I used to write iptables by hand… in particular in the DENY-everything-then-poke-the-holes-through style.
I don’t know if anyone on the list is using it, but I highly recommend “Firehol” http://firehol.sourceforge.net
It generates the iptables commands from a separate configuration file that is really easy to understand and use. I use it as my network firewall/router and handle multiple interfaces (including VLANs), IP forwarding/masquerading, a wireless DMZ, and eventually a full DMZ. I also do destination NAT mangling with it as well. There are Red Hat compatible RPMs that you can just install from. In particular, it has a “try” mode, so if you are modifying the configuration remotely and do something to lock yourself out, it will revert to your previous firewall state after 30 seconds unless you “commit” the changes. It also is working beautifully with my squidGuard proxy setup on the same host (transparent works nicely), and it should be fairly easy to lock down my outbound connection ports in the near future using FireHOL (and a whole lot easier to reverse the process if restricting ports causes us problems).
Have a great weekend!
Hilton Head Preparatory School
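As an added illustration (not the poster's own configuration), here is a FireHOL config in the deny-by-default style described above: a router with an internet uplink, a LAN VLAN and a DMZ, masquerading, a DNAT rule into the DMZ, and a transparent redirect to a Squid proxy on the firewall host. Interface names, addresses, the version directive (for a FireHOL 2.x/3.x release) and the proxy port are assumptions.

```firehol
# /etc/firehol/firehol.conf  (example, assumed interface names and addresses)
version 6

# Internet-facing uplink: FireHOL interfaces default to policy drop,
# so only the holes listed here are opened.
interface eth0 internet
    policy drop
    protection strong          # drop invalid/fragmented/flood-style traffic
    server ssh accept          # the one inbound service on the firewall itself
    client all accept          # the firewall may reach out (updates, DNS, NTP)

# LAN on a tagged VLAN sub-interface (assumed 802.1q id 10).
interface eth1.10 lan
    policy drop
    server "dns ssh" accept    # LAN may use the firewall's resolver and SSH
    client all accept
    # Transparent proxy: LAN web traffic is redirected to Squid on this
    # host (assumed listening on port 3128) instead of leaving directly.
    redirect to 3128 inface eth1.10 proto tcp dport 80

# Wireless / DMZ segment.
interface eth2 dmz
    policy drop
    client all accept

# Inbound DNAT: published web server lives in the DMZ (assumed 10.0.2.10).
dnat to 10.0.2.10:80 inface eth0 proto tcp dport 80

# LAN -> internet: masquerade behind eth0, allow everything outbound.
router lan2internet inface eth1.10 outface eth0
    masquerade
    route all accept

# DMZ -> internet: DMZ hosts may initiate outbound, nothing else routes in
# except the DNAT'd web traffic matched by the rule below.
router dmz2internet inface eth2 outface eth0
    masquerade
    client all accept
    server http accept         # only the translated port 80 flow gets in

# LAN -> DMZ: LAN may reach DMZ services; DMZ cannot initiate into LAN.
router lan2dmz inface eth1.10 outface eth2
    route "http https ssh" accept
```

Activate a remote change with `firehol try`, which reverts after 30 seconds unless `firehol commit` is run, exactly the safety net described above.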