Помогите с ошибками в правилах iptables
Привет, ребят помогите найти ошибки. Хотелось бы еще защититься от сканирования портов. Мои правила (реальные ip заменил):
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH-RDP - [0:0]
#-A OUTPUT -o eth1 -p icmp -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/22 -j ACCEPT
#adobe
-A INPUT -i lo -p tcp --dport 443 -j DROP
-A INPUT -i lo -j ACCEPT
#-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp --dport 1723 -j ACCEPT
#-A INPUT -p tcp -m conntrack -m hashlimit --dport 22222 -j SSH-RDP --ctstate NEW --hashlimit-upto 3/hour --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name SSH
-A INPUT -j LOG --log-level debug --log-prefix «DROP input packet: »
####################################################################################
#razreshaem uzhe ustanovlennie soedineniya
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #razreshaem operatoram vesj inet
-A FORWARD -s 192.168.1.138 -i eth0 -j ACCEPT
#razreshaem nuzhnie porti
-A FORWARD -s 192.168.0.0/22 -i eth0 -p tcp -m multiport --dports 21,25,110,143,443,843,1443,5672,5190,5222,8000,8080,9091 -j ACCEPT
-A FORWARD -s 192.168.0.0/22 -i eth0 -p tcp -m multiport --dports 80,1723,3389 -j ACCEPT
#Adobe
-A FORWARD -s 192.168.0.0/22 -i eth0 -p tcp -m multiport --dports 1935 -j ACCEPT
#UDP
-A FORWARD -s 192.168.0.0/22 -i eth0 -p udp -j ACCEPT
#Reg
#-A FORWARD -d 192.168.2.0/24 -i eth1 -p tcp -m multiport --dports 32423 -j ACCEPT
#Reg2
#-A FORWARD -d 192.168.1.33/32 -i eth1 -p tcp -m tcp --dport 3456 -j ACCEPT
#kom
-A FORWARD -s 10.10.10.2/32 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/22 -d 10.10.10.0/30 -i eth0 -j ACCEPT
#vnutrennie pakety
-A FORWARD -s 192.168.0.0/22 -d 192.168.0.0/22 -i eth0 -j ACCEPT
#ping-pong
-A FORWARD -p icmp -j ACCEPT
#VPN
-A FORWARD -p gre -j ACCEPT
#Adobe
-A FORWARD -i eth0 -s 192.168.0.0/16 -d 192.150.16.0/24 -j
ACCEPT
#fonts
-A FORWARD -i eth0 -s 192.168.0.0/16 -d 74.84.201.72 -j ACCEPT
#RDP
-A FORWARD -p tcp -m conntrack -m hashlimit -d 192.168.1.10 --dport 3389 -j SSH-RDP --ctstate NEW --hashlimit-upto 10/hour --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name RDP
-A FORWARD -j LOG --log-level debug --log-prefix «DROP forward packet: »
#ssh-rdp:
-A SSH-RDP -j LOG --log-level debug --log-prefix «SSH-RDP connect: »
-A SSH-RDP -j ACCEPT
#cams
-A FORWARD -d 192.168.1.33/32 -p tcp -m multiport --dports 3456,3456 -j ACCEPT
-A FORWARD -s 192.168.0.0/22 -p tcp -m multiport --dports 3456,3456 -j ACCEPT
#tax
-A FORWARD -s 192.168.1.0/24 -d 194.195.196.197 -p tcp --dport 7777 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/22 -o eth1 -j SNAT --to-source 173.174.175.176
-A POSTROUTING -s 192.168.0.0/22 -o eth2 -j SNAT --to-source 165.166.167.168
-A POSTROUTING -s 10.10.10.2 -o eth1 -j SNAT --to-source 173.174.175.176
-A POSTROUTING -s 10.10.10.2 -o eth2 -j SNAT --to-source 165.166.167.168
-A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
#-A PREROUTING -i eth2 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
#cams
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3456 -j DNAT --to-destination 192.168.1.33:3456
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3456 -j DNAT --to-destination 192.168.1.33:3456
-A PREROUTING -i eth2 -p tcp -m tcp --dport 3456 -j DNAT --to-destination 192.168.1.33:3456
-A PREROUTING -i eth2 -p tcp -m tcp --dport 3456 -j DNAT --to-destination 192.168.1.33:3456
-A PREROUTING -p tcp -d 173.174.175.176--dport 3456 -j DNAT --to-destination 192.168.1.33:3456
#-A PREROUTING -p tcp -d 173.174.175.176--dport 3456 -j DNAT --to-destination 192.168.1.33:3456
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p icmp -j MARK --set-mark 10
COMMIT
# Completed