Next I modified a script named setipwall, which I found somewhere on the web; it sets up proper packet filtering rules on Hilltop and must be run each time Hilltop is rebooted.
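#!/bin/bash
# setipwall: install the packet-filtering and NAT rules for this host.
#
# Must be run as root after every reboot, because iptables rules do not
# persist across reboots. The filter and nat tables are flushed first, so
# running the script twice gives the same rule set. Chain default policies
# are NOT changed here; everything not matched by the rules below falls
# through to whatever policy the chains already have.
set -euo pipefail

# Stop at the first failing iptables command and say which one it was,
# instead of silently continuing with a half-built rule set.
trap 'printf "setipwall: failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Ports accepted on the external interface, TCP and UDP alike.
# NOTE: 3128 is the proxy port; listing it here accepts connections to the
# proxy from the outside, not just from the LAN. Drop it from this list if
# the proxy is meant for local clients only.
APORTS=(20 21 22 25 53 80 110 143 3128)
# Ports rejected on every interface: Kazaa (1214), Gnutella (6346 6347).
# These rules are appended after the ACCEPT rules, so a port present in both
# lists is accepted. They are INPUT-only: LAN traffic forwarded to these
# ports is not affected.
RPORTS=(1214 6346 6347)

EX_ETH=eth0                       # External interface
IN_ETH=eth1                       # Local interface
# shellcheck disable=SC2034  # documentation of the site layout; not used below
LOCAL_IP=192.168.0.252            # Local host IP
# shellcheck disable=SC2034
LOCAL_NET=192.168.0.0/24          # Local network
# shellcheck disable=SC2034
EXTERNAL_NET=63.250.102.168/29    # External network
# shellcheck disable=SC2034
PROXY_IP=192.168.0.252            # Proxy server IP (transparent proxy)
PROXY_PORT=3128                   # Proxy server port

# iptables needs CAP_NET_ADMIN; fail early with a clear message.
if (( EUID != 0 )); then
  printf 'setipwall: must be run as root\n' >&2
  exit 1
fi

# Clear existing rules in the tables we manage (policies are left alone).
iptables -t filter -F
iptables -t nat -F

# Masquerade everything leaving through the external interface.
iptables -t nat -A POSTROUTING -o "$EX_ETH" -j MASQUERADE

# Transparent proxy: redirect all LAN web traffic (port 80) to the proxy.
iptables -t nat -A PREROUTING -i "$IN_ETH" \
  -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"

# Accept the listed services from the outside.
for ap in "${APORTS[@]}"; do
  iptables -A INPUT -i "$EX_ETH" -p tcp --dport "$ap" -j ACCEPT
  iptables -A INPUT -i "$EX_ETH" -p udp --dport "$ap" -j ACCEPT
done

# Reject the listed ports on all interfaces (sends an error back, unlike DROP).
for rp in "${RPORTS[@]}"; do
  iptables -A INPUT -p tcp --dport "$rp" -j REJECT
  iptables -A INPUT -p udp --dport "$rp" -j REJECT
done

# Any other new or invalid connection attempt from the outside is dropped;
# replies to connections we initiated (ESTABLISHED,RELATED) still get through.
iptables -A INPUT -i "$EX_ETH" -m state --state NEW,INVALID -j DROP

# Same rule for traffic that would be forwarded into the LAN.
iptables -A FORWARD -i "$EX_ETH" -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding so the host routes for the LAN.
printf '1\n' > /proc/sys/net/ipv4/ip_forward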