-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s xx.xx.xx.xx/32-p tcp -m multiport –dports 25,587,465 -j LOG –log-prefix “FORWARD:DROP:” –log-level 6
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 465 -m limit –limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 587 -m limit –limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 25 -m limit –limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 465 -j DROP
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 587 -j DROP
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp –dport 25 -j DROP

iptables -A INPUT -s 192.100.165.0/24 -j DROP

iptables -A INPUT -s 192.10.0.0/16 -j DROP

iptables -A INPUT -s 192.0.0.0/8 -j DROP

iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

/usr/libexec/iptables/iptables.init save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

sudo apt-get install ulogd

If you want log dropped packets, lets do this:

-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j ULOG
-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j DROP

iptables -t nat -A OUTPUT -p tcp –dport 80 -j DNAT –to-destination IP:80

iptables-save > /etc/sysconfig/iptables
iptables-restore