okay, first of all, you shouldn't do it in a script; instead you should be modifying /etc/sysconfig/iptables and using /etc/init.d/iptables start/stop,
and add ip_nat_ftp to the proper spot (modules to load) in /etc/sysconfig/iptables-config
next you need to rewrite the following into iptables-save/restore format
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[spot for nat rules]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[spot for filter rules]
COMMIT
[in the filter rules:]
-A INPUT -i lo -j ACCEPT
# the following is _not_ nice
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP
-A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT
[above in the nat spot]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443
[again in the filter spot]
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
You _DO_ _NOT_ WANT TO ACCEPT everything from port 53 - I can break through this firewall in 5 seconds.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
same here, plus squid doesn't use udp
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
the default should be to drop
-A INPUT -j LOG --log-level info
-A OUTPUT -j LOG --log-level info
-A FORWARD -j LOG --log-level info
[in nat again]
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE
this should be in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
do the above changes and repost with what you have and we'll go from there...
Cheers, MaZe
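The fragments above assembled into one /etc/sysconfig/iptables in the iptables-save/restore layout MaZe asks for, as an added example that is not part of the original thread and not MaZe's or the original poster's file. It applies the two corrections raised in the reply (the DNS and squid ACCEPT rules are confined to the LAN interface and source network instead of being open to the world, and squid gets no udp rule) and adds three things the thread does not mention, each marked in a comment: ESTABLISHED,RELATED state rules so replies get back through the DROP policies, FORWARD rules for the DNAT'd web traffic, and a rate limit on the LOG rules. Assumptions: rango_ip stays the unnamed /29 placeholder from the post, eth0 is the Internet side, eth1 is the 172.16.0.0/24 LAN with the firewall at 172.16.0.211, the web server is 172.16.0.3, and the DNS resolver and squid run on the firewall itself.

```iptables
# /etc/sysconfig/iptables -- loaded by "/etc/init.d/iptables start" via iptables-restore
# Added example, not the thread's own file. rango_ip is the poster's placeholder.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish the internal web server (172.16.0.3) on the public address of eth0
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.3:443
# only these three LAN hosts are masqueraded out of eth0; the rest of the LAN
# reaches the web through squid on the firewall
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# ADDED (not in the thread): with INPUT DROP and no state rule, answers to the
# firewall's own connections (its upstream DNS lookups, updates) are dropped.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the poster's echo-request drop, kept as posted ("not nice" per the reply)
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
# trusted public /29 (placeholder) and the whole LAN may talk to the firewall
-A INPUT -i eth0 -s rango_ip/29 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -j ACCEPT
# DNS and squid, now restricted to the LAN side: the posted rules had no -i/-s
# and so accepted 53 and 3128 from the Internet. The LAN rule above already
# covers these; they are kept explicit so they survive if that rule is narrowed.
# No udp rule for squid: squid speaks tcp only.
-A INPUT -i eth1 -s 172.16.0.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -p tcp --dport 3128 -j ACCEPT
# ADDED (not in the thread): return traffic for forwarded connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: web and DNS only
-A FORWARD -i eth1 -s 172.16.0.0/24 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -s 172.16.0.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -s 172.16.0.0/24 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -s 172.16.0.0/24 -p udp --dport 53 -j ACCEPT
# ADDED (not in the thread): the DNAT'd packets from eth0 still traverse
# FORWARD, whose policy is DROP; without these the PREROUTING DNAT goes nowhere
-A FORWARD -i eth0 -o eth1 -d 172.16.0.3/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 172.16.0.3/32 -p tcp --dport 443 -j ACCEPT
# last rules before the DROP policies take over: log what is about to be
# discarded. ADDED -m limit so a flood cannot fill the log; the unmatched
# remainder still falls through to the chain policy and is dropped.
-A INPUT -m limit --limit 5/min -j LOG --log-level info --log-prefix "fw INPUT drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-level info --log-prefix "fw FORWARD drop: "
COMMIT
```

The posted `-A OUTPUT -j LOG` is left out on purpose: with OUTPUT's policy at ACCEPT it would log every packet the firewall sends, which is noise rather than a record of drops. The two companion settings from the reply go in their own files: `IPTABLES_MODULES="ip_nat_ftp"` in /etc/sysconfig/iptables-config (ip_nat_ftp pulls in ip_conntrack_ftp; on 2.6 kernels the modules are named nf_nat_ftp and nf_conntrack_ftp) and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf, applied with `sysctl -p`. Before activating, `iptables-restore --test < /etc/sysconfig/iptables` parses the file without loading it (on iptables versions that support `--test`); after `/etc/init.d/iptables start`, `iptables-save` shows what actually loaded.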