I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if you're not using IPv6, and I'd suggest adding -i dev and -o dev to any rules where possible (-i in INPUT and FORWARD being the input device, and -o in FORWARD and OUTPUT being the output device).
This seems _very_ dangerous. What is this supposed to achieve? Is this needed?
$IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT
Drop these two:
$IPTABLES -A INPUT -p 51 -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
This should probably also have "-i $EXTIF" and "-s $OTHER-VPN-GLOBAL-IP":
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
OUTPUT is usually safe :)
You should add -i and -o here (using the INTERNAL NET DEVICE and the virtual proxy device as the parameters):
$IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
$IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT
Not sure about this...
$IPTABLES -t nat -A POSTROUTING -o $EXTIF ! -d 192.168.100.0/24 -j SNAT --to $EXTIP
Anyways, cheers, MaZe.
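The reply's suggestions applied to the rules quoted above, as an added example (not the poster's or MaZe's script): device names, addresses and the VPNIF/PEER_IP variables are constructed placeholders, and IPTABLES defaults to echo so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the thread's VPN rules with the -i/-o and -s restrictions the
# reply asks for. Every value below is a constructed placeholder.
IPTABLES="${IPTABLES:-echo iptables}"      # dry run by default; IPTABLES=iptables to apply
EXTIF="${EXTIF:-eth0}"                     # external (Internet-facing) device
INTIF="${INTIF:-eth1}"                     # internal LAN device
VPNIF="${VPNIF:-$EXTIF}"                   # device decrypted packets arrive on: ipsec0 with
                                           # FreeS/WAN-style virtual devices, $EXTIF with native IPsec
EXTIP="${EXTIP:-198.51.100.10}"            # our public address
INTNET="${INTNET:-192.168.100.0/24}"       # our LAN
REMOTENET="${REMOTENET:-192.168.200.0/24}" # LAN behind the VPN peer
PEER_IP="${PEER_IP:-203.0.113.5}"          # peer's public address ($OTHER-VPN-GLOBAL-IP in the reply)

vpn_rules() {
    # IKE: only from the known peer, only on the external device.
    $IPTABLES -A INPUT -i "$EXTIF" -s "$PEER_IP" -p udp --sport 500 --dport 500 -j ACCEPT
    # ESP (proto 50) and AH (proto 51) carry the IPsec traffic itself; same restriction.
    $IPTABLES -A INPUT -i "$EXTIF" -s "$PEER_IP" -p 50 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -s "$PEER_IP" -p 51 -j ACCEPT
    # The broad INPUT rule for $remotenetwork -> $INTNET is omitted: traffic between
    # the two LANs is forwarded, not delivered to the gateway, so it belongs in
    # FORWARD with both devices named.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$VPNIF" -s "$INTNET" -d "$REMOTENET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$VPNIF" -o "$INTIF" -s "$REMOTENET" -d "$INTNET" -j ACCEPT
    # SNAT everything leaving $EXTIF except traffic for the peer's LAN, so tunnel
    # traffic keeps its private source address ("! -d" is the current spelling of "-d!").
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" ! -d "$REMOTENET" -j SNAT --to "$EXTIP"
}

vpn_rules
```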