Heres a few questions i have about iptables, if you can answer any of them i'd appriciate it. I can't really start using linux untill i have it secured...

1. If i have a few PC's connected to a Linksys Fast Ethernet Cable/DSL router. Would Eth1 be the interface to the router?

2. If the router is going to be handling NAT i wouldn't have to worry about creating any NAT related iptables rules right?

3. If i type in a iptables rule how can i make it automatically take effect without rebooting?

4. Is there any reason why i should use iptables-save and iptables-restore instead of editing /etc/rc.d/rc.firewall?

5. Here is a example of a way to be invisible to traceroutes:
iptables -t mangle -A PREROUTING -p TCP --dport 33434:33542 -j \
TTL --ttl-inc 1
How can changing the TTL make you invsible to traceroutes? Why did he choose to do it on that port range? Also do you have to increment it by only 1 to be invisible to traceroutes?

6. Which is better DROP or REJECT? I always thought DROP was better but after reading the "Iptables Tutorial" it seems like REJECT would be better since it can block port scanners and it wouldn't leave dead sockets on either host.

Hmm well i guess as far as having the firewall settings take effect without having to reboot i guess that would be a reason to use the iptables-save and restore commands... :o

1. Eth1 could be either/or LAN/WAN that is your choice of how you configure it

2. If router is handling NAT no I do not believe you need additional NAT rules in iptables

3. Typing in the command: /sbin/iptables blah blah blah
automatically runs that rule, when you reboot you lose it unless you save it in the iptables script.

4. No idea...I edit /etc/rc.d/rc.firewall

5. If I am not mistakes those are the ports used by traceroute. No idea about the TTL.

6. Depends, Drop does not send back a message to the sender therefore if they are trying to DDOS you with UDP or ICMP packets if you reject you still lose bandwidth replying so Dropping uses no bandwidth. About the port scanner part I have no idea.

Thats cleared up a bunch of stuff for me, thank you. :)

Alright now i got a few more questions...

1. Does the "\" in this rule just combine the stuff before and after the "\"?
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m --state NEW -j REJECT --reject-with tcp-reset

2. Would i find errors about iptables like these in my syslog log?
insmod: iptable_filter: no module by that name found
iptables: No chain/target/match by that name

3. Going back to the external interface question... if i'm broadband, have 1 NIC in my computer, and am connected to a LinkSys FastEthernet Cable/DSL router would i have a external interface that i should set rules for in iptables? I know dialup users have have a external interface of ppp0 that they can configure, but don't know what (if any) it would be in my case.