Hi Derek,

How are you?

We didn't really cover if you are using a singular dsl device or a small switch/dsl modem on the upstream? 

So if you have your two boxes (Ladmo and Wallace) connected via a crossover cable or small switch to eth1 on Wallace which has eth0 connected to your dsl, that's good.

If you have both boxes connected to the dsl switch/modem, there might be a problem?

The best way to verify your settings is via nmap from outside. 

Assumptions without real tests are the basis of bad security everywhere.

nmap each server from the other server.  Run a nmap from a shell or linux box externally.

Also run this tool on the Windows system to verify what is really running:
http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video

See my comments below:

On Mon, Aug 6, 2012 at 11:06 PM, Derek Trotter <expat.arizonan@gmail.com> wrote:
Recently I got dsl and decided to have my linux box pass on traffic to my windows box rather than buying a firewall.  I did the research online and figured out how to make everything work like I wanted. Is there anything I've done wrong?  Does anyone have any suggestions to improve it?  Below is what I put into rc.local including comments in case I forget later what each part does.  Wallace is the linux box.  Ladmo is the windows box.  Thanks.

You can tighten up your source and destination by network subnet also: 
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 10.0.1.0/24 -j MASQUERADE
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# The 3 above allow for nat and forwarding to Ladmo.  This allows me to do stuff online from Ladmo.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
# Allows bittorrent clients on the net to contact mine.

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allows me to surf the web from Wallace.

iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#allows dns to work on Wallace.

#Opening both tcp and udp DNS (from EVERYONE) will allow me to do all sorts of nepharious things via DNS (trusted port) attack:
#http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
#http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
#http://www.exploit-db.com/exploits/16748/
#At the very least open instead source and destination udp only to your DNS servers and use random ports:

iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8. --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT

#Add logging:  You need both rules
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP
#Drops unwanted incoming packets.
---------------------------------------------------
 
Adding a list of RFC 1419 private ip addresses might be nice but if you tighten up your nat masquerade rule, they won't be necessary.

Also, if you can access the web via port 443, I would be worried that you are getting packets from a switch on the other port eth1 outbound/inbound?

Test it...

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Safeway.com
Automation Engineer