WoW ..a lot going on here!!

I’m drunk now, so bear with me ..

If protocol is TCP and destination is 192.168.2.196 and input interface is eth0 and destination port is 1024:65535 and source port is 25, Accept.
As DreamDown said, you want everyone to connect to any port between 1024 and 65535 if their source port is 25 ?? Or do you want them to connect to port 25, the port the smtp will listen to?

Back to basics. You said it is behind a NAT router. How is this configured? You should be NATing port 25 to the mail server ( port 25 ) already, not allowing any other port requests from outside to be going to it? What interface is connected to the router? ( I suppose eth0 is connected to the LAN you want to access the mail server: ie. eth0 is facing the LAN? )


Ok, now back to the firewall.
First I must say here: logging everything will help you both identify problems with the firewall when you set it up and also keep track of who and what is connecting.

What cacosapo said about the INPUT should work, but I would not be using the stateful part of Netfilter quite yet.
To allow connections to port 25 on eth0
iptables -A INPUT -p tcp -i eth0 --dport 25 -j LOG --log-level info --log-prefix "smtp in eth0: "
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT

how can you tunnel a connection through port 25 to a different service? I didn't know that was possible..
Of course it is, if they find another exploit! That port should be bound to the smtp engine.

If eth1 is facing the NAT router, to connect to other outside mail servers
iptables -A OUTPUT -p tcp -o eth1 --dport 25 -j LOG --log-level info --log-prefix "smtp out to net: "
iptables -A OUTPUT -p tcp -o eth1 --dport 25 -j ACCEPT

Here, correct me if I am wrong, your mail server should be using a different port ( between 1024 and 65535 ) to send its information to other servers listening to port 25.

So you have your LAN connecting to the smtp box via eth0, your box connecting to outside smtp servers via eth1 ... but what about the other way around? What about outside servers trying to relay incoming mail to your server?

iptables -A INPUT -p tcp -i eth1 --dport 25 -j LOG --log-level info --log-prefix "smtp in from net: "
iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT

The requests from the LAN, both sending and receiving should still originate from the LAN and go to port 25, thus using the above rule.

THEN, to maintain the connections, both inside and outside the LAN you would use the “stateful” properties of Netfilter:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

those two rules at the end of your post would work for all services then?
Yes! Just remember, Netfilter ( and IPTables ) works in a top-down method. Those rules would be AFTER the rules which allowed the original connections.

Also note you should include such things as

At the beginning, to clear all rules and make the default policy drop everything you don’t explicitly allow:

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# ------Set default policies for packets going through this firewall box-------- #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

at the end of your firewall rules:

# ---log all packets that hit the default policy ---- #
iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "


Hope this helps ..... and I didn’t screw it up while drunk!
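The pieces from the post above, assembled into one script in the order the post describes (flush and DROP policies first, the logged SMTP rules next, the stateful rules after them, and the catch-all LOG rules last). This is an added example, not code from the original thread or any of its posters. The interface roles (eth0 facing the LAN, eth1 facing the NAT router) and the log prefixes come from the thread; the DRY_RUN switch, the check_order helper and the loopback rules are assumptions of this example. Note that rules in the OUTPUT chain match the interface with -o, not -i.

```shell
#!/bin/sh
# Added example, not code from the original thread: the thread's iptables
# rules assembled in dependency order. Interface roles and log prefixes are
# taken from the thread; DRY_RUN, check_order and the loopback rules are
# assumptions of this example.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the rules (default), 0 = apply them
LAN_IF="${LAN_IF:-eth0}"  # assumption: interface facing the LAN
NET_IF="${NET_IF:-eth1}"  # assumption: interface facing the NAT router

# Print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the complete rule set, top to bottom, in the order Netfilter evaluates it.
build_ruleset() {
    # 1. Flush and default to DROP so only what is listed below gets through.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 2. Loopback (assumption: not in the thread, but a DROP policy on OUTPUT
    #    would otherwise break the MTA talking to itself on localhost).
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. New SMTP connections, each logged before it is accepted.
    #    INPUT rules match the incoming interface with -i; OUTPUT rules use -o.
    ipt -A INPUT  -p tcp -i "$LAN_IF" --dport 25 -j LOG --log-level info --log-prefix "smtp in $LAN_IF: "
    ipt -A INPUT  -p tcp -i "$LAN_IF" --dport 25 -j ACCEPT
    ipt -A OUTPUT -p tcp -o "$NET_IF" --dport 25 -j LOG --log-level info --log-prefix "smtp out to net: "
    ipt -A OUTPUT -p tcp -o "$NET_IF" --dport 25 -j ACCEPT
    ipt -A INPUT  -p tcp -i "$NET_IF" --dport 25 -j LOG --log-level info --log-prefix "smtp in from net: "
    ipt -A INPUT  -p tcp -i "$NET_IF" --dport 25 -j ACCEPT

    # 4. Return traffic of the connections accepted above; must come after them.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Log whatever falls through to the default DROP policy.
    ipt -A INPUT   -j LOG --log-level info --log-prefix "input_default_drop: "
    ipt -A OUTPUT  -j LOG --log-level info --log-prefix "output_default_drop: "
    ipt -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
}

# Sanity check on the generated order (run in dry-run mode): the stateful
# rules must follow the last SMTP ACCEPT, and the catch-all LOG rules must
# follow the stateful rules. Returns 0 when the order is right.
check_order() {
    DRY_RUN=1 build_ruleset | awk '
        /--dport 25 -j ACCEPT/ { last_smtp = NR }
        /ESTABLISHED,RELATED/  { if (!state) state = NR }
        /default_drop/         { if (!logdrop) logdrop = NR }
        END { exit !(last_smtp && last_smtp < state && state < logdrop) }'
}

# Usage: review with DRY_RUN=1 (the default); apply with DRY_RUN=0 as root.
if check_order; then
    build_ruleset
else
    echo "rule order is wrong, refusing to continue" >&2
    exit 1
fi
```

Run it once without arguments to read the rules it would install; only set DRY_RUN=0 once the printed order matches what you expect, since a misplaced stateful rule above the SMTP rules would let nothing new in, and a misplaced LOG rule would flood the log with accepted traffic.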