#!/usr/bin/bash
# Firewall Script (C) 2003 InterNetX GmbH
# Sebastian Wiesinger <sebastian.wiesinger@internetx.de>
# Carsten Schoene <carsten.schoene@internetx.de>
# $LastChangedDate$
# $Rev$
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the internetx firewall
### END INIT INFO
#
# chkconfig: 35 91 79
# description: Start the internetx firewall
#
################################################################
## Haupteinstellungen ##########################################
################################################################
# ACHTUNG! Anpassungen werden bei update überschrieben         #
# Firewall Anpassungen zwingend in                             #
# /etc/firewall.config bzw. /etc/firewall6.config vornehmen    #
################################################################

# Interface(s) extern
INET_IFACE="`ip -4 route show default | awk '{print $5}' || echo eth0`"

# Interface(s) intern 
# Diese Interfaces werden nicht gefiltert
INNER_IFACE=""

# Hat der Server oeffentliche oder private IPs?
# Syntax: IPTYPE="p/o" (p=privat, o=oeffentlich)
IP_TYPE="o"

# Loglevel, 4 = warning
LOG_LEVEL="4"

# Ist der Rechner ein Gateway?
# Ist nur von Belang wenn das Feature im Kernel aktiviert ist.
# Syntax: FORWARD="0/1 (1=ja, 0=nein)
# FORWARD_NET gibt die internen Netze an, welche geforwardet werden.
FORWARD="0"
FORWARD_NET="192.168.1.0/24"

# Syn-Cookies gegen Spoofing...
# Ist nur von Belang wenn das Feature im Kernel aktiviert ist.
# Syntax: SYN_COOKIES="0/1" (1=ja, 0=nein)
SYN_COOKIES="1"

RESOLVER_IPS="62.116.162.126 62.116.130.3 85.236.36.4"
################################################################
## Dienste #####################################################
################################################################
#
# Der Dienst kann jeweils an- oder abgeschaltet werden, die jeweiligen
# *_ALLOW Variablen regeln den Zugriff, 0/0 ist Zugriff fuer alle, ansonsten
# Notation als IP oder als Netzschreibweise (vorzugsweise CIDR)

DHCP_CLIENT="yes"

FTP="yes"
FTP_ALLOW="0/0"

SSH="yes"
SSH_ALLOW="62.116.129.3 62.116.161.144 85.236.33.12 85.236.36.66 85.236.36.11 85.236.36.71 85.236.36.72 85.236.36.73"

TELNET="no"
TELNET_ALLOW=""

SMTP="yes"
SMTP_ALLOW="0/0"

SMTPS="yes"
SMTPS_ALLOW="0/0"

SMTP_MSA="yes"
SMTP_MSA_ALLOW="0/0"

DNS="no"
DNS_ALLOW="0/0"

HTTP="yes"
HTTP_ALLOW="0/0"

POP3="yes"
POP3_ALLOW="0/0"

POP3S="yes"
POP3S_ALLOW="0/0"

IMAP="yes"
IMAP_ALLOW="0/0"

IMAPS="yes"
IMAPS_ALLOW="0/0"

HTTPS="yes"
HTTPS_ALLOW="0/0"

HTTP_PSA="yes"
HTTP_PSA_ALLOW="0/0"

HTTPS_PSA="yes"
HTTPS_PSA_ALLOW="0/0"

POPPASSWD="no"
POPPASSWD_ALLOW="0/0"

BACKUP="yes"
# Backup Server wird vom Script ermittelt, ueber /usr/knox/nlp/...
BACKUP_ALLOW="85.236.37.4"

MYSQL="yes"
MYSQL_ALLOW="0/0"

WEBMIN="no"
WEBMIN_ALLOW="0/0"

AUTODNS="yes"
AUTODNS_ALLOW="62.116.129.201"

SYSLOG="no"
SYSLOG_ALLOW="0/0"

TFTP="no"
TFTP_ALLOW="0/0"

# Zusaetzliche Ports fuer bestimmte IPs/Netze freigeben
# Syntax: ALLOW_TCP/UDP="<port>#<netz> <port>#<netz> ..."
# z.B.:   ALLOW_TCP="6667#10.11.0.0/16 6667#10.12.0.0/16 995#0/0"

ALLOW_TCP="51234#85.236.36.35 2222#0/0"
ALLOW_UDP=""

# Alle IPs/Netze die hier stehen duerfen immer auf alles zugreifen.
# Vorsicht, Sicherheitsgefahr!
ALLOW_HOST=""

# IPs/Netze komplett sperren

BLOCK_HOST=""

# Eingehende Verbindungen fuer bestimmte lokale IPs unterbinden, komplett
# oder per Port:
# Syntax: BLOCK_CONN_TCP/UDP="<port/*>#<ip> <port/*>#<ip> ..."
# z.B.: BLOCK_CONN_TCP/UDP="*#192.168.1.17 22#192.168.1.19"
BLOCK_CONN_TCP=""
BLOCK_CONN_UDP=""

# Achtung, geloggt wird _nach_ den erlaubten Verbindungen,
# d.h. es werden nur geblockte Verbindungen geloggt.
# Syntax: LOG_TCP/UDP="<port> <port> ..."
LOG_TCP=""
LOG_UDP=""

# Debug Log, es werden alle geblockten Pakete geloggt.

LOG_ALL="no"

# Groesse der ip_conntrack table
MAX_CONNTRACK="65536"

################################################################
## Ab hier keine User-Config. ##################################
## Nur aendern wenn wirklich noetig! ###########################
################################################################

if [ -f /etc/firewall.config ] ; then
 . /etc/firewall.config
fi

FW_START_MODE=$1
export FW_START_MODE
export ORG_PATH=$PATH
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"

function prep_wall () {

IPT_PRE=`which iptables`
IPT_VER=`${IPT_PRE} --version|awk '{print $2}'`
MAJOR=`echo ${IPT_VER} | awk -F. '{print $2}'`
MINOR=`echo ${IPT_VER} | awk -F. '{print $3}'`
if [ "${MAJOR}" -ge "4" ] && [ "${MAJOR}" -lt "5" ] ; then
        if [ "${MINOR}" -ge "22" ] ; then
                IPT_OPT=" -w 1"
        elif [ "${MINOR}" -ge "20" ] ; then
                IPT_OPT=" -w"
        else
                IPT_OPT=""
        fi
elif [ "${MAJOR}" -ge "5" ] ; then
        IPT_OPT=" -w 1"
else
        IPT_OPT=""
fi

IPT="`which iptables` ${IPT_OPT}"
#IPT="/bin/echo"
MP=`which modprobe`
#MP="/bin/echo"
SED=`which sed`

LOG_PREFIX="[IPTABLES DROP] : "

LO_IFACE="lo"
LO_IP="127.0.0.1"

MONITOR="62.116.129.35 62.116.129.5 62.116.129.7 62.116.129.6 62.116.129.3 85.236.33.9"
ALLOW_HOST="$ALLOW_HOST $MONITOR"

# Wie werden Pakete gedroppt?
DROP="DROPPER" # DROPPER ist eine Chain die gemaess RFCs blockt
DROP_TCP="REJECT --reject-with tcp-reset"
DROP_OTHER="REJECT"

if [ "$IP_TYPE" = "o" ] ; then
	BAD_EXT_IP="10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 191.255.0.0/16 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 224.0.0.0/4"
elif [ "$IP_TYPE" = "p" ] ; then
	BAD_EXT_IP=""
fi

START_POLICY="ACCEPT"
END_POLICY="DROP"

# Backup greppen :)
#
#if [ -d /usr/knox ] ; then
#	BA_BACKUP=""
#	BA_ADMIN=$(cat /usr/knox/nlp/admin.cfg)
#	BA_IP=$(grep "$(cat /usr/knox/nlp/admin.cfg)" /usr/knox/nlp/hosts.cfg | sed 's/\"\([0-9.]*\)\".*/\1/')
#	if [ -n "$BA_IP" ] ; then
#		BA_BACKUP="$BA_IP"
#	else
#		echo "$BA_ADMIN" | egrep "^[4-9.]*$" >/dev/null 2>&1
#		if [ $? -eq 0 ] ; then
#			BA_BACKUP="$BA_ADMIN"
#		fi
#	fi
#	if [ -z "$BA_BACKUP" ] ; then
#		BACKUP_ALLOW=""
#	else
#		BACKUP_ALLOW=$BA_BACKUP
#	fi
#else
#	BACKUP_ALLOW=""
#fi

# Module laden...
MODULES="ip_tables iptable_filter iptable_nat iptable_mangle ip_conntrack ip_conntrack_ftp xt_limit xt_state ipt_REJECT ipt_LOG"

if [ $FORWARD -eq 1 ] ; then
	MODULES="$MODULES ipt_MASQUERADE ip_nat_ftp"
fi

for modul in $MODULES ; do
	modul2=`echo ${modul} | sed -e s/^ip_/nf_/g`
	modul3=`echo ${modul} | sed -e s/^ipt_/xt_/g`
	if [ -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul}.o -o \
	     -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul}.ko* -o \
	     -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul}.ko* -o \
	     -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul2}.o -o \
	     -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul2}.ko* -o \
	     -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul2}.ko* -o \
	     -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul3}.o -o \
	     -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/${modul3}.ko* -o \
	     -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul3}.ko* ] ; then
		$MP $modul >/dev/null 2>&1
		$MP $modul2 >/dev/null 2>&1
		$MP $modul3 >/dev/null 2>&1
	else
		echo "Kernel-Modul $modul nicht gefunden. Wenn nicht benoetigt bitte aus der Modulliste entfernen. Firewall NICHT GESTARTET."
		if [ "$FW_START_MODE" = "start" ] ; then
			export PATH=$ORG_PATH
			exit 1
		fi
	fi
done

# Kernel Parameter setzen

# Forwarding
[ -w /proc/sys/net/ipv4/ip_forward ] && echo $FORWARD > /proc/sys/net/ipv4/ip_forward

# Syncookies
[ -w /proc/sys/net/ipv4/tcp_syncookies ] && echo $SYN_COOKIES > /proc/sys/net/ipv4/tcp_syncookies

# Groesse des Connection Trackers
[ -w /proc/sys/net/ipv4/ip_conntrack_max ] && echo $MAX_CONNTRACK > /proc/sys/net/ipv4/ip_conntrack_max
[ -w /proc/sys/net/nf_conntrack_max ] && echo $MAX_CONNTRACK > /proc/sys/net/nf_conntrack_max

# Start-Policies
$IPT -t filter -P INPUT $START_POLICY
$IPT -t filter -P OUTPUT $START_POLICY
$IPT -t filter -P FORWARD $START_POLICY

$IPT -t filter -F INPUT
$IPT -t filter -F OUTPUT
$IPT -t filter -F FORWARD

$IPT -t nat -F PREROUTING
$IPT -t nat -F OUTPUT
$IPT -t nat -F POSTROUTING

$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT

$IPT -t filter -F INETIN > /dev/null 2>&1
$IPT -t filter -X INETIN > /dev/null 2>&1
$IPT -t filter -N INETIN > /dev/null 2>&1

$IPT -t filter -F INETOUT > /dev/null 2>&1
$IPT -t filter -X INETOUT > /dev/null 2>&1
$IPT -t filter -N INETOUT > /dev/null 2>&1

$IPT -t filter -F UDPOUT > /dev/null 2>&1
$IPT -t filter -X UDPOUT > /dev/null 2>&1
$IPT -t filter -N UDPOUT > /dev/null 2>&1

$IPT -t filter -F $DROP > /dev/null 2>&1
$IPT -t filter -X $DROP > /dev/null 2>&1
$IPT -t filter -N $DROP > /dev/null 2>&1

export PATH=$ORG_PATH
}

# ENDE prep_wall



case "$1" in

# Installiert Runlevel-Links auf Debian
debian-install)
/usr/sbin/update-rc.d firewall start 36 0 6 . start 41 S .
export PATH=$ORG_PATH
exit 0
;;

# Installiert Runlevel-Links unter SuSE 7.3
suse7-install)
cd /etc/init.d
if [ ! -d rc2.d ] ; then
	echo "Init Directory not found."
	export PATH=$ORG_PATH
	exit 1
fi

cd rc2.d
ln -s ../firewall ./S06firewall
cd ../rc3.d
ln -s ../firewall ./S06firewall
cd ../rc5.d
ln -s ../firewall ./S06firewall
export PATH=$ORG_PATH
exit 0
;;

suse-install)
/sbin/chkconfig --add $0
exit 0
;;

redhat-install)
/sbin/chkconfig $0 on
exit 0
;;

stop)
echo -n "Stopping Firewall... "
prep_wall
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT

export PATH=$ORG_PATH
echo "done."
exit 0
;;

restart|reload|force-reload)
$0 stop && $0 start
export PATH=$ORG_PATH
exit 0
;;

start)
################################################################
## Firewall starten ############################################
################################################################
echo -n "Starting Firewall... "

prep_wall

for iface in $INET_IFACE ; do
	$IPT -t filter -A INPUT -i $iface -j INETIN
	$IPT -t filter -A OUTPUT -o $iface -j INETOUT
done

# IPs blocken die unmoeglich aus dem oeffentlichen Netz kommen koennen.
for ip in $BAD_EXT_IP; do
	$IPT -t filter -A INETIN -s $ip -j $DROP
	$IPT -t filter -A INETIN -d $ip -j $DROP
	$IPT -t filter -A INETOUT -d $ip -j $DROP
done

for iface in $INNER_IFACE ; do
	$IPT -t filter -A INPUT -i $iface -j ACCEPT
	$IPT -t filter -A OUTPUT -o $iface -j ACCEPT
done

if [ $FORWARD -eq 1 ] ; then
	for subnet in $FORWARD_NET ; do
		$IPT -t filter -A FORWARD -s $subnet -o $INET_IFACE -j INETOUT
		$IPT -t filter -A FORWARD -d $subnet -i $INET_IFACE -j INETIN
		$IPT -t filter -A FORWARD -s $subnet -o $INNER_IFACE -j ACCEPT
		$IPT -t filter -A FORWARD -d $subnet -i $INNER_IFACE -j ACCEPT
		$IPT -t nat -A POSTROUTING -s $subnet -o $INET_IFACE -j MASQUERADE
	done
fi

for loip in $LO_IP ; do
	$IPT -t filter -A INPUT -i $LO_IFACE -j ACCEPT
	$IPT -t filter -A OUTPUT -o $LO_IFACE -j ACCEPT
done

if [ "$LOG_ALL" = "yes" ] ; then
	$IPT -t filter -A $DROP -m limit --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"

else
	for port in $LOG_TCP ; do
		$IPT -t filter -A $DROP -p tcp --dport $port  -m limit --limit 1/s --limit-burst 10 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"
	done

	for port in $LOG_UDP ; do
		$IPT -t filter -A $DROP -p udp --dport $port  -m limit --limit 1/s --limit-burst 10 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"
	done
fi

$IPT -t filter -A $DROP -d 255.255.255.255 -j DROP
$IPT -t filter -A $DROP -p tcp -m limit --limit 100/s --limit-burst 200 -j $DROP_TCP
$IPT -t filter -A $DROP -p udp -m limit --limit 100/s --limit-burst 200 -j $DROP_OTHER
$IPT -t filter -A $DROP -j DROP

# ICMP Traffic Policy
$IPT -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETIN -p icmp --icmp-type redirect -j $DROP
$IPT -t filter -A INETIN -p icmp ! --icmp-type echo-request -j ACCEPT


# Boese Hosts sperren
for host in $BLOCK_HOST ; do
        $IPT -t filter -A INETIN -s $host -j $DROP
        $IPT -t filter -A INETOUT -d $host -j $DROP
done

# Verwandte und bestehende Connections durchlassen...
$IPT -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Hosts die auf alles zugreifen duerfen..
for host in $ALLOW_HOST ; do
        $IPT -t filter -A INETIN -s $host -j ACCEPT
done

for pair in $BLOCK_CONN_TCP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	ip=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	if [ "$port" = "*" ] ; then
		$IPT -t filter -A INETIN -p tcp -d $ip  -m state --state NEW  -j $DROP
	else
		$IPT -t filter -A INETIN -p tcp -d $ip  --dport $port -m state --state NEW  -j $DROP
	fi
done

for pair in $BLOCK_CONN_UDP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	ip=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	if [ "$port" = "*" ] ; then
		$IPT -t filter -A INETIN -p udp -d $ip -j $DROP
	else
		$IPT -t filter -A INETIN -p udp -d $ip  --dport $port -j $DROP
	fi
done

# Zusaetzliche Ports fuer Netze freigeben
for pair in $ALLOW_TCP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	host=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	$IPT -t filter -A INETIN -p tcp -s $host --dport $port -m state --state NEW  -j ACCEPT
done

for pair in $ALLOW_UDP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	host=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	$IPT -t filter -A INETIN -p udp -s $host --dport $port -j ACCEPT
	$IPT -t filter -A INETOUT -p udp -d $host --sport $port -j ACCEPT
done

if [ "$DHCP_CLIENT" = "yes" ] ; then
	$IPT -t filter -A INETIN -p udp --dport 67:68 --sport 67:68 -j ACCEPT
	$IPT -t filter -A INETOUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
fi

if [ "$FTP" = "yes" ] ; then
	for host in $FTP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 21 -m state --state NEW -j ACCEPT
	done
	if [ -s /etc/proftpd.conf ] ; then
		PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
		if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd.d/passive_ports.conf ]  ; then
			PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.d/passive_ports.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
		fi
		if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd.d/55-passive-ports.conf ] ; then
			PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.d/55-passive-ports.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
		fi
		if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd/conf.d/*.conf ] ; then
			PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd/conf.d/*.conf | tail -n1 | sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
		fi
	elif [ -s /etc/vsftpd.conf ] ; then
		PASV_MIN=`grep ^pasv_min_port /etc/vsftpd.conf | sed -r 's/^pasv_min_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
		PASV_MAX=`grep ^pasv_max_port /etc/vsftpd.conf | sed -r 's/^pasv_max_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
		if [ -n "${PASV_MAX}" -a -n "${PASV_MIN}" ] ; then
			if [ "${PASV_MAX}" -gt "${PASV_MIN}" ] ; then
				PASSIVE_PORTS=${PASV_MIN}:${PASV_MAX}
			fi
		fi
	elif [ -s /etc/vsftpd/vsftpd.conf ] ; then
		PASV_MIN=`grep ^pasv_min_port /etc/vsftpd/vsftpd.conf | sed -r 's/^pasv_min_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
		PASV_MAX=`grep ^pasv_max_port /etc/vsftpd/vsftpd.conf | sed -r 's/^pasv_max_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
		if [ -n "${PASV_MAX}" -a -n "${PASV_MIN}" ] ; then
			if [ "${PASV_MAX}" -gt "${PASV_MIN}" ] ; then
				PASSIVE_PORTS=${PASV_MIN}:${PASV_MAX}
			fi
		fi
	elif [ -s /etc/pure-ftpd/pure-ftpd.conf ] ; then
		PASSIVE_PORTS=`grep ^PassivePortRange /etc/pure-ftpd/pure-ftpd.conf  |  sed  -r 's/PassivePortRange\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
	fi
	if [ -n "${PASSIVE_PORTS}" ] ; then
		$IPT -t filter -I INETIN -p tcp -s 0/0 --dport ${PASSIVE_PORTS} -j ACCEPT
	fi
fi

if [ "$SSH" = "yes" ] ; then
	for host in $SSH_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 22 -m state --state NEW -j ACCEPT
	done
fi

if [ "$TELNET" = "yes" ] ; then
	for host in $TELNET_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 23 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SMTP" = "yes" ] ; then
	for host in $SMTP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 25 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SMTPS" = "yes" ] ; then
        for host in $SMTPS_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 465 -m state --state NEW -j ACCEPT
        done
fi

if [ "$SMTP_MSA" = "yes" ] ; then
        for host in $SMTP_MSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 587 -m state --state NEW -j ACCEPT
        done
fi

if [ "$DNS" = "yes" ] ; then
	for host in $DNS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 53 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 53 -j ACCEPT
	done
fi

if [ "$HTTP" = "yes" ] ; then
	for host in $HTTP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 80 -m state --state NEW -j ACCEPT
	done
fi

if [ "$HTTPS" = "yes" ] ; then
	for host in $HTTPS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 443 -m state --state NEW -j ACCEPT
	done
fi

if [ "$HTTP_PSA" = "yes" ] ; then
        for host in $HTTP_PSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 8880 -m state --state NEW -j ACCEPT
        done
fi

if [ "$HTTPS_PSA" = "yes" ] ; then
        for host in $HTTPS_PSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 8443 -m state --state NEW -j ACCEPT
        done
fi


if [ "$POP3" = "yes" ] ; then
	for host in $POP3_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 110 -m state --state NEW -j ACCEPT
	done
fi

if [ "$POP3S" = "yes" ] ; then
        for host in $POP3S_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 995 -m state --state NEW -j ACCEPT
        done
fi

if [ "$POPPASSWD" = "yes" ] ; then
        for host in $POPPASSWD_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 106 -m state --state NEW -j ACCEPT
        done
fi

if [ "$IMAP" = "yes" ] ; then
	for host in $IMAP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 143 -m state --state NEW -j ACCEPT
	done
fi

if [ "$IMAPS" = "yes" ] ; then
        for host in $IMAPS_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 993 -m state --state NEW -j ACCEPT
        done
fi


if [ "$BACKUP" = "yes" ] ; then
	for host in $BACKUP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10080 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 10080 -j ACCEPT
	done
fi

if [ "$MYSQL" = "yes" ] ; then
	for host in $MYSQL_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 3306 -m state --state NEW -j ACCEPT
	done
fi

if [ "$WEBMIN" = "yes" ] ; then
	for host in $WEBMIN_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10000 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 10000 -j ACCEPT
	done
fi

if [ "$AUTODNS" = "yes" ] ; then
	for host in $AUTODNS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10001 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SYSLOG" = "yes" ] ; then
	for host in $SYSLOG_ALLOW ; do
		$IPT -t filter -A INETIN -p udp -s $host --dport 514 -j ACCEPT
	done
fi

if [ "$TFTP" = "yes" ] ; then
	for host in $TFTP_ALLOW ; do
		$IPT -t filter -A INETIN -p udp -s $host --dport 69 -j ACCEPT
		$IPT -t filter -A INETOUT -p udp -d $host --sport 69 -j ACCEPT
	done
fi

## HOST OBJECT RULES

if [ -f /etc/init.d/firewall.custom ] ; then
 echo "/etc/init.d/firewall.custom is deprecated, please move to /etc/firewall.custom"
 . /etc/init.d/firewall.custom
fi
if [ -f /etc/firewall.custom ] ; then
 . /etc/firewall.custom
fi

$IPT -t filter -A INETIN -j $DROP

$IPT -t filter -A INETOUT -p udp -m multiport --dports 53,123 -j UDPOUT
if [ "$DNS" = "yes" ] ; then
        RESOLVER_IPS="$RESOLVER_IPS $DNS_ALLOW"
        $IPT -t filter -A INETOUT -p udp --dport 1024:65535 -j ACCEPT
fi
for IP in ${RESOLVER_IPS} ; do
	$IPT -t filter -A UDPOUT -d ${IP} -j ACCEPT
done
$IPT -t filter -A INETOUT -p udp -j $DROP

$IPT -t filter -A INETOUT -j ACCEPT

$IPT -t filter -A INPUT -j $DROP
$IPT -t filter -P INPUT $END_POLICY

$IPT -t filter -A OUTPUT -j $DROP
$IPT -t filter -P OUTPUT $END_POLICY

$IPT -t filter -A FORWARD -j $DROP
$IPT -t filter -P FORWARD $END_POLICY

echo "done."
################################################################
## Firewall ist gestartet. #####################################
################################################################
export PATH=$ORG_PATH
exit 0
;;


*)
echo "Usage: /etc/init.d/firewall {start|stop|reload|force-reload|restart|debian-install|suse7-install|suse-install|redhat-install}"
export PATH=$ORG_PATH
exit 1
;;

esac
export PATH=$ORG_PATH
exit 0
