#!/usr/bin/bash
# Firewall Script (C) 2003 InterNetX GmbH
# Sebastian Wiesinger <sebastian.wiesinger@internetx.de>
# Carsten Schoene <carsten.schoene@internetx.de>
# $LastChangedDate: 2012-06-26 12:26:08 +0200 (Di, 26. Jun 2012) $
# $Rev: 1470 $
### BEGIN INIT INFO
# Provides: firewall6
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the internetx firewall6
### END INIT INFO
#
# chkconfig: 35 91 79
# description: Start the internetx firewall6
#
################################################################
## Haupteinstellungen ##########################################
################################################################
# ACHTUNG! Anpassungen werden bei update überschrieben         #
# Firewall Anpassungen zwingend in                             #
# /etc/firewall.config bzw. /etc/firewall6.config vornehmen    #
################################################################

# Interface(s) extern
INET_IFACE="`ip -4 route show default | awk '{print $5}' || echo eth0`"

# Interface(s) intern 
# Diese Interfaces werden nicht gefiltert
INNER_IFACE=""

# Loglevel, 4 = warning
LOG_LEVEL="4"

# Ist der Rechner ein Gateway?
# Ist nur von Belang wenn das Feature im Kernel aktiviert ist.
# Syntax: FORWARD="0/1 (1=ja, 0=nein)
# FORWARD_NET gibt die internen Netze an, welche geforwardet werden.
FORWARD="0"
FORWARD_NET=""

RESOLVER_IPS="2001:4178:2:13:62:116:162:126 2001:4178:2:13::126 2001:4178:2:14::126 2001:4178:2:10::6 2001:4178:2:10::7 2a01:440:12:0:46:253:114:114 2a01:440:12::114"
################################################################
## Dienste #####################################################
################################################################
#
# Der Dienst kann jeweils an- oder abgeschaltet werden, die jeweiligen
# *_ALLOW Variablen regeln den Zugriff, ::/0 ist Zugriff fuer alle, ansonsten
# Notation als IP oder als Netzschreibweise (vorzugsweise CIDR)

DHCP_CLIENT="yes"

FTP="yes"
FTP_ALLOW="::/0"

SSH="yes"
SSH_ALLOW="2001:4178:2:2::/64 2001:4178:2:74::/64 2001:4178:2:13::144 2001:4178:2:2::b00b 2001:4178:2:10:85:236:36:11 2001:4178:2:10:85:236:36:68 2001:4178:2:10:85:236:36:71 2001:4178:2:10:85:236:36:72 2001:4178:2:10:85:236:36:73"

TELNET="no"
TELNET_ALLOW=""

SMTP="yes"
SMTP_ALLOW="::/0"

SMTPS="yes"
SMTPS_ALLOW="::/0"

SMTP_MSA="yes"
SMTP_MSA_ALLOW="::/0"

DNS="no"
DNS_ALLOW="::/0"

HTTP="yes"
HTTP_ALLOW="::/0"

POP3="yes"
POP3_ALLOW="::/0"

POP3S="yes"
POP3S_ALLOW="::/0"

IMAP="yes"
IMAP_ALLOW="::/0"

IMAPS="yes"
IMAPS_ALLOW="::/0"

HTTPS="yes"
HTTPS_ALLOW="::/0"

HTTP_PSA="yes"
HTTP_PSA_ALLOW="::/0"

HTTPS_PSA="yes"
HTTPS_PSA_ALLOW="::/0"

POPPASSWD="no"
POPPASSWD_ALLOW="::/0"

BACKUP="no"
BACKUP_ALLOW=""

MYSQL="yes"
MYSQL_ALLOW="::/0"

WEBMIN="no"
WEBMIN_ALLOW="::/0"

AUTODNS="no"
AUTODNS_ALLOW=""

SYSLOG="no"
SYSLOG_ALLOW="::/0"

TFTP="no"
TFTP_ALLOW="::/0"

# Zusaetzliche Ports fuer bestimmte IPs/Netze freigeben
# Syntax: ALLOW_TCP/UDP="<port>#<netz> <port>#<netz> ..."
# z.B.:   ALLOW_TCP="6667#2001:4178::/32 6667#2001:4178:2:2::/64 995#::/0"

ALLOW_TCP="2222#::/0"
ALLOW_UDP=""

# Alle IPs/Netze die hier stehen duerfen immer auf alles zugreifen.
# Vorsicht, Sicherheitsgefahr!
# ff02::12 = vrrp ipv6 multicast
ALLOW_HOST=""

# IPs/Netze komplett sperren
# 2002::/16 = 6to4
BLOCK_HOST="2002::/16"

# Eingehende Verbindungen fuer bestimmte lokale IPs unterbinden, komplett
# oder per Port:
# Syntax: BLOCK_CONN_TCP/UDP="<port/*>#<ip> <port/*>#<ip> ..."
# z.B.: BLOCK_CONN_TCP/UDP="*#2001:4178:99::1 22#2001:4718:100::17"
BLOCK_CONN_TCP=""
BLOCK_CONN_UDP=""

# Achtung, geloggt wird _nach_ den erlaubten Verbindungen,
# d.h. es werden nur geblockte Verbindungen geloggt.
# Syntax: LOG_TCP/UDP="<port> <port> ..."
LOG_TCP=""
LOG_UDP=""

# Debug Log, es werden alle geblockten Pakete geloggt.

LOG_ALL="no"

# Groesse der ip_conntrack table
MAX_CONNTRACK="1500000"

################################################################
## Ab hier keine User-Config. ##################################
## Nur aendern wenn wirklich noetig! ###########################
################################################################

if [ -f /etc/firewall6.config ] ; then
 . /etc/firewall6.config
fi

FW_START_MODE=$1
export FW_START_MODE
export ORG_PATH=$PATH
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"

function prep_wall () {

IPT_PRE=`which ip6tables`
IPT_VER=`${IPT_PRE} --version|awk '{print $2}'`
MAJOR=`echo ${IPT_VER} | awk -F. '{print $2}'`
MINOR=`echo ${IPT_VER} | awk -F. '{print $3}'`
if [ "${MAJOR}" -ge "4" ] && [ "${MAJOR}" -lt "5" ] ; then
        if [ "${MINOR}" -ge "22" ] ; then
                IPT_OPT=" -w 1"
        elif [ "${MINOR}" -ge "20" ] ; then
                IPT_OPT=" -w"
        else
                IPT_OPT=""
        fi
elif [ "${MAJOR}" -ge "5" ] ; then
        IPT_OPT=" -w 1"
else
        IPT_OPT=""
fi

IPT="`which ip6tables` ${IPT_OPT}"
#IPT="/bin/echo"
MP=`which modprobe`
#MP="/bin/echo"
SED=`which sed`

LOG_PREFIX="[IP6TABLES DROP] : "

LO_IFACE="lo"
LO_IP="::1"

MONITOR="2001:4178:3:2:85:236:33:9 2001:4178:3:a002::/64"
ALLOW_HOST="$ALLOW_HOST $MONITOR"

# Wie werden Pakete gedroppt?
DROP="DROPPER6" # DROPPER ist eine Chain die gemaess RFCs blockt
DROP_TCP="REJECT --reject-with tcp-reset"
DROP_OTHER="REJECT"

START_POLICY="ACCEPT"
END_POLICY="DROP"

# Module laden...
MODULES="ip6_tables ip6table_filter ip6table_mangle xt_limit xt_state ip6t_REJECT ip6t_LOG"
#NOTE: 4.19 kernel merged nf_conntrack_ipv{4,6} into nf_conntrack
KVER=`uname -r | sed -r 's/([0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2})-.*/\1/'`
KMAJ=`echo ${KVER} | awk -F. '{print $1}'`
KMIN=`echo ${KVER} | awk -F. '{print $2}'`
KREL=`echo ${KVER} | awk -F. '{print $3}'`
if [ "${KMAJ}" -ge "4" ] ; then
	if [ "${KMIN}" -ge "18" ] ; then
		MODULES="${MODULES} nf_conntrack"
        elif [ "${KMAJ}" -gt "4" ] ; then
                MODULES="${MODULES} nf_conntrack"
	else
		MODULES="${MODULES} nf_conntrack_ipv6"
	fi
else
	MODULES="${MODULES} nf_conntrack_ipv6"
fi

for modul in $MODULES ; do
        modul2=`echo ${modul} | sed -e s/^ip_/nf_/g`
        modul3=`echo ${modul} | sed -e s/^ipt_/xt_/g | sed -e s/^ip6t_/xt_/g`
        if [ -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul}.o -o \
             -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul}.ko* -o \
             -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul}.ko* -o \
             -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul2}.o -o \
             -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul2}.ko* -o \
             -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul2}.ko* -o \
             -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul3}.o -o \
             -e /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/${modul3}.ko* -o \
             -e /lib/modules/$(uname -r)/kernel/net/netfilter/${modul3}.ko* ] ; then
                $MP $modul >/dev/null 2>&1
                $MP $modul2 >/dev/null 2>&1
                $MP $modul3 >/dev/null 2>&1
	else
		echo "Kernel-Modul $modul nicht gefunden. Wenn nicht benoetigt bitte aus der Modulliste entfernen. Firewall NICHT GESTARTET."
		if [ "$FW_START_MODE" = "start" ] ; then
			export PATH=$ORG_PATH
			exit 1
		fi
	fi
done

# Kernel Parameter setzen

# Forwarding
[ -w /proc/sys/net/ipv6/conf/default/forwarding ] && echo $FORWARD > /proc/sys/net/ipv6/conf/default/forwarding

# Groesse des Connection Trackers
[ -w /proc/sys/net/nf_conntrack_max ] && echo $MAX_CONNTRACK > /proc/sys/net/nf_conntrack_max

# Start-Policies
$IPT -t filter -P INPUT $START_POLICY
$IPT -t filter -P OUTPUT $START_POLICY
$IPT -t filter -P FORWARD $START_POLICY

$IPT -t filter -F INPUT
$IPT -t filter -F OUTPUT
$IPT -t filter -F FORWARD

$IPT -t mangle -F PREROUTING
$IPT -t mangle -F OUTPUT

$IPT -t filter -F INETIN > /dev/null 2>&1
$IPT -t filter -X INETIN > /dev/null 2>&1
$IPT -t filter -N INETIN > /dev/null 2>&1

$IPT -t filter -F INETOUT > /dev/null 2>&1
$IPT -t filter -X INETOUT > /dev/null 2>&1
$IPT -t filter -N INETOUT > /dev/null 2>&1

$IPT -t filter -F UDPOUT > /dev/null 2>&1
$IPT -t filter -X UDPOUT > /dev/null 2>&1
$IPT -t filter -N UDPOUT > /dev/null 2>&1

$IPT -t filter -F $DROP > /dev/null 2>&1
$IPT -t filter -X $DROP > /dev/null 2>&1
$IPT -t filter -N $DROP > /dev/null 2>&1

export PATH=$ORG_PATH
}

# ENDE prep_wall



case "$1" in

# Installiert Runlevel-Links auf Debian
debian-install)
/usr/sbin/update-rc.d firewall6 start 36 0 6 . start 41 S .
export PATH=$ORG_PATH
exit 0
;;

# Installiert Runlevel-Links unter SuSE 7.3
suse-install)
cd /etc/init.d
if [ ! -d rc2.d ] ; then
	echo "Init Directory not found."
	export PATH=$ORG_PATH
	exit 1
fi

cd rc2.d
ln -s ../firewall6 ./S06firewall6
cd ../rc3.d
ln -s ../firewall6 ./S06firewall6
cd ../rc5.d
ln -s ../firewall6 ./S06firewall6
export PATH=$ORG_PATH
exit 0
;;

stop)
echo -n "Stopping Firewall6... "
prep_wall
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT

export PATH=$ORG_PATH
echo "done."
exit 0
;;

restart|reload|force-reload)
$0 stop && $0 start
export PATH=$ORG_PATH
exit 0
;;

start)
################################################################
## Firewall starten ############################################
################################################################
echo -n "Starting Firewall6... "

prep_wall

for iface in $INET_IFACE ; do
	$IPT -t filter -A INPUT -i $iface -j INETIN
	$IPT -t filter -A OUTPUT -o $iface -j INETOUT
done

# IPs blocken die unmoeglich aus dem oeffentlichen Netz kommen koennen.
for ip in $BAD_EXT_IP; do
	$IPT -t filter -A INETIN -s $ip -j $DROP
	$IPT -t filter -A INETIN -d $ip -j $DROP
	$IPT -t filter -A INETOUT -d $ip -j $DROP
done

for iface in $INNER_IFACE ; do
	$IPT -t filter -A INPUT -i $iface -j ACCEPT
	$IPT -t filter -A OUTPUT -o $iface -j ACCEPT
done

if [ $FORWARD -eq 1 ] ; then
	# RFC 4890
	for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 128 129 130 131 132 133 141 142 143 148 149 151 152 153
	do
		$IPT -A FORWARD -p icmpv6 --icmpv6-type $icmptype -j ACCEPT
	done
fi

for iface in $INNER_IFACE ; do
    if [ $FORWARD -eq 1 ] ; then
        for subnet in $FORWARD_NET ; do
		for eface in $INET_IFACE ; do
	                $IPT -t filter -A FORWARD -s $subnet -o $eface -j INETOUT
        	        $IPT -t filter -A FORWARD -d $subnet -i $eface -j INETIN
		done
                $IPT -t filter -A FORWARD -s $subnet -o $iface -j ACCEPT
                $IPT -t filter -A FORWARD -d $subnet -i $iface -j ACCEPT
        done
     fi
done

for loip in $LO_IP ; do
	$IPT -t filter -A INPUT -i $LO_IFACE -j ACCEPT
	$IPT -t filter -A OUTPUT -o $LO_IFACE -j ACCEPT
done

if [ "$LOG_ALL" = "yes" ] ; then
	$IPT -t filter -A $DROP -m limit --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"

else
	for port in $LOG_TCP ; do
		$IPT -t filter -A $DROP -p tcp --dport $port  -m limit --limit 1/s --limit-burst 10 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"
	done

	for port in $LOG_UDP ; do
		$IPT -t filter -A $DROP -p udp --dport $port  -m limit --limit 1/s --limit-burst 10 -j LOG --log-level $LOG_LEVEL --log-prefix "$LOG_PREFIX"
	done
fi

$IPT -t filter -A $DROP -p tcp -m limit --limit 100/s --limit-burst 200 -j $DROP_TCP
$IPT -t filter -A $DROP -p udp -m limit --limit 100/s --limit-burst 200 -j $DROP_OTHER
$IPT -t filter -A $DROP -j DROP

# ICMP Traffic Policy
$IPT -t filter -A INETIN -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETIN -p icmpv6 --icmpv6-type 129 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETIN -p icmpv6 --icmpv6-type 135 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETIN -p icmpv6 --icmpv6-type 136 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETOUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETOUT -p icmpv6 --icmpv6-type 129 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETOUT -p icmpv6 --icmpv6-type 135 -m limit --limit 10/s -j ACCEPT
$IPT -t filter -A INETOUT -p icmpv6 --icmpv6-type 136 -m limit --limit 10/s -j ACCEPT


# Boese Hosts sperren
for host in $BLOCK_HOST ; do
        $IPT -t filter -A INETIN -s $host -j $DROP
        $IPT -t filter -A INETOUT -d $host -j $DROP
done

# Verwandte und bestehende Connections durchlassen...
$IPT -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Hosts die auf alles zugreifen duerfen..
for host in $ALLOW_HOST ; do
        $IPT -t filter -A INETIN -s $host -j ACCEPT
done

for pair in $BLOCK_CONN_TCP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	ip=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	if [ "$port" = "*" ] ; then
		$IPT -t filter -A INETIN -p tcp -d $ip  -m state --state NEW  -j $DROP
	else
		$IPT -t filter -A INETIN -p tcp -d $ip  --dport $port -m state --state NEW  -j $DROP
	fi
done

for pair in $BLOCK_CONN_UDP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	ip=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	if [ "$port" = "*" ] ; then
		$IPT -t filter -A INETIN -p udp -d $ip -j $DROP
	else
		$IPT -t filter -A INETIN -p udp -d $ip  --dport $port -j $DROP
	fi
done

# Zusaetzliche Ports fuer Netze freigeben
for pair in $ALLOW_TCP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	host=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	$IPT -t filter -A INETIN -p tcp -s $host --dport $port -m state --state NEW  -j ACCEPT
done

for pair in $ALLOW_UDP ; do
	port=`echo $pair | $SED -e 's/^\([^#]\+\)#.*$/\1/'`
	host=`echo $pair | $SED -e 's/^[^#]\+#\(.*\)$/\1/'`
	$IPT -t filter -A INETIN -p udp -s $host --dport $port -j ACCEPT
	$IPT -t filter -A INETOUT -p udp -d $host --sport $port -j ACCEPT
done

if [ "$DHCP_CLIENT" = "yes" ] ; then
	$IPT -t filter -A INETIN -p udp -d fe80::/10 --dport 546:547 --sport 546:547 -j ACCEPT
	$IPT -t filter -A INETOUT -p udp -s fe80::/10 --dport 546:547 --sport 546:547 -j ACCEPT
fi

if [ "$FTP" = "yes" ] ; then
        for host in $FTP_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 21 -m state --state NEW -j ACCEPT
        done
        if [ -s /etc/proftpd.conf ] ; then
                PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
                if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd.d/passive_ports.conf ]  ; then
                        PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.d/passive_ports.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
                fi
                if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd.d/55-passive-ports.conf ] ; then
                        PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd.d/55-passive-ports.conf |  sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
                fi
		if [ -z "${PASSIVE_PORTS}" ] && [ -s /etc/proftpd/conf.d/*.conf ] ; then
                        PASSIVE_PORTS=`grep ^PassivePorts /etc/proftpd/conf.d/*.conf | tail -n1 | sed  -r 's/PassivePorts\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
                fi
        elif [ -s /etc/vsftpd.conf ] ; then
                PASV_MIN=`grep ^pasv_min_port /etc/vsftpd.conf | sed -r 's/^pasv_min_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
                PASV_MAX=`grep ^pasv_max_port /etc/vsftpd.conf | sed -r 's/^pasv_max_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
                if [ -n "${PASV_MAX}" -a -n "${PASV_MIN}" ] ; then
                        if [ "${PASV_MAX}" -gt "${PASV_MIN}" ] ; then
                                PASSIVE_PORTS=${PASV_MIN}:${PASV_MAX}
                        fi
                fi
        elif [ -s /etc/vsftpd/vsftpd.conf ] ; then
                PASV_MIN=`grep ^pasv_min_port /etc/vsftpd/vsftpd.conf | sed -r 's/^pasv_min_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
                PASV_MAX=`grep ^pasv_max_port /etc/vsftpd/vsftpd.conf | sed -r 's/^pasv_max_port\s+?=\s+?([1-9][0-9]{1,4}?)/\1/'`
                if [ -n "${PASV_MAX}" -a -n "${PASV_MIN}" ] ; then
                        if [ "${PASV_MAX}" -gt "${PASV_MIN}" ] ; then
                                PASSIVE_PORTS=${PASV_MIN}:${PASV_MAX}
                        fi
                fi
        elif [ -s /etc/pure-ftpd/pure-ftpd.conf ] ; then
                PASSIVE_PORTS=`grep ^PassivePortRange /etc/pure-ftpd/pure-ftpd.conf  |  sed  -r 's/PassivePortRange\s+([1-9][0-9]{1,4}?+\s[1-9][0-9]{1,4}?+).*/\1/' | sed -e s/" "/":"/`
        fi
        if [ -n "${PASSIVE_PORTS}" ] ; then
                $IPT -t filter -I INETIN -p tcp -s 0/0 --dport ${PASSIVE_PORTS} -j ACCEPT
        fi
fi

if [ "$SSH" = "yes" ] ; then
	for host in $SSH_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 22 -m state --state NEW -j ACCEPT
	done
fi

if [ "$TELNET" = "yes" ] ; then
	for host in $TELNET_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 23 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SMTP" = "yes" ] ; then
	for host in $SMTP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 25 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SMTPS" = "yes" ] ; then
        for host in $SMTPS_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 465 -m state --state NEW -j ACCEPT
        done
fi

if [ "$SMTP_MSA" = "yes" ] ; then
        for host in $SMTP_MSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 587 -m state --state NEW -j ACCEPT
        done
fi

if [ "$DNS" = "yes" ] ; then
	for host in $DNS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 53 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 53 -j ACCEPT
	done
fi

if [ "$HTTP" = "yes" ] ; then
	for host in $HTTP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 80 -m state --state NEW -j ACCEPT
	done
fi

if [ "$HTTPS" = "yes" ] ; then
	for host in $HTTPS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 443 -m state --state NEW -j ACCEPT
	done
fi

if [ "$HTTP_PSA" = "yes" ] ; then
        for host in $HTTP_PSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 8880 -m state --state NEW -j ACCEPT
        done
fi

if [ "$HTTPS_PSA" = "yes" ] ; then
        for host in $HTTPS_PSA_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 8443 -m state --state NEW -j ACCEPT
        done
fi

if [ "$POP3" = "yes" ] ; then
	for host in $POP3_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 110 -m state --state NEW -j ACCEPT
	done
fi

if [ "$POP3S" = "yes" ] ; then
        for host in $POP3S_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 995 -m state --state NEW -j ACCEPT
        done
fi

if [ "$POPPASSWD" = "yes" ] ; then
        for host in $POPPASSWD_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 106 -m state --state NEW -j ACCEPT
        done
fi

if [ "$IMAP" = "yes" ] ; then
	for host in $IMAP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 143 -m state --state NEW -j ACCEPT
	done
fi

if [ "$IMAPS" = "yes" ] ; then
        for host in $IMAPS_ALLOW ; do
                $IPT -t filter -A INETIN -p tcp -s $host --dport 993 -m state --state NEW -j ACCEPT
        done
fi

if [ "$BACKUP" = "yes" ] ; then
	for host in $BACKUP_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10080 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 10080 -j ACCEPT
	done
fi

if [ "$MYSQL" = "yes" ] ; then
	for host in $MYSQL_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 3306 -m state --state NEW -j ACCEPT
	done
fi

if [ "$WEBMIN" = "yes" ] ; then
	for host in $WEBMIN_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10000 -m state --state NEW -j ACCEPT
		$IPT -t filter -A INETIN -p udp -s $host --dport 10000 -j ACCEPT
	done
fi

if [ "$AUTODNS" = "yes" ] ; then
	for host in $AUTODNS_ALLOW ; do
		$IPT -t filter -A INETIN -p tcp -s $host --dport 10001 -m state --state NEW -j ACCEPT
	done
fi

if [ "$SYSLOG" = "yes" ] ; then
	for host in $SYSLOG_ALLOW ; do
		$IPT -t filter -A INETIN -p udp -s $host --dport 514 -j ACCEPT
	done
fi

if [ "$TFTP" = "yes" ] ; then
	for host in $TFTP_ALLOW ; do
		$IPT -t filter -A INETIN -p udp -s $host --dport 69 -j ACCEPT
		$IPT -t filter -A INETOUT -p udp -d $host --sport 69 -j ACCEPT
	done
fi

## HOST OBJECT RULES

if [ -f /etc/init.d/firewall6.custom ] ; then
 echo "/etc/init.d/firewall6.custom is deprecated, please move to /etc/firewall6.custom"
 . /etc/init.d/firewall6.custom
fi
if [ -f /etc/firewall6.custom ] ; then
 . /etc/firewall6.custom
fi

$IPT -t filter -A INETIN -j $DROP
$IPT -t filter -A INETOUT -p udp -m multiport --dports 53,123 -j UDPOUT
if [ "$DNS" = "yes" ] ; then
        RESOLVER_IPS="$RESOLVER_IPS $DNS_ALLOW"
        $IPT -t filter -A INETOUT -p udp --dport 1024:65535 -j ACCEPT
fi
for IP in ${RESOLVER_IPS} ; do
        $IPT -t filter -A UDPOUT -d ${IP} -j ACCEPT
done
$IPT -t filter -A INETOUT -p udp -j $DROP
$IPT -t filter -A INETOUT -j ACCEPT

$IPT -t filter -A INPUT -j $DROP
$IPT -t filter -P INPUT $END_POLICY

$IPT -t filter -A OUTPUT -j $DROP
$IPT -t filter -P OUTPUT $END_POLICY

$IPT -t filter -A FORWARD -j $DROP
$IPT -t filter -P FORWARD $END_POLICY

echo "done."
################################################################
## Firewall ist gestartet. #####################################
################################################################
export PATH=$ORG_PATH
exit 0
;;


*)
echo "Usage: /etc/init.d/firewall6 {start|stop|reload|force-reload|restart}"
export PATH=$ORG_PATH
exit 1
;;

esac
export PATH=$ORG_PATH
exit 0
