path: root/core/scripts/iptables.sh

           
 
#!/bin/bash

source /etc/iptables/iptables-conf.sh

iptables_clear () {
    echo "clear all iptables tables"

    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    iptables -t security -F
    iptables -t security -X
    iptables -N blocker

    iptables -N srv_dhcp
    iptables -N srv_rip
    iptables -N srv_icmp
    iptables -N srv_dns_in
    iptables -N srv_dns_out
    iptables -N srv_http_in
    iptables -N srv_http_out
    iptables -N srv_https_in
    iptables -N srv_https_out
    iptables -N srv_ssh_in
    iptables -N srv_ssh_out
    iptables -N srv_git_in
    iptables -N srv_git_out
    iptables -N srv_db_in
    iptables -N srv_db_out


    iptables -N cli_dns_in
    iptables -N cli_dns_out
    iptables -N cli_http_in
    iptables -N cli_http_out
    iptables -N cli_https_in
    iptables -N cli_https_out
    iptables -N cli_ssh_in
    iptables -N cli_ssh_out
    iptables -N cli_pops_in
    iptables -N cli_pops_out
    iptables -N cli_smtps_in
    iptables -N cli_smtps_out
    iptables -N cli_irc_in
    iptables -N cli_irc_out
    iptables -N cli_ftp_in
    iptables -N cli_ftp_out
    iptables -N cli_git_in
    iptables -N cli_git_out
    iptables -N cli_gpg_in
    iptables -N cli_gpg_out

    # Set Default Rules
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
}

iptables_log () {
    ## log everything else and drop
    $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
    $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
    $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
}


iptables_tables () {
    echo "start adding tables..."

    ####### blocker Chain  ######
    ## Block google dns
    $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
    $IPT -A blocker -s 8.8.0.0/24 -j DROP
    ## Block sync
    $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
    $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
    ## Block Fragments
    $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
    $IPT -A blocker -f -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
    $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
    $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    ## Return to caller
    $IPT -A blocker -j RETURN

    ######## DNS Server
    #echo "server_in chain: Allow input to DNS Server"
    $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_in -j RETURN
    #echo "srv_dns_out chain: Allow output from DNS server"
    $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_out -j RETURN

    ####### Database Server
    $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_db_in -j RETURN
    $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A srv_db_out -j RETURN

    ####### SSH Server

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
        --update --seconds 60 --hitcount 4 --rttl \
        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
        --hitcount 4 --rttl --name SSH -j DROP

    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    $IPT -A srv_ssh_in -j RETURN
    $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A srv_ssh_out -j RETURN

    ####### HTTP Server
    $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_http_in -j RETURN
    $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_http_out -j RETURN

    ####### HTTPS Server
    $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_https_in -j RETURN
    $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_https_out -j RETURN

    ###### GIT server
    $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_git_in -j RETURN
    $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_git_out -j RETURN

    ######## DNS Client
    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_dns_out -j RETURN
    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_dns_in -j RETURN

    ######## HTTP Client
    #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP

    $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_http_in -j RETURN
    $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_http_out -j RETURN

    ######## IRC client
    $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_irc_in -j RETURN
    $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_irc_out -j RETURN

    ######## FTP client

    $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ftp_in -j RETURN
    $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ftp_out -j RETURN
    ######## GIT client
    $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_git_in -j RETURN
    $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_git_out -j RETURN

    ######## POP3S client
    $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_pops_in -j RETURN
    $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_pops_out -j RETURN

    ######## SMTPS client
    $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_smtps_in -j RETURN
    $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_smtps_out -j RETURN

    ######## HTTPS client
    $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_https_in -j RETURN
    $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_https_out -j RETURN

    ######## SSH client
    $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_in -j RETURN
    $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_out -j RETURN

    ######## GPG key client
    $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_gpg_in -j RETURN
    $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_gpg_out -j RETURN

    ######## DHCP Server
    $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
    $IPT -A srv_dhcp -j RETURN

    ####### RIP Server
    $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
    $IPT -A srv_rip -j RETURN

    ####### ICMP Server
    $IPT -A srv_icmp -p icmp -j ACCEPT
    $IPT -A srv_icmp -j RETURN
}

case $TYPE in
    bridge)
        iptables_clear
        iptables_tables

        echo "setting bridge network..."
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Unlimited on loopback
        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

        ####### NAT Prerouting Chain  ######

        ####### Forward Chain  ######
        $IPT -A FORWARD -j blocker
        $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        # Tap1 and Tap3 can access external http
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out

        ####### Forward TAP2 ssh, http and https  ######
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
        #
        #        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
        #
        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp

        # Tap1, Tap2 and Tap3 can access external https
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in

        #Less noise
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP

        ####### Input Chain ######
        $IPT -A INPUT -j blocker
        #Less noise
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP

        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in

        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp

        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp

        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in

        ####### Output Chain ######
        $IPT -A OUTPUT -j blocker

        #Less noise
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out

        ####### PostRouting Chain ######
        #Less noise
        #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT

        #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE

        ## log everything else and drop
        iptables_log

        #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
        # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

        iptables-save > /etc/iptables/net.v4
        exit 0
        ;;

    server)
        iptables_clear
        iptables_tables

        echo "setting server network..."

        # Unlimited on loopback
        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

        ####### Input Chain ######
        $IPT -A INPUT -j blocker

	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
        #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in


	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in

        ####### Output Chain ######
        $IPT -A OUTPUT -j blocker

	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
	#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out

	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out

        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out

        ## log everything else and drop
        iptables_log

        iptables-save > /etc/iptables/net.v4
        exit 0

        ;;
    *)

        echo "usage: $0 [start|stop|restart]"
        ;;
esac
#!/bin/bash

source /etc/iptables/iptables-conf.sh

iptables_clear () {
    echo "clear all iptables tables"

    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    iptables -t security -F
    iptables -t security -X
    iptables -N blocker

    iptables -N srv_dhcp
    iptables -N srv_rip
    iptables -N srv_icmp
    iptables -N srv_dns_in
    iptables -N srv_dns_out
    iptables -N srv_http_in
    iptables -N srv_http_out
    iptables -N srv_https_in
    iptables -N srv_https_out
    iptables -N srv_ssh_in
    iptables -N srv_ssh_out
    iptables -N srv_git_in
    iptables -N srv_git_out
    iptables -N srv_db_in
    iptables -N srv_db_out


    iptables -N cli_dns_in
    iptables -N cli_dns_out
    iptables -N cli_http_in
    iptables -N cli_http_out
    iptables -N cli_https_in
    iptables -N cli_https_out
    iptables -N cli_ssh_in
    iptables -N cli_ssh_out
    iptables -N cli_pops_in
    iptables -N cli_pops_out
    iptables -N cli_smtps_in
    iptables -N cli_smtps_out
    iptables -N cli_irc_in
    iptables -N cli_irc_out
    iptables -N cli_ftp_in
    iptables -N cli_ftp_out
    iptables -N cli_git_in
    iptables -N cli_git_out
    iptables -N cli_gpg_in
    iptables -N cli_gpg_out

    # Set Default Rules
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
}

iptables_log () {
    ## log everything else and drop
    $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
    $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
    $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
}


iptables_tables () {
    echo "start adding tables..."

    ####### blocker Chain  ######
    ## Block google dns
    $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
    $IPT -A blocker -s 8.8.0.0/24 -j DROP
    ## Block sync
    $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
    $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
    ## Block Fragments
    $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
    $IPT -A blocker -f -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
    $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
    $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    ## Return to caller
    $IPT -A blocker -j RETURN

    ######## DNS Server
    #echo "server_in chain: Allow input to DNS Server"
    $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_in -j RETURN
    #echo "srv_dns_out chain: Allow output from DNS server"
    $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_dns_out -j RETURN

    ####### Database Server
    $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_db_in -j RETURN
    $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A srv_db_out -j RETURN

    ####### SSH Server

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
        --update --seconds 60 --hitcount 4 --rttl \
        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"

    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
        --hitcount 4 --rttl --name SSH -j DROP

    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    $IPT -A srv_ssh_in -j RETURN
    $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A srv_ssh_out -j RETURN

    ####### HTTP Server
    $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_http_in -j RETURN
    $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_http_out -j RETURN

    ####### HTTPS Server
    $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_https_in -j RETURN
    $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_https_out -j RETURN

    ###### GIT server
    $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A srv_git_in -j RETURN
    $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A srv_git_out -j RETURN

    ######## DNS Client
    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_dns_out -j RETURN
    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_dns_in -j RETURN

    ######## HTTP Client
    #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP

    $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_http_in -j RETURN
    $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_http_out -j RETURN

    ######## IRC client
    $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_irc_in -j RETURN
    $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_irc_out -j RETURN

    ######## FTP client

    $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ftp_in -j RETURN
    $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ftp_out -j RETURN
    ######## GIT client
    $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_git_in -j RETURN
    $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_git_out -j RETURN

    ######## POP3S client
    $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_pops_in -j RETURN
    $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_pops_out -j RETURN

    ######## SMTPS client
    $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_smtps_in -j RETURN
    $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_smtps_out -j RETURN

    ######## HTTPS client
    $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_https_in -j RETURN
    $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_https_out -j RETURN

    ######## SSH client
    $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_in -j RETURN
    $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_ssh_out -j RETURN

    ######## GPG key client
    $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A cli_gpg_in -j RETURN
    $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A cli_gpg_out -j RETURN

    ######## DHCP Server
    $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
    $IPT -A srv_dhcp -j RETURN

    ####### RIP Server
    $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
    $IPT -A srv_rip -j RETURN

    ####### ICMP Server
    $IPT -A srv_icmp -p icmp -j ACCEPT
    $IPT -A srv_icmp -j RETURN
}

case $TYPE in
    bridge)
        iptables_clear
        iptables_tables

        echo "setting bridge network..."
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Unlimited on loopback
        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

        ####### NAT Prerouting Chain  ######

        ####### Forward Chain  ######
        $IPT -A FORWARD -j blocker
        $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT

        # Tap1 and Tap3 can access external http
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out

        ####### Forward TAP2 ssh, http and https  ######
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
        #
        #        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
        #
        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp

        # Tap1, Tap2 and Tap3 can access external https
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in

        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in

        #Less noise
        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP

        ####### Input Chain ######
        $IPT -A INPUT -j blocker
        #Less noise
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP

        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in

        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp

        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp

        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in

        ####### Output Chain ######
        $IPT -A OUTPUT -j blocker

        #Less noise
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out

        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out

        ####### PostRouting Chain ######
        #Less noise
        #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT

        #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE

        ## log everything else and drop
        iptables_log

        #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
        # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

        iptables-save > /etc/iptables/net.v4
        exit 0
        ;;

    server)
        iptables_clear
        iptables_tables

        echo "setting server network..."

        # Unlimited on loopback
        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

        ####### Input Chain ######
        $IPT -A INPUT -j blocker

	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
        #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in


	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in

        ####### Output Chain ######
        $IPT -A OUTPUT -j blocker

	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
	#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out

	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out

        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out

        ## log everything else and drop
        iptables_log

        iptables-save > /etc/iptables/net.v4
        exit 0

        ;;
    *)

        echo "usage: $0 [start|stop|restart]"
        ;;
esac