#!/bin/sh
##################################################################
#

#	
## Variables
## -- interfaces --------------------------------------------------------
IPTABLES="/sbin/iptables"
EXTERNAL="eth0"     # External Interface
INTERNAL_ET="eth1"  # Internal Ethernet Interface
INTERNAL_TR="tr0"   # Internal Tokenring Interface
FW_X="eth2"         # testinterface for backupfirewall

#IP_ADRESSES
## -- networks ----------------------------------------------------------
INTERNAL_OFFICIAL_NET="1.1.1.0/24"
INTERNAL_CLIENT_NET="1.1.3.0/24"
INTERNAL_ROUTER_NET="1.1.4.0/24"
INTERNAL_ROUTER2_NET="1.1.5.0/24"
INTERNAL_ROUTER3_NET="1.1.6.0/24"
INTERNAL_ROUTER4_NET="1.1.7.0/24"
INTERNAL_ROUTER5_NET="1.1.8.0/24"
FIREWALL_CONTROL_NET="1.1.9.0/24"
REMOTEUSER_NET="1.1.10.0/24"
KUNDE_NET="1.1.11.0/24"       # customer network
PARTNER_NET="1.1.12.0/24"

## -- single hosts (as set here they all lie inside INTERNAL_OFFICIAL_NET) --
EXTERNAL_ROUTER_IP="1.1.1.1"
PROXY_REAL_IP="1.1.1.2"
PROXY_NAT_IP="1.1.1.3"        # address the proxy is translated to, see the nat rules
REMOTEUSER_IP="1.1.1.4"
SSH_SERVER_IP="1.1.1.5"       # not referenced by any rule in this script
DNS_IP="1.1.1.6"
VPN_IP="1.1.1.7"
DC_IP="1.1.1.8"
TIMESERVER_IP="1.1.1.9"
VM_IP="1.1.1.10"
INTERNAL_PMC_IP="1.1.1.11"
SAP_IIS_IP="1.1.1.12"
PCANYWERE_IP="1.1.1.13"
MMWKS_IP="1.1.1.14"
ROUTER_IP="1.1.1.15"
INTERNAL_IT_WKS1="1.1.1.15"   # NOTE(review): same address as ROUTER_IP -- rules for one apply to the other; confirm
SSH_WKS_IP="1.1.1.16"
WEBSERVER_IP1="1.1.1.20"
SAP_ROUTER1_IP="1.1.1.20"     # NOTE(review): same address as WEBSERVER_IP1 -- confirm
SAP_ROUTER2_IP="1.1.1.21"
KUNDE_IP="1.1.1.22"           # customer host
KUNDE2_IP="1.1.1.23"
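## Flush Built-in Rules
## Everything from here down to the "case" runs on every invocation, before
## the argument is looked at, so even an unknown argument leaves the host with
## flushed chains and DROP policies.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
## The start/open arms append DNAT/SNAT rules to the nat table; it was not
## flushed here, so every re-run added a second copy of each NAT rule.
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ecn-support cut because problems with some webservers
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
## Special Chains First, INPUT/OUTPUT chains will follow
############################################################################
#
## Special Chains
############################################################################
#
############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.  It is only jumped to from FORWARD (see the
## "Main Stuff" section); INPUT and OUTPUT never consult connection state.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
## ACCEPT NEW connections whose input and output interface are both not the
## external one (internal <-> internal).
## "-i ! x" is the old intrapositioned negation: iptables 1.4.3+ warns about
## it and later releases may reject it; the expected form is "! -i x".
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -o ! $EXTERNAL -m state --state NEW -j ACCEPT
## DROP packets associated with a NEW or "INVALID" connection.
## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
## perhaps a bit redundant.

#Remoteuser
## NOTE(review): this also ACCEPTs INVALID packets (no conntrack entry or
## malformed) addressed to the remote user, bypassing the INVALID DROP two
## rules further down -- confirm this is intended and not a typo for NEW.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -d $REMOTEUSER_IP -m state --state NEW,INVALID -j ACCEPT
## Any new SYN from the remote user is accepted, whatever the destination/port.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $REMOTEUSER_IP --tcp-flags SYN,ACK SYN -j ACCEPT

$IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID -j DROP
## New SYNs from the proxy are accepted to any destination; new SYNs that
## neither come from nor go to the proxy are dropped.  Anything else (UDP,
## ICMP, non-SYN TCP from outside) matches nothing here and RETURNs to the
## calling chain.
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s $PROXY_REAL_IP -d 0/0 --tcp-flags SYN,ACK SYN -j ACCEPT
$IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -d ! $PROXY_REAL_IP --tcp-flags SYN,ACK SYN -j DROP
#tcp-reject for faster connections
#$IPTABLES -A KEEP_STATE -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A KEEP_STATE -j REJECT --reject-with icmp-port-unreachable
############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that the first dozen rules should never match normal traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.
## The chain has no terminal rule: a packet that matches nothing (or exceeds
## one of the rate limits at the end) RETURNs to the caller and is judged there.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
## Each LOG rule is rate-limited; the DROP right after it is not, so the
## packets are always dropped but only some of them are logged.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## Crude payload filter for inbound HTTP: drops any packet whose payload
## contains one of these strings anywhere, so legitimate content that merely
## contains "root" is dropped as well, and nothing is logged.  Current
## xt_string requires an "--algo bm|kmp" argument on this match.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "root" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "cmd.exe" -j DROP
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -p tcp --dport 80 -m string --string "mmc.exe" -j DROP

## Make some types of port scanning annoyingly slow, also provides some protection
## against certain DoS attacks. Adjust for your network. The rule in chain
## KEEP_STATE referring to the INVALID state should catch most TCP packets with
## the RST or FIN bits set that aren't associate with an established connection.
## Still, these will limit the amount of stuff that is accepted through our open ports.
## "-m psd" is not part of stock iptables (patch-o-matic / xtables-addons); if
## the module is missing this line fails and, with no "set -e", the script
## silently carries on without the port-scan log.
$IPTABLES -A CHECK_FLAGS -i $EXTERNAL -m psd -m limit --psd-delay-threshold 3 --limit 1/min -j LOG --log-prefix "Port Scan: "
## Over-limit RST/FIN/SYN packets are not dropped here; they RETURN to the
## calling chain, which decides.
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT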

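# Now, see how we were called

#######################################
# Append the DNAT/SNAT rules to the nat table.  Shared by the "start" and
# "open" arms, which used to carry two hand-pasted copies of this list.
# Globals:   IPTABLES and the interface / address variables (read)
# Outputs:   none; rules are appended to nat PREROUTING and POSTROUTING
#######################################
install_nat_rules() {
  ## Destination NAT -- (DNAT)
  # Redirect traffic for the proxy's NAT address to its real address
  $IPTABLES -t nat -A PREROUTING -d $PROXY_NAT_IP -j DNAT --to $PROXY_REAL_IP

  ## Source NAT -- (SNAT/Masquerading)
  # Proxy: hide its real address behind the NAT address on eth0 and eth1
  $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $PROXY_REAL_IP --to $PROXY_NAT_IP
  # SAP-ROUTER fallback: SAP router 2 also leaves as the proxy's NAT address
  $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_TR -p tcp -j SNAT -s $SAP_ROUTER2_IP --dport  3200:3399 --to $PROXY_NAT_IP
  # KUNDE (customer): anything leaving eth1 for the customer net appears as ROUTER_IP.
  # NOTE(review): SNAT is terminating and this rule has no source restriction,
  # so the two Citrix rules below can never match -- confirm which address the
  # Citrix traffic is meant to use and reorder if it is KUNDE_IP.
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -d $KUNDE_NET --to $ROUTER_IP
  # Citrix to customer
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_OFFICIAL_NET -d $KUNDE_NET --to $KUNDE_IP
  $IPTABLES -t nat -A POSTROUTING -o $INTERNAL_ET -j SNAT -s $INTERNAL_CLIENT_NET -d $KUNDE_NET --to $KUNDE_IP
}

case "$1" in
start)


############################################################################
## Firewall Input Chains
############################################################################
## New chain for input to the external interface
echo " updated"   # leftover status line, printed on every start
#
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input # Flush chain
## Just DROP all unroutables internal Network.
## NOTE(review): only the router net and the client net are anti-spoofed;
## the official net and router nets 2-5 are accepted as sources on the
## external interface (the proxy, whose address lies in the official net, is
## expected from outside, which may be the reason) -- confirm.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
## 224.0.0.0/8 is only the first quarter of the multicast range (224.0.0.0/4).
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## No telnet/ssh to the firewall itself from the outside.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -m multiport --dport 23,22 -j DROP

## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS

## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## On a separate router/firewall, these are redundant and pretty much useless.
## On a host, however, with a default they might serve a purpose.
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP

## ICMP Stuff, we're going to allow some ICMP.
## "-f" matches second and further fragments only.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## DROP all icmp network broadcasts
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP
## Everything else arriving on eth0 for the firewall itself falls through to
## the INPUT chain (MIRROR rule, then policy DROP).

## New chain for input to the internal interface
#
$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_TR-input
$IPTABLES -F INTERNAL_TR-input
$IPTABLES -N FW_X-input
$IPTABLES -F FW_X-input

#allow ping from internal to firewall
## (not limited to ICMP; being an INPUT rule it only matches if the
## firewall's own tr0 address lies in the client net -- presumably it does)
## INTERNAL_ET-input gets no rules at all, so eth1 hosts cannot reach the
## firewall itself.
$IPTABLES -A INTERNAL_TR-input -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT

#Direct communication FW I <-> FW II (ICMP only on the control link)
$IPTABLES -A FW_X-input -i $FW_X -p icmp -s $FIREWALL_CONTROL_NET -j ACCEPT

#
## New chain for input to the loopback interface
$IPTABLES -N lo-input
$IPTABLES -F lo-input
## Accept packets to the loopback interface
$IPTABLES -A lo-input -i lo -j ACCEPT


############################################################################
## Firewall Output Chains
############################################################################

## New chain for output from the external interface
## This chain only DROPs; with the OUTPUT policy at DROP the firewall host
## itself can send nothing out of the external interface.
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output

## Just DROP all outgoing unroutables.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP

#
## New chain for output across the internal interface
$IPTABLES -N INTERNAL_TR-output
$IPTABLES -F INTERNAL_TR-output
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N FW_X-output
$IPTABLES -F FW_X-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_TR-output -o $INTERNAL_ET -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_TR -j ACCEPT
$IPTABLES -A INTERNAL_ET-output -o $INTERNAL_ET -j ACCEPT
#Direct communication FW I <-> FW II
$IPTABLES -A FW_X-output -o $FW_X -p icmp -d $FIREWALL_CONTROL_NET -j ACCEPT

## New chain for output across the loopback device
$IPTABLES -N lo-output
$IPTABLES -F lo-output
## ACCEPT all traffic across loopback device
$IPTABLES -A lo-output -o lo -j ACCEPT


## Firewall FORWARD Chains

# New chain for forwarded traffic that enters or leaves on the external
# interface (FORWARD jumps here for both -i eth0 and -o eth0).  There is no
# terminal rule: unmatched packets return to FORWARD and end in KEEP_STATE.
$IPTABLES -N EXTERNAL-forward
$IPTABLES -F EXTERNAL-forward # Flush chain

## Just DROP all unroutables internal Network.
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_CLIENT_NET -d ! $PROXY_REAL_IP -j DROP
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d 224.0.0.0/8 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_ROUTER_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $INTERNAL_CLIENT_NET -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d 224.0.0.0/8 -j DROP
## Check TCP packets coming in on the external interface for wierd flags
## (TCP from the proxy skips the flag checks entirely)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s ! $PROXY_REAL_IP -j CHECK_FLAGS
#PROXY II may do anything into our network (and the official net may reach it)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -s $PROXY_REAL_IP -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
#remoteuser <-> proxy (real and NAT address), any protocol
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_REAL_IP -s $REMOTEUSER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -d $PROXY_NAT_IP -s $REMOTEUSER_IP -j ACCEPT

#Proxy may ping the router net
$IPTABLES -A EXTERNAL-forward -p icmp -s $PROXY_REAL_IP -d $INTERNAL_ROUTER_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -p icmp -d $PROXY_REAL_IP -s $INTERNAL_ROUTER_NET -j ACCEPT


## These next few serve to block particular ports on the external interface.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --sport 2345 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP

#DNS (the port list also admits SMTP/25 to and from the DNS host)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DNS_IP -m multiport --dport 25,53 -j ACCEPT
#temporary, for Active Directory tests -- exposes the domain controller on 25/53 to anyone
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $DC_IP -m multiport --dport 25,53 -j ACCEPT

#smtp,http,https
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $WEBSERVER_IP1 -m multiport --dport 25,80,443 -j ACCEPT
#webserver may send mail
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 25 -j ACCEPT
#webserver may reach the internet (http only)
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $WEBSERVER_IP1 --dport 80 -j ACCEPT
#multimedia workstation may use ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $MMWKS_IP -m multiport --dport 20,21 -j ACCEPT
#virtual machine may use http and ftp
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $VM_IP -m multiport --dport 20,21,80,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $VM_IP -m multiport --dport 20,21 -j ACCEPT
#SAP-router (as the variables are set, SAP_ROUTER1_IP is the same host as WEBSERVER_IP1)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT

#Proxy
## NOTE(review): the "--sport" variants accept packets to the proxy on ANY
## destination port as long as the sender chose one of these source ports;
## the sender controls its source port, so this is not a real restriction.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 20,21,80,81,82,86,100,443 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 20,21,80,81,82,86,100,443 -j ACCEPT
#Proxy, ports above 5000 (same --sport caveat as above)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $PROXY_REAL_IP -m multiport --sport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $PROXY_REAL_IP -m multiport --dport 5800,5900,7100,8010,8082,8099,8200,8500,8800,8900,8080,9030,9032 -j ACCEPT
#Proxy to partner on extra ports
## (the -i variant only matters if PARTNER_NET is reached through an internal interface)
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $PARTNER_NET -s $PROXY_REAL_IP -m multiport --dport 5631,5632 -j ACCEPT

#citrix to customer -- "-o eth1" in this chain only matches packets that entered on eth0
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $INTERNAL_ET -p tcp -d $KUNDE_IP -s $INTERNAL_CLIENT_NET -j ACCEPT
#pcAnywhere from Comp99
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $PCANYWERE_IP --dport 8000:8100 -j ACCEPT
#Proxy may ping (rate-limited echo requests in both directions)
#$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-typ 8 -d 0/0 -s PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d 0/0 -s $PROXY_REAL_IP -j ACCEPT

#SAP-router, remaining direction/port combinations
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER1_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER1_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s 0/0 -d $SAP_ROUTER2_IP --sport 3200:3399 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d 0/0 -s $SAP_ROUTER2_IP --dport 3200:3399 -j ACCEPT

#KUNDE2 (customer 2) telnet to/from the whole official net
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE2_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE2_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Access to the PMC development system
## NOTE(review): the DROP for port 80 comes first and is terminating, so the
## ACCEPT for port 80 below is dead; only 8001 is reachable.  Remove one or
## the other once the intended behaviour is confirmed.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j DROP
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 8001 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $INTERNAL_PMC_IP --dport 80 -j ACCEPT
#PMC may reach the terminal server outside (unrestricted outbound)
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_PMC_IP -j ACCEPT

#KUNDE3 SSH + VNC (inbound is matched on SOURCE port -- see the proxy note above)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $KUNDE_IP -d $INTERNAL_OFFICIAL_NET -m multiport --sport 5800,5801,5900,5901,10022,10122 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $KUNDE_IP -s $INTERNAL_OFFICIAL_NET -m multiport --dport 5800,5801,5900,5901,10022,10122 -j ACCEPT
#Telnet to XM2
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
#Access to SAPIIS on port 8800
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s 0/0 -d $SAP_IIS_IP --dport 8800 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d 0/0 -s $SAP_IIS_IP --sport 8800 -j ACCEPT
##Timeservice
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $PROXY_NAT_IP --dport 123 -j ACCEPT
#$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $PROXY_NAT_IP --dport 123 -j ACCEPT
#Timeservice
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s 0/0 -d $TIMESERVER_IP --dport 123 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -d 0/0 -s $TIMESERVER_IP --dport 123 -j ACCEPT

#SSH_WKS may use ssh outbound; inbound on 22222/33333 from anywhere
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p tcp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $INTERNAL_TR -p udp -s $SSH_WKS_IP -d 0/0 -m multiport --dport 22,22000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $SSH_WKS_IP -s 0/0 -m multiport --dport 22222,33333 -j ACCEPT

#REMOTEUSER net to proxy, any protocol
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $REMOTEUSER_NET -d $PROXY_NAT_IP -j ACCEPT
#REMOTE USER into our network
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT

# remote dynamic IP of Ebner and Martin into our network
# NOTE(review): uses the same REMOTEUSER_IP as the rule above, so it is a
# no-op as written -- presumably a separate address was intended; confirm.
$IPTABLES -A EXTERNAL-forward -p tcp -s $REMOTEUSER_IP -d $INTERNAL_OFFICIAL_NET -m multiport --dport 80,443,3200,3201,3203,3040,3299,8080,8200,8500,8800,8801,8804,8900,9000 -j ACCEPT

#private clients to proxy, any protocol
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -s $INTERNAL_CLIENT_NET -d $PROXY_NAT_IP -j ACCEPT

#VPN-Service (GRE + PPTP 1723 + L2TP/IPsec-related UDP)
## NOTE(review): the "--sport 1723" and "--sport 53,500,1863,4000,5000" rules
## admit any destination port on the VPN host for a peer that picks those
## source ports; matching on --dport is what restricts the service.
#inbound from external
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p 47 -d $VPN_IP -s 0/0  -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -d $VPN_IP -s 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p udp -d $VPN_IP -s 0/0 --dport 1701 --sport 1701 -j ACCEPT
#outbound to external
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p 47 -s $VPN_IP -d 0/0  -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --sport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -s $VPN_IP -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 -m multiport --sport 53,500,1863,4000,5000 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p udp -s $VPN_IP -d 0/0 --dport 1701 --sport 1701 -j ACCEPT

#IT workstation: unrestricted outbound (as configured this is also ROUTER_IP)
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -s $INTERNAL_IT_WKS1 -d 0/0 -j ACCEPT

#External router: telnet to/from the whole official net
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p tcp -s $EXTERNAL_ROUTER_IP -d $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT
$IPTABLES -A EXTERNAL-forward -o $EXTERNAL -p tcp -d $EXTERNAL_ROUTER_IP -s $INTERNAL_OFFICIAL_NET --dport 23 -j ACCEPT

## ICMP Stuff, we're going to allow some ICMP.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -f -p icmp -j DROP
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

# Accept ping only for our Inernet watched hosts and routers CS 8.8.2001
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $TIMESERVER_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -s $PROXY_NAT_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $VPN_IP -j ACCEPT
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -d $EXTERNAL_ROUTER_IP -j ACCEPT
## Shadowed: the unlimited ACCEPT for the timeserver above matches first, so
## this rate limit never applies.  Drop the unlimited rule if the limit is wanted.
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -d $TIMESERVER_IP -j ACCEPT
## TTL Exceeded (traceroute)
# $IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
## DROP all icmp network broadcasts
## This may actually break things in a few cases
$IPTABLES -A EXTERNAL-forward -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP

############################################################################
#
## New chains for forwarded traffic entering on the internal interfaces
#
$IPTABLES -N INTERNAL_ET-forward
$IPTABLES -F INTERNAL_ET-forward
$IPTABLES -N INTERNAL_TR-forward
$IPTABLES -F INTERNAL_TR-forward

## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $PROXY_REAL_IP -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER2_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER3_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER4_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_ET-forward -i $INTERNAL_ET -s $INTERNAL_ROUTER5_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_CLIENT_NET -d $INTERNAL_OFFICIAL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_CLIENT_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER2_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER3_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER4_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -i $INTERNAL_TR -s $INTERNAL_OFFICIAL_NET -d $INTERNAL_ROUTER5_NET -j ACCEPT

#internal FX allow
## NOTE(review): these sit in INTERNAL_TR-forward, which FORWARD only enters
## for "-i tr0", so the "-i eth2" rule can never match there; FORWARD has no
## jump for eth2 at all.  Confirm whether FW_X forwarding is wanted.
$IPTABLES -A INTERNAL_TR-forward -i $FW_X -s $FIREWALL_CONTROL_NET -j ACCEPT
$IPTABLES -A INTERNAL_TR-forward -o $FW_X -d $FIREWALL_CONTROL_NET -j ACCEPT
############################################################################
#
## New chain for forwarded traffic from the loopback interface
$IPTABLES -N lo-forward
$IPTABLES -F lo-forward
## Accept packets to the loopback interface
$IPTABLES -A lo-forward -i lo -j ACCEPT


############################################################################
#
## Main Stuff
############################################################################
#
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL_TR -j INTERNAL_TR-input
$IPTABLES -A INPUT -i $INTERNAL_ET -j INTERNAL_ET-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A INPUT -i $FW_X -j FW_X-input
$IPTABLES -A INPUT -i lo -j lo-input
## mirror everything else
## NOTE(review): MIRROR swaps source and destination and sends the packet
## back, i.e. the firewall answers unsolicited traffic, including packets with
## spoofed sources, on behalf of the sender.  The target has also been gone
## from the kernel for a long time, so on a current system this line fails
## and the script continues (no "set -e"); the effective result is DROP by
## policy.  Recommend removing it.
$IPTABLES -A INPUT -i $EXTERNAL -s ! $PROXY_REAL_IP -j MIRROR
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL_TR -j INTERNAL_TR-output
$IPTABLES -A OUTPUT -o $INTERNAL_ET -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $FW_X -j FW_X-output
$IPTABLES -A OUTPUT -o lo -j lo-output
## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new connection.
## Order: outbound state check first, then the per-interface chains, then the
## state check again for everything that returned unmatched.
$IPTABLES -A FORWARD -o $EXTERNAL -j KEEP_STATE
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-forward
$IPTABLES -A FORWARD -i $INTERNAL_TR -j INTERNAL_TR-forward
$IPTABLES -A FORWARD -i $INTERNAL_ET -j INTERNAL_ET-forward
$IPTABLES -A FORWARD -j KEEP_STATE

############################################################################
#
## More Stuff:
############################################################################
#
## Rule to mangle TOS values (locally generated traffic only)
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay #16 #0x10
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos Maximize-Throughput #8 #0x08
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos Maximize-Throughput #8 #0x08
### END FIREWALL RULES ###

############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
install_nat_rules
### END NAT RULES ###

############################################################################
###
## Additional Kernel Configuration
############################################################################
###
## - Enable IP Forwarding (only "start" touches this; "close"/"open" leave it)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
else
  echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist" >&2
  echo "(This could be a potential problem)" >&2
fi
echo "FIREWALL is alive"
touch /var/lock/subsys/firewall
RETVAL=0
;;

close)
echo "FIREWALL will close all extended interfaces "
#allow trafic between firewalls
## NOTE(review): INTERNAL_ET-input / INTERNAL_ET-output are created empty,
## so traffic on the FW_X link still ends in the DROP policy; only loopback
## passes.  If the link to the second firewall is meant to stay open, the
## accept rules are missing here.
## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -N INTERNAL_ET-input
$IPTABLES -F INTERNAL_ET-input
$IPTABLES -N INTERNAL_ET-output
$IPTABLES -F INTERNAL_ET-output
$IPTABLES -N lo-input
$IPTABLES -F lo-input
$IPTABLES -N lo-output
$IPTABLES -F lo-output

$IPTABLES -A lo-input -i lo -j ACCEPT
$IPTABLES -A lo-output -o lo -j ACCEPT

$IPTABLES -A INPUT -i $FW_X -j INTERNAL_ET-input
$IPTABLES -A INPUT -i lo -j lo-input
$IPTABLES -A OUTPUT -o $FW_X -j INTERNAL_ET-output
$IPTABLES -A OUTPUT -o lo -j lo-output

RETVAL=0
;;

open)

echo ""
echo "!!!!  FIREWALL will open all interfaces !!!!!"
echo "not for normal use"
echo ""
#allow trafic between firewalls
## Set Default Policies: everything passes; KEEP_STATE and CHECK_FLAGS exist
## but nothing jumps to them.  NAT stays in place so the proxy keeps working.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#######################################################
## NAT (same rules as "start")
#######################################################
install_nat_rules


RETVAL=0

;;

*)
## Any other argument: by the time we get here the chains are already
## flushed and the policies set to DROP (see the top of the script), so
## report the mistake instead of exiting 0 as if nothing happened.
echo "Usage: $0 {start|close|open}" >&2
RETVAL=1
;;

esac

exit $RETVAL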
