#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides:          ip6t-firewall
# Required-Start:    $local_fs $remote_fs $syslog $network $time
# Required-Stop:     $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: IPv6 Firewall
### END INIT INFO

CONFIG_DIR="/etc/ipt-firewall"
CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf"

if [[ -z "$fail2ban_client" ]]; then
   fail2ban_client="$(which fail2ban-client)"
fi


# ------------- Load Kernel Modules -------------
#
# Load appropriate modules.
if ! $host_is_vm ; then
   /sbin/modprobe ip6_tables
   /sbin/modprobe ip6table_filter
   /sbin/modprobe ip6t_REJECT
fi
#
# ------------- End: Load Kernel Modules -------------


echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
echo

## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------

if [[ -f "$CONFIG_FILE" ]]; then
   source $CONFIG_FILE
else
   echo
   echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
   echo
   exit 1
fi


# -------------
# --- Activate IP Forwarding
# -------------

if ! $host_is_vm ; then

   # ---
   # - Disable ip forwarding between interfaces
   # ---
   if $kernel_forward_between_interfaces ; then
      echononl "\tActivate Forwarding.."
      echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
   else
      echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
      echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
   fi

   echo_done

fi

# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------

echononl "\tAdjust Kernel Parameters (Security/Tuning).."

if ! $host_is_vm ; then

   # ---
   # - Deactivate Source Routed Packets
   # ---
   for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do
      if $kernel_deactivate_source_route ; then
         echo 0 > $asr
      fi
   done


   # ---
   # -  Deactivate sending ICMP redirects
   # ---
   if $kernel_dont_accept_redirects ; then
      echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects
   fi

   echo_done # Adjust Kernel Parameters (Security/Tuning)
else
   echo_skipped

fi # if ! $host_is_vm


# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_client" ]; then
   echononl "\tStopping fail2ban.."
   $fail2ban_client stop > /dev/null 2>&1
   if [ "$?" = "0" ];then
      echo_done
   else
      echo_warning
   fi
fi
#
# ------------- Ende: Stop Fail2Ban if installed -------------


# -------------
# --- Set default policies / Flush Rules
# -------------


echo
echononl "\tFlushing firewall iptable (IPv6).."

# - default policies
# -
$ip6t -P INPUT ACCEPT
$ip6t -P OUTPUT ACCEPT
$ip6t -P FORWARD ACCEPT

## - flush chains
## -
$ip6t -F
$ip6t -F INPUT
$ip6t -F OUTPUT
$ip6t -F FORWARD
$ip6t -F -t mangle
$ip6t -F -t nat
$ip6t -F -t raw
$ip6t -X
$ip6t -Z

echo_done # Flushing firewall iptable (IPv6)..
echo



# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------

echononl "\tDo not firewall bridged traffic"
if $do_not_firewall_bridged_traffic ; then

   # - Matches if the packet is being bridged and therefore is not being routed.
   # - This is only useful in the FORWARD and POSTROUTING chains.
   # -
   $ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

   # - Matches if the packet has entered through a bridge interface.
   # -
   $ip6t -I FORWARD -m physdev --physdev-is-in -j ACCEPT
   # - Matches if the packet will leave through a bridge interface.
   # -
   $ip6t -I FORWARD -m physdev --physdev-is-out -j ACCEPT

   echo_done
else
   echo_skipped
fi
echo



# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------

case $1 in
   flush)
      echo
      echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m"
      echo
      exit 0;;
esac



# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------

if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
   echononl "\tPass through Devices (not firewalled)"
   for _dev in ${unprotected_if_arr[@]} ; do
      if $log_unprotected || $log_all ; then
         $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
      fi
      $ip6t -A INPUT -i $_dev -j ACCEPT
      $ip6t -A OUTPUT -o $_dev -j ACCEPT
      $ip6t -A FORWARD -i $_dev -j ACCEPT
      $ip6t -A FORWARD -o $_dev -j ACCEPT
   done
   echo_done
fi



# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."


# ---
# - Block IPs
# ---

for _ip in $blocked_ips ; do
   for _dev in ${ext_if_arr[@]} ; do
      if $log_blocked_ip || $log_all ; then
         $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
         if $kernel_forward_between_interfaces ; then
            $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
         fi
      fi
      $ip6t -A INPUT -i $_dev -s $_ip -j DROP
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -i $_dev -s $_ip -j DROP
      fi
   done
done


# ---
# - Block Interfaces
# ---

for _if in ${blocked_if_arr[@]} ; do
   if $log_blocked_if || $log_all ; then
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
         $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
      fi
      $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
      $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
   fi
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -i $_if -j DROP
      $ip6t -A FORWARD -o $_if -j DROP
   fi
   $ip6t -A INPUT -i $_if -j DROP
   $ip6t -A OUTPUT -o $_if -j DROP
done

echo_done # Block IPs / Networks / Interfaces..



# ---
# - Block IPs/Netwoks reading from file 'ban_ipv6.list'"
# ---

echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv6.list' .."

if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then

	declare -a ban_ipv6_arr=()
   declare -a no_valid_ipv6=()

	# Regex valid ipv6 address
	#
	_regex_ipv6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$'

   while IFS='' read -r _line || [[ -n $_line ]] ; do

		is_valid_ipv6=false
		is_valid_mask=false
      ipv6=""
      mask=""
 
      # Ignore comment lines
      #
      [[ $_line =~ ^[[:space:]]{0,}# ]] && continue

      # Ignore blank lines
      #
      [[ $_line =~ ^[[:space:]]*$ ]] && continue

      # Remove leading whitespace characters
      #
      _line="${_line#"${_line%%[![:space:]]*}"}"


      # Catch ipv6 Address
      #
      given_ipv6="$(echo  $_line | cut -d ' ' -f1)"


      # Splitt ipv6 address from possible given CIDR number
      #
      IFS='/' read -ra _addr <<< "$given_ipv6"
      ipv6="${_addr[0]}"

		# Test mask if given
		# 
      if [[ -n "${_addr[1]}" ]] ; then
         mask="${_addr[1]}"

         # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
         #
         if $(test -z "${mask##*[!0-9]*}" > /dev/null 2>&1) ; then

            # Its not a vaild mask number, but naybe a valit netmask.
            #
				no_valid_ipv6_arr+=("$given_ipv6")
            
         else
            if [[ $mask -gt 128 ]]; then

               # Its not a vaild cidr number, but naybe a valit netmask.
               #
					no_valid_ipv6_arr+=("$given_ipv6")
				else
					is_valid_mask=true
            fi
         fi
      else
         mask=64
			is_valid_mask=true
      fi

		# Check if given ipv6 address is valif
		if [[ "$ipv6" =~ ${_regex_ipv6} ]]; then
			is_valid_ipv6=true
		fi

		
		if $is_valid_ipv6 && $is_valid_mask; then

         _ip="${ipv6}/${mask}"

			if containsElement "$_ip"  "${ban_ipv6_arr[@]}" ; then
				continue
			fi

         for _dev in ${ext_if_arr[@]} ; do
            if $log_blocked_ip || $log_all ; then
               $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
               if $kernel_activate_forwarding ; then
                  $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
               fi
            fi

            $ip6t -A INPUT -i $_dev -s $_ip -j DROP
            if $kernel_activate_forwarding ; then
               $ip6t -A FORWARD -i $_dev -s $_ip -j DROP
            fi
         done

			ban_ipv6_arr+=("$_ip")

      else
			if ! containsElement "$given_ipv6"  "${no_valid_ipv6_arr[@]}" ; then
         	no_valid_ipv6_arr+=("$given_ipv6")
			fi
      fi

   done < "${CONFIG_DIR}/ban_ipv6.list"
   echo_done

   if [[ ${#no_valid_ipv6_arr[@]} -gt 0  ]]; then
      warn "Ignored: ${no_valid_ipv6_arr[@]}"
   fi
else
   echo_skipped
fi


# ---
# - Allow Forwarding certain private Addresses
# ---

if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
   echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
   for _ip in ${forward_private_ip_arr[@]}; do
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -d $_ip -j ACCEPT
         $ip6t -A FORWARD -s $_ip -j ACCEPT
         echo_done
      else
         echo_skipped
      fi
   done
fi
   


# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."


# ---
# - Protection against syn-flooding
# ---

$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
   $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
fi
$ip6t -A syn-flood -j DROP


# ---
# - drop new packages without syn flag
# ---

if $log_new_not_sync || $log_all  ; then
   $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j  LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   fi
fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_forward_between_interfaces ; then
   $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi


# ---
# - drop invalid packages
# ---

if $log_invalid_state || $log_all  ; then
   $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
   fi
fi
$ip6t -A INPUT -m state --state INVALID -j DROP
if $kernel_forward_between_interfaces ; then
   $ip6t -A FORWARD -m state --state INVALID -j DROP
fi


# ---
# - ungewöhnliche Flags verwerfen
# ---

for _dev in ${ext_if_arr[@]} ; do
   if $log_invalid_flags || $log_all ; then
      $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
      $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
      $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
      fi
   fi
   $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
   $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
   $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
      $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
      $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
   fi
done


# ---
# - Refuse private addresses on extern interfaces
# ---

# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
   for _ip in ${ext_ip_arr[@]} ; do
      $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
      fi
   done
fi
for _ip in ${ext_ip_arr[@]} ; do
   $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
   if $kernel_forward_between_interfaces ; then
      $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
   fi
done


# - private Adressen auf externen interface verwerfen
for _dev in ${ext_if_arr[@]} ; do
   if $log_spoofed || $log_all ; then
      $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
      $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
         $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
      fi
   fi
   $ip6t -A INPUT -i $_dev -s $ula_block -j DROP
   $ip6t -A INPUT -i $_dev -s $loopback -j DROP
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
      $ip6t -A FORWARD -i $_dev -s $loopback -j DROP
   fi

   # Don't allow spoofing from that server
   $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
   $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
      $ip6t -A FORWARD -o $_dev -s $loopback -j DROP
   fi
done

echo_done



# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------

case $1 in
   sto*)
      #echononl "Stopping firewall iptable (IPv6).."
      echo
      echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
      echo
      exit 0;;
esac


echo

# -------------
# --- Traffic Counter (used by munin)
# -------------

echononl "\tCreate Traffic Counter (used by munin)"
if $create_traffic_counter ; then
   for _ip in ${ext_ip_arr[@]} ; do
      $ip6t -A INPUT -d $_ip
      $ip6t -A INPUT -s $_ip
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -d $_ip
         $ip6t -A FORWARD -s $_ip
      fi
   done
   echo_done
else
   echo_skipped
fi


# -------------
# --- iPerf
# -------------

# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. 
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, 
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.

echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
   $ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT
   $ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT
   #
   $ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT
   $ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT
      $ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT
   fi
   echo_done
else
   echo_skipped
fi


# -------------
# --- Generally prohibited
# -------------

echononl "\tGenerally prohibited traffic.."

for _dev in ${ext_if_arr[@]} ; do
   if $log_prohibited || $log_all ; then
      for _port in ${block_tcp_port_arr[@]} ; do
         $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
      done
      if $kernel_forward_between_interfaces ; then
         for _port in ${block_tcp_port_arr[@]} ; do
            $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
         done
         for _port in ${block_udp_port_arr[@]} ; do
            $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
         done
      fi
   fi
   for _port in ${block_tcp_port_arr[@]} ; do
      $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP
   done
   for _port in ${block_udp_port_arr[@]} ; do
      $ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP
   done
   if $kernel_forward_between_interfaces ; then
      for _port in ${block_tcp_port_arr[@]} ; do
         $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP
      done
   fi
done

echo_done
echo
 
 
# ------------- 
# --- Traffic generally allowed 
# ------------- 
 
echononl "\tLoopback device generally allowed.." 
 
# --- 
# - Loopback device 
# --- 
 
$ip6t -A INPUT -i lo -j ACCEPT 
$ip6t -A OUTPUT -o lo -j ACCEPT 
 
echo_done


# ---
# - Already established connections
# ---

echononl "\tAccept already established connections.."

$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_forward_between_interfaces ; then
   $ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

echo_done


# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
   $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
   $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
      $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
   fi
done
echo_done

echo


# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------

echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then

   _deny_service_arr=()

   for _val in "${restrict_local_service_to_net_arr[@]}" ; do
      IFS=',' read -a _val_arr <<< "${_val}"

      for _dev in ${ext_if_arr[@]} ; do
         $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT

         if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
            _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}")
         fi
      done

   done

   for _val in "${_deny_service_arr[@]}" ; do
      IFS=',' read -a _val_arr <<< "${_val}"
      $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
   done

   echo_done
else
   echo_skipped
fi


# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then

   _deny_net_arr=()
   
   for _val in "${restrict_local_net_to_net_arr[@]}" ; do
      IFS=',' read -a _val_arr <<< "${_val}"
      for _dev in ${ext_if_arr[@]} ; do
         $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT

         if ! containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
            _deny_net_arr+=("${_dev},${_val_arr[1]}")
         fi
      done

   done

   for _val in "${_deny_net_arr[@]}" ; do
      IFS=',' read -a _val_arr <<< "${_val}"
      $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
   done

   echo_done
else
   echo_skipped
fi


# -------------
# --- Services
# -------------

echo
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"


# -------------
# ---- Allow extern Service 
# -------------

echononl "\t\tAllow extern Service"

if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_ext_service_arr[@]}" ; do
         IFS=',' read -a _val_arr <<< "${_val}"
         $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# -------------
# ---- Allow extern IP-Address/Network
# -------------

echononl "\t\tAllow extern IP-Address/Network"

if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _net in "${allow_ext_net_arr[@]}" ; do
         $ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi

echo


# -------------
# ---- Allow (non-standard) local Services 
# -------------

echononl "\t\tAllow (non-standard) local Services"

if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_local_service_arr[@]}" ; do
         IFS=':' read -a _val_arr <<< "${_val}"
         $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi

echo


# ---
# - DHCP
# ---

echononl "\t\tDHCP"

if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
   for _dev in ${dhcp_if_arr[@]} ; do
      # - in
      $ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
      # - out
      $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi
   

   
# ---
# - DNS out only
# ---

echononl "\t\tDNS out only"

# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
   # - out from local and virtual mashine(s)
   $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT

   # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
   if $kernel_forward_between_interfaces ; then
      # - forward from virtual mashine(s)
      $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
      $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
   fi
done

echo_done



# ---
# - DNS Service
# ---

echononl "\t\tDNS Service"

if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${dns_server_ips[@]} ; do
         # dns requests
         #
         # Note:
         #    If the total size of the DNS record is larger than 512 bytes, 
         #    it will be sent over TCP, not UDP.
         #
         $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
         $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
         # Zonetransfer
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi
      
   if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_dns_server_ip_arr[@]} ; do
         # dns requests
         #
         # Note:
         #    If the total size of the DNS record is larger than 512 bytes, 
         #    it will be sent over TCP, not UDP.
         #
         $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
         $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
         # Zonetransfer
         $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi
   echo_done
else
   echo_skipped
fi


# ---
# - SSH out only
# ---

echononl "\t\tSSH out only"

# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
   fi
done

for _dev in ${local_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
done

echo_done


# ---
# - SSH Service
# ---

echononl "\t\tSSH Service"

if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${ssh_server_ip_arr[@]} ; do
         for _port in ${ssh_port_arr[@]} ; do
            $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_ssh_server_ip_arr[@]} ; do
         for _port in ${ssh_port_arr[@]} ; do
            $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - VPN
# ---

echononl "\t\tVPN Service only out"
if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then

   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${vpn_port_arr[@]} ; do
         $ip6t -A OUTPUT -o $_dev -p udp --dport $_port  -m state --state NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi

echononl "\t\tVPN Services.."
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${vpn_server_ip_arr[@]} ; do
         for _port in ${vpn_port_arr[@]} ; do
            $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_vpn_server_ip_arr[@]} ; do
         $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Rsync Out
# ---

echononl "\t\tRsync (only OUT)"

if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
      for _port in ${rsync_port_arr[@]} ; do

         for _ip in ${rsync_out_ip_arr[@]} ; do
            $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
         done

      done
   fi

   if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _port in ${rsync_port_arr[@]} ; do

         for _ip in ${forward_rsync_out_ip_arr[@]} ; do
            $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
         done

      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Telnet
# ---

echononl "\t\tTelnet (only OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
   fi
done

echo_done


# ---
# - MySQL
# ---

echononl "\t\tMySQL (only OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
   fi
done

echo_done


# ---
# - Munin remote service
# ---

echononl "\t\tMunin remote service"

if [ "X$munin_remote_ip" != "X" ]; then
   for _dev in ${ext_if_arr[@]} ; do
      $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
      if $kernel_forward_between_interfaces ; then
         $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Munin local service
# ---

echononl "\t\tMunin local service"


if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${munin_server_ip_arr[@]} ; do
         $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_munin_server_ip_arr[@]} ; do
         $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Mail (SMTP OUT)
# ---

echononl "\t\tMail (SMTP OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
   fi
done

echo_done


# ---
# - Mail SMTP Server (Port 25) including Spam Control
# ---

echononl "\t\tMail SMTP Server (Port 25) including Spam Control"

if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then

      for _ip in ${smtpd_ips_arr[@]} ; do
         $ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
         #
         # Razor2  (TCP Port 2703)
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
         # DEPRECATED: TCP Port 7 (echo)
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
         #
         # Pyzor (UDP Port 24441 or  TCP Port 24441 or both ?)
         $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
         #
         # - DCC  (port udp:6277)
         $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277  -m state --state NEW  -j ACCEPT
         # if DCC Server is running (port tcp:6277)
         $ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
      done
   fi

   if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_smtpd_ip_arr[@]} ; do
         $ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
         #
         # Razor2  (TCP Port 2703)
         $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
         # DEPRECATED: TCP Port 7 (echo)
         $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
         #
         # Pyzor (UDP Port 24441 or  TCP Port 24441 or both ?)
         $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
         $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
         #
         # DCC  (port udp:6277)
         $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277  -m state --state NEW  -j ACCEPT
         # if DCC Server is running (port tcp:6277)
         $ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
         $ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# -  Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---

echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"

if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
      for _ip in ${mail_server_ips_arr[@]} ; do
         # mail ports 
         #
         $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
      done
   fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]

   if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_mail_server_ip_arr[@]} ; do
         # mail ports 
         #
         $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
      done
   fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then

   echo_done
else
   echo_skipped
fi


# ---
# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
# ---

echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"

if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
      for _ip in ${mail_client_ips_arr[@]} ; do
         # mail ports 
         #
         $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
      done
   fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]

   if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_mail_client_ip_arr[@]} ; do
         # mail ports 
         #
         $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
      done
   fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then

   echo_done
else
   echo_skipped
fi


# ---
# - HTTP(S) OUT
# ---

echononl "\t\tHTTP(S) out only"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
   fi
done

echo_done


# ---
# - HTTP(S) (local) Webserver
# ---

echononl "\t\tHTTP(S) (local) Webserver"

if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]]  ; then

   if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${http_server_ip_arr[@]} ; do
         $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
      done

      if  [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
         for _ip in ${forward_http_server_ip_arr[@]} ; do
            $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
         done
      fi
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - FTP out only"
# ---

echononl "\t\tFTP out only (using CT target)"

# - (Re)define helper
# -
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

# - Used for different ftpdata recent lists 'ftp6data_out_$j'
# -
declare -i j=1

for _dev in ${ext_if_arr[@]} ; do
   
   # - (1)
   # -
   # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
   # -
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
      -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT

	# - (2)
	# -    - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
	# -      and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
	# -
	# -    - If matched, the "last seen" timestamp of the destination address will be updated (--update).
	# -
	# -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
	# -
	$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
		-m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT

	((j++))

   # - Accept (helper ftp) related connections
   # -
   $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT

done

echo_done


#echononl "\t\tFTP out only"
#
#for _dev in ${ext_if_arr[@]} ; do
#   # (Datenkanal aktiv)
#   $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
#   # (Datenkanal passiv)
#   $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#   # (Kontrollverbindung)
#   $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
#   if $kernel_forward_between_interfaces ; then
#      # (Datenkanal aktiv)
#      $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
#      # (Datenkanal passiv)
#      $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#      # (Kontrollverbindung)
#      $ip6t -A FORWARD -o $_dev -p tcp  --dport 21 -m state --state NEW -j ACCEPT
#   fi
#done
#
#echo_done


# ---
# - FTP Server"
# ---

echononl "\t\tFTP Server (using CT target)"

if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]]  ; then

   # - Used for different ftpdata recent lists 'ftpdata_$i'
   # -
   declare -i i=1

   # - (Re)define helper
   # -
   # - !! Note: !!
   # -    for both, local FTP server (ftp_server_ip_arr) 
   # -    and forward to FTP server (forward_ftp_server_ip_arr)
   # -
   $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

   if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then

      for _ip in ${ftp_server_ip_arr[@]} ; do

         # =====
         # -
         # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
         # - ======================================================
         # -
         # - Workaround:
         # -    (1) add source ip to a 'recent list' named 'ftpdata_$i!  if ftp control connections appear
         # -    (2) accept packets of the formaly created recent list 'ftpdata_$i!
         # -
         # =====

         # - (1)
         # -
         # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
         # -
         $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT

         # - (2)
         # -    - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
         # -      source ip-address was seen within the last 1800 seconds (--seconds 1800).
         # -
         # -    - If matched, the "last seen" timestamp of the source address will be updated (--update).
         # -
         # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
         # - 
         $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
            -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT

         # - Accept (helper ftp) related connections
         # -
         $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT

         ((i++))

      done
   fi

   if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then

      for _ip in ${forward_ftp_server_ip_arr[@]} ; do
      
         # =====
         # -
         # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
         # - ======================================================
         # -
         # - Workaround:
         # -    (1) add source ip to a 'recent list' named 'ftpdata_$i!  if ftp control connections appear
         # -    (2) accept packets of the formaly created recent list 'ftpdata_$i!
         # -
         # =====

         # - (1)
         # -
         # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
         # -
         $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT

         # - (2)
         # -    - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
         # -      source ip-address was seen within the last 1800 seconds (--seconds 1800).
         # -
         # -    - If matched, the "last seen" timestamp of the source address will be updated (--update).
         # -
         # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
         # - 
         $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
            -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
         $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
            -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT

         # - Accept (helper ftp) related connections
         # -
         $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
         $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT

         ((i++))

      done
   fi

   echo_done
else
   echo_skipped
fi


#echononl "\t\tFTP Server"
#
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]]  ; then
#   if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
#      for _ip in ${ftp_server_ip_arr[@]} ; do
#            # (Datenkanal aktiv)
#            $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
#            # Datenkanal (passiver modus)
#            $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#            # - Kontrollverbindung 
#            $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#      done
#   fi
#
#   if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
#      for _ip in ${forward_ftp_server_ip_arr[@]} ; do
#         # (Datenkanal aktiv)
#         $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
#         # Datenkanal (passiver modus)
#         $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#         # - Kontrollverbindung
#         $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#      done
#   fi
#
#   echo_done
#else
#   echo_skipped
#fi


# ---
# - Mumble Service
# ---

echononl "\t\tMumble Service"


if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then
   if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${mumble_server_ip_arr[@]} ; do
         $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
         $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_mumble_server_ip_arr[@]} ; do
         $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
         $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---

echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 37  -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 37  -m state --state NEW -j ACCEPT   
   fi
done

echo_done


# ---
# - NTP out only"
# ---

echononl "\t\tNTP out only"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 123  -m state --state NEW -j ACCEPT
   $ip6t -A OUTPUT -o $_dev -p udp --dport 123  -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 123  -m state --state NEW -j ACCEPT   
      $ip6t -A FORWARD -o $_dev -p udp --dport 123  -m state --state NEW -j ACCEPT   
   fi
done

echo_done


# ---
# - Whois out only
# ---

echononl "\t\tWhois out only"

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p tcp --dport 43  -m state --state NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p tcp --dport 43  -m state --state NEW -j ACCEPT   
   fi
done

echo_done
echo


# ---
# - Special TCP Ports OUT
# ---

echononl "\t\tSpecial TCP Ports OUT"

if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then

   if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then 

      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${tcp_out_port_arr[@]} ; do
            $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port  -m state --state NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${tcp_out_port_arr[@]} ; do
            $ip6t -A FORWARD -o $_dev -p tcp --dport $_port  -m state --state NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Special UDP Ports OUT
# ---

echononl "\t\tSpecial UDP Ports OUT"

if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
   if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${udp_out_port_arr[@]} ; do
            $ip6t -A OUTPUT -o $_dev -p udp --dport $_port  -m state --state NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${forward_udp_out_port_arr[@]} ; do
            $ip6t -A FORWARD -o $_dev -p udp --dport $_port  -m state --state NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi

echo


# ---
# - UNIX Traceroute
# ---

echononl "\t\tUNIX Traceroute"

#   versendet udp packete im gegensatz zu tracert von windows
#   der icmp-echo-request pakete versendet
#   einige implementierungen von traceroute (linux) erm�lichens
#   die option -I und versenden dann ebenfalls icmp-echo-request pakete

for _dev in ${ext_if_arr[@]} ; do
   $ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
   $ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
      $ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
   fi
done

echo_done


# ---
# - Ping
# ---

echononl "\t\tPing"

$ip6t -A INPUT -p ipv6-icmp -j ACCEPT
$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
if $kernel_forward_between_interfaces ; then
   $ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
fi

#for _dev in ${ext_if_arr[@]} ; do
#   $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
#   $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
#   if $kernel_forward_between_interfaces ; then
#      $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
#      $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
#   fi
#done
#for _dev in ${local_if_arr[@]} ; do
#   $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
#   $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
#   if $kernel_forward_between_interfaces ; then
#      $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
#      $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
#   fi
#done

echo_done


# ---
# - log all rejected traffic
# ---

echo
echononl "\tLogging all rejected traffic"

if $log_rejected || $log_all ; then
   #$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   #$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   $ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   $ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   if $kernel_forward_between_interfaces ; then
      #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
      $ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
   fi
   echo_done
else
   echo_skipped
fi


# ---
# - Drop all other
# ---

echo
echononl "\tDrop all other on all interfaces"

$ip6t -A INPUT -j DROP
$ip6t -A OUTPUT -j DROP
$ip6t -A FORWARD -j DROP

echo_done



# -------------
# ------------- Start Fail2Ban if installed
# -------------

if [ -x "$fail2ban_client" ]; then
   echo
   echononl "\tStarting fail2ban.."
   $fail2ban_client start > /dev/null 2>&1
   if [ "$?" = "0" ];then
      echo_done
   else
      echo_failed
   fi
fi

echo
exit 0

