#!/usr/bin/env bash

### BEGIN INIT INFO
# Provides:          ipt-firewall
# Required-Start:    $local_fs $remote_fs $syslog $network $time
# Required-Stop:     $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO


# -------------
# - Settings
# -------------

ipt_conf_dir="/etc/ipt-firewall"

inc_functions_file="${ipt_conf_dir}/include_functions.conf"

load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf

conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf

# -------------
# - Some checks and preloads..
# -------------

ipt=$(which iptables)

if [[ -z "$ipt" ]] ; then
   echo ""
   echo -e "\tiptables was not found on this server!"
   echo
   echo -e "\tFirewall Script was stopped!"
   echo
   exit 1
fi

if [[ ! -f "$inc_functions_file" ]] ; then
   echo ""
   echo -e "\tMissing include file '$inc_functions_file'"
   echo
   echo -e "\tFirewall Script was stopped!"
   echo
   exit 1
else
   source $inc_functions_file
fi

if [[ ! -f "$load_modules_file" ]]; then
   warn "No modules for loading configured. Missing file '$load_modules_file'!"
else

   while read -r module ; do
      if ! lsmod | grep -q -E "^$module\s+" ; then
         /sbin/modprobe  $module > /dev/null 2>&1
         if [[ "$?" != "0" ]]; then
            warn "Loading module '$module' failed!"
         fi
      fi
   done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)

fi

if [[ ! -f "$conf_logging" ]]; then
   fatal "Missing configuration for logging - file '$conf_logging'"
else
   source $conf_logging
fi

if [[ ! -f "$conf_default_ports" ]]; then
   fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
   source $conf_default_ports
fi

if [[ ! -f "$conf_interfaces" ]]; then
   fatal "Missing interface configurations  - file '$conf_interfaces'"
else
   source $conf_interfaces
fi

if [[ ! -f "$conf_main" ]]; then
   fatal "Missing main configurations  - file '$conf_main'"
else
   source $conf_main
fi

if [[ ! -f "$conf_post_declarations" ]]; then
   fatal "Missing post declarations  - file '$conf_post_declarations'"
else
   source $conf_post_declarations
fi


echo
if $terminal ; then
   echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
else
   echo "Starting firewall iptables (IpV4).."
fi
echo


# -------------
# --- Activate IP Forwarding
# -------------

## - IP Forwarding aktivieren/deaktivieren. 
## -
## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen. 
## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen, 
## - weil hiermit auch andere (de)aktiviert werden.
## -
if $kernel_activate_forwarding ; then
   echo 1 > /proc/sys/net/ipv4/ip_forward
   echononl "\tActivate Forwarding.."
   echo_done
else
   echo 0 > /proc/sys/net/ipv4/ip_forward
   echononl "\t\033[33m\033[1mDisable Forwarding.."
   echo_done
fi

if $kernel_support_dynaddr ; then
   echononl "\tActivate kernel support for dynamic addresses.."
   if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
      echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
      echo_done
   else
      echo_failed
   fi
else
   echo 0 > /proc/sys/net/ipv4/ip_dynaddr
   echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
   echo_done
fi

# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------

echononl "\tAdjust Kernel Parameters (Security/Tuning).."

if $adjust_kernel_parameters ; then
   ## - Reduce DoS'ing ability by reducing timeouts
   ## -
   if $kernel_reduce_timeouts ; then
      echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
      echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
      echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
      echo 0 > /proc/sys/net/ipv4/tcp_sack
   fi

   ## - SYN COOKIES
   ## -
   if  $kernel_tcp_syncookies ; then
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
      echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
      echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
   fi

   ## - Protection against ICMP bogus error responses
   ## -
   if $kernel_protect_against_icmp_bogus_messages ; then
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   fi

   ## - Ignore Broadcast Pings
   ## - 
   if $kernel_ignore_broadcast_ping ; then
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   fi

   ## - Deactivate Source Routed Packets
   ## - 
   if $kernel_deactivate_source_route ; then
      for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
         echo 0 > $asr
      done
   fi

   ## - Deactivate sending ICMP redirects
   ## -
   if ! $telekom_internet_tv ; then
      if $kernel_dont_accept_redirects ; then
         for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
            echo 1 > $rp_filter
         done
      else
         for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
            echo 0 > $rp_filter
         done
      fi
   fi

   ## - Logging of spoofed (source routed" and "redirect") packets
   ## -
   if $kernel_log_martians ; then
      echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
   fi

   echo_done # Adjust Kernel Parameters (Security/Tuning)
else
   echo_skipped
fi


# -------------
# --- Set default policies / Flush Rules
# -------------

echo
echononl "\tFlushing firewall iptable (IPv4).."

# - default policies
# -
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT

## - flush chains
## -
$ipt -F
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -F -t mangle
$ipt -F -t nat
$ipt -F -t raw
$ipt -X
$ipt -Z

$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

unset natted_interface_arr
declare -a natted_interface_arr

for _dev in ${nat_device_arr[@]} ; do
   $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
   natted_interface_arr+=("$_dev")
done

if [[ ${#nat_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _val in "${nat_network_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"

      # - Prevent natting on an interface already natted
      # -
      if containsElement "${_val_arr[1]}" "${nat_device_arr[@]}" ; then
         continue
      fi

      # - ?? - Don't know which rule is the right one , maybe both..
      # -
      $ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -d ${_val_arr[0]} -j MASQUERADE
      $ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -s ${_val_arr[0]} -j MASQUERADE
   done
fi

if $telekom_internet_tv ; then
   $ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE
fi

unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#masquerade_tcp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _val in "${masquerade_tcp_con_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"


      # - Skip if no interface is given
      # -
      if [[ -z "${_val_arr[3]}" ]] ; then
         no_if_for_ip_arr+=("${_val_arr[1]}")
         continue
      fi
      $ipt -t nat -A POSTROUTING -o ${_val_arr[3]} -p tcp -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j MASQUERADE
   done
fi

#echo_done # Flushing firewall iptable (IPv4)..
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
   echo_warning
   for _ip in ${no_if_for_ip_arr[@]} ; do
      warn "Masquerading for ip '$_ip' was omitted - No idestination interface present!"
   done
else
   echo_done
fi
echo


# -------------
# - Log given IP Addresses
# -------------

echononl "\tLog given IP Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${log_ip_arr[@]} ; do
      $ipt -A INPUT -s $_ip -j LOG --log-prefix "IPv4: $_ip IN: " --log-level $log_level
      $ipt -A OUTPUT -d $_ip -j LOG --log-prefix "IPv4: $_ip OUT: " --log-level $log_level
      $ipt -A FORWARD -s $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD FROM: " --log-level $log_level
      $ipt -A FORWARD -d $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD TO: " --log-level $log_level
   done

   echo_done
else
   echo_skipped
fi


# -------------
# --- Stopping firewall if only flushing was requested (parameter flush)
# -------------

case $1 in
   flush)
      warn No firewall rules are active!
      exit 0;;
esac


# ---
# - Stop here, if no extern interface is configured
# ---

if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then
   fatal "No extern Interface is configured!"
fi



# -------------
# --- Traffic Shaping
# -------------

echo ""
if $terminal ; then
   echononl "\033[37m\033[1m\tStarting outbound shaping...\033[m"
else
   echo -n "Starting outbound shaping"
fi

if $TRAFFIC_SHAPING  && [[ -n "$TC_DEV" ]] ; then

   tc=$(which tc)

   if [[ -z "$tc" ]]; then
      echo_skipped
      warn "'tc'-programm not found. Outbound shaping was ommitted!"
   else

      ## - Löschen aller Klassen für $TC_DEV und der Filterregeln
      ## -
      $tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null
      $ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null
      $ipt -t mangle -F MYSHAPER-OUT 
      $ipt -t mangle -X MYSHAPER-OUT


      # add HTB root qdisc
      $tc qdisc add dev $TC_DEV root handle 1:0 htb default 26

      # add main rate limit class(es)
      $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit 

      # create fair-share-classes, descending priority 
      $tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0
      $tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1
      $tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2
      $tc class add dev $TC_DEV parent 1:1 classid 1:23 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 3
      $tc class add dev $TC_DEV parent 1:1 classid 1:24 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 4
      $tc class add dev $TC_DEV parent 1:1 classid 1:25 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 5
      $tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6


      # attach qdisc to leaf classes 
      #
      #    here we at SFQ to each priority class.  SFQ insures that
      #    within each class connections will be treated (almost) fairly.
      $tc qdisc add dev $TC_DEV parent 1:20 handle 20: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:21 handle 21: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:22 handle 22: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:23 handle 23: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:24 handle 24: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:25 handle 25: sfq perturb 10
      $tc qdisc add dev $TC_DEV parent 1:26 handle 26: sfq perturb 10


      # filter traffic into classes by fwmark
      #
      #    here we direct traffic into priority class according to
      #    the fwmark set on the packet (we set fwmark with iptables
      #    later).  Note that above we've set the default priority
      #    class to 1:26 so unmarked packets (or packets marked with
      #    unfamiliar IDs) will be defaulted to the lowest priority
      #    class.
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25
      $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26


      # add MYSHAPER-OUT chain to the mangle table in iptables
      #
      #    this sets up the table we'll use
      #    to filter and mark packets.
      $ipt -t mangle -N MYSHAPER-OUT
      $ipt -t mangle -I POSTROUTING -o $TC_DEV -j MYSHAPER-OUT


      # add fwmark entries to classify different types of traffic
      #
      #    Set fwmark from 20-26 according to
      #    desired class. 20 is highest prio.

      # mark 20 - high prio 0
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 20
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20
      $ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN

      # mark 21 - high prio 1 
      #    - DNS Service
      $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21
      $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN

      # mark 22 - high prio 2
      #    - VoIP SIP (sip ports, rtp ports, stun ports(3478))
      $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j RETURN

      # mark 23 - prio 3
      #    - OpenVPN
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23
      $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN
      $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 
      $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN

      # mark 24 - prio 4
      #    - WWW
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j MARK --set-mark 24
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j RETURN


      # mark 25 - prio 5
      #    - Mailtraffic
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j MARK --set-mark 25
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j RETURN


      # Remaining packets are marked according to TOS
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark 22
      $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark 25
      # redundant- mark any unmarked packets as 26 (low prio)
      $ipt -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

      echo_done
   fi
else
   echo_skipped
fi



# ---
# - Provide (Telekom) IP TV
# ---

echo
echononl "\tProvide (Telekom) Internet TV"

if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then

   # - Telekom VDSL - Rules for IPTV 
   # -
   $ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT
   #$ipt -A INPUT -i $tv_local_if -p igmp -j DROP

   $ipt -A FORWARD -s $tv_ip -j ACCEPT
   $ipt -A FORWARD -d $tv_ip -j ACCEPT

   $ipt -A FORWARD -i $tv_ip -j ACCEPT
   $ipt -A FORWARD -o $tv_ip -j ACCEPT


   # - Forward all networks defined defind by igmpproxy
   # - (see: phyint eth2.8 upstream  ratelimit 0  threshold 1)
   #
   #$ipt -A FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
   #$ipt -A FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
   #$ipt -A FORWARD -s 239.35.100.6/24 -d 224.0.0.0/4 -j ACCEPT
   #$ipt -A FORWARD -s 93.230.64.0/19 -d 224.0.0.0/4 -j ACCEPT
   $ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT
   $ipt -A FORWARD -s 224.0.0.0/4 -j ACCEPT

   $ipt -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
   $ipt -A INPUT -d 224.0.0.0/4 -j ACCEPT

   $ipt -A INPUT -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT
   $ipt -A INPUT -i $tv_local_if -d 224.0.0.0/4 -j ACCEPT
   $ipt -A OUTPUT -o $tv_extern_if -d 224.0.0.0/4 -j ACCEPT
   $ipt -A OUTPUT -o $tv_local_if -d 224.0.0.0/4 -j ACCEPT

   #$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT
   $ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT
   $ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT
   
   echo_done
else
   echo_skipped
fi



# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------

if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
   echononl "\tPass through Devices (not firewalled)"
   for _dev in ${unprotected_if_arr[@]} ; do
      if $log_unprotected || $log_all ; then
         $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
            $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
         fi
      fi
      $ipt -A INPUT -i $_dev -j ACCEPT
      $ipt -A OUTPUT -o $_dev -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -j ACCEPT
         $ipt -A FORWARD -o $_dev -j ACCEPT
      fi
   done
   echo_done
fi



# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."


# ---
# - Block IPs
# ---

for _ip in $blocked_ips ; do
   for _dev in ${ext_if_arr[@]} ; do
      if $log_blocked_ip || $log_all ; then
         $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
         fi
      fi
      $ipt -A INPUT -i $_dev -s $_ip -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -s $_ip -j DROP
      fi
   done
done


# ---
# - Block Interfaces
# ---

for _if in ${blocked_if_arr[@]} ; do
   if $log_blocked_if || $log_all ; then
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
         $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
      fi
      $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
      $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
   fi
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -i $_if -j DROP
      $ipt -A FORWARD -o $_if -j DROP
   fi
   $ipt -A INPUT -i $_if -j DROP
   $ipt -A OUTPUT -o $_if -j DROP
done

echo_done # Block IPs / Networks / Interfaces..



# ---
# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
# ---

echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."

if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then

   declare -a octets
   declare -i index

   while IFS='' read -r _line || [[ -n $_line ]] ; do

      is_valid_ipv4=true
      is_valid_mask=true
      ipv4=""
      mask=""
      
      # Ignore comment lines
      #
      [[ $_line =~ ^[[:space:]]{0,}# ]] && continue

      # Ignore blank lines
      #
      [[ $_line =~ ^[[:space:]]*$ ]] && continue

      # Remove leading whitespace characters
      #
      _line="${_line#"${_line%%[![:space:]]*}"}"


      # Catch IPv4 Address
      #
      given_ipv4="$(echo  $_line | cut -d ' ' -f1)"


      # Splitt Ipv4 address from possible given CIDR number
      #
      IFS='/' read -ra _addr <<< "$given_ipv4"
      _ipv4="${_addr[0]}"

      if [[ -n "${_addr[1]}" ]] ; then
         _mask="${_addr[1]}"
         test_netmask=false

         # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
         #
         if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then

            # Its not a vaild mask number, but naybe a valit netmask.
            # 
            test_netmask=true
         else
            if [[ $_mask -gt 32 ]]; then

               # Its not a vaild cidr number, but naybe a valit netmask.
               # 
               test_netmask=true
            else

               # OK, we have a vaild cidr number between '0' and '32'
               #
               mask=$_mask
            fi
         fi

         # Test if given '_mask' is a valid netmask.
         #
         if $test_netmask ; then
            octets=( ${_mask//\./ } )

            # Complete netmask if necessary
            #
            while [[ ${#octets[@]} -lt 4 ]]; do
               octets+=(0)
            done

            [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false

            index=0
            for octet in ${octets[@]} ; do
               if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
                  if [[ $octet -gt 255 ]] ; then
                     is_valid_mask=false
                  fi
                  if [[ $index -gt 0 ]] ; then
                     mask="${mask}.${octet}"
                  else
                     mask="${octet}"
                  fi
                  
               else
                  is_valid_mask=false
               fi

               ((index++))
            done
         fi

         adjust_mask=false
      else
         mask=32
         adjust_mask=true
      fi

      # Splitt given address into their octets
      #
      octets=( ${_ipv4//\./ } )

      # Complete IPv4 address if necessary
      #
      while [[ ${#octets[@]} -lt 4 ]]; do
         octets+=(0)

         # Only adjust CIDR number if not given
         #
         if $adjust_mask ; then
            mask="$(expr $mask - 8)"
         fi
      done

      # Pre-check if given IPv4 Address seems to be a valid address
      #
      [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false

      # Check if given IPv4 Address is a valid address
      #
      if $is_valid_ipv4 ; then
         index=0
         for octet in ${octets[@]} ; do
            if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
               if [[ $octet -gt 255 ]] ; then
                  is_valid_ipv4=false
               fi
               if [[ $index -gt 0 ]] ; then
                  ipv4="${ipv4}.${octet}"
               else
                  ipv4="${octet}"
               fi
               
            else
               is_valid_ipv4=false
            fi

            ((index++))
         done
      fi

      if $is_valid_ipv4 && $is_valid_mask; then

         _ip="${ipv4}/${mask}"

         for _dev in ${ext_if_arr[@]} ; do
            if $log_blocked_ip || $log_all ; then
               $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
               if $kernel_activate_forwarding ; then
                  $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
               fi
            fi
            $ipt -A INPUT -i $_dev -s $_ip -j DROP
            if $kernel_activate_forwarding ; then
               $ipt -A FORWARD -i $_dev -s $_ip -j DROP
            fi
         done


      else
         msg="$msg '${given_ipv4}'"
      fi

   done < "${ipt_conf_dir}/ban_ipv4.list"
   echo_done

   if [[ -n "$msg" ]]; then
      warn "Ignored:$msg"
   fi
else
   echo_skipped
fi


# ---
# - Allow Forwarding certain private Addresses
# ---

echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${forward_private_ip_arr[@]}; do
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -d $_ip -j ACCEPT
         $ipt -A FORWARD -s $_ip -j ACCEPT
         echo_done
      else
         echo_skipped
      fi
   done
else
   echo_skipped
fi


# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."

if $protect_against_several_attacks ; then

   # ---
   # - Protection against syn-flooding
   # ---

   $ipt -N syn-flood
   $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
   if $log_syn_flood || $log_all ; then
      $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
   fi
   $ipt -A syn-flood -j DROP


   # ---
   # - Drop Fragments
   # ---

   # I have to say that fragments scare me more than anything.
   # Sending lots of non-first fragments was what allowed Jolt2  to effectively "drown"
   # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
   # fragments is very OS-dependent (see this paper for details).
   # I am not going to trust any fragments.
   # Log fragments just to see if we get any, and deny them too

   for _dev in ${ext_if_arr[@]} ; do
      if $log_fragments || $log_all ; then
         $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
         fi
      fi
      $ipt -A INPUT -i $_dev -f -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -f -j DROP
      fi
   done


   # ---
   # - drop new packages without syn flag
   # ---

   #if $log_new_not_sync || $log_all  ; then
   #   $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j  LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   #   $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   #   if $kernel_activate_forwarding ; then
   #      $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
   #   fi
   #fi
   #$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
   #$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
   #if $kernel_activate_forwarding ; then
   #   $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
   #fi


   # ---
   # - drop invalid packages
   # ---

   #if $log_invalid_state || $log_all  ; then
   #   $ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
   #   if $kernel_activate_forwarding ; then
   #      $ipt -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
   #   fi
   #fi
   #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
   #if $kernel_activate_forwarding ; then
   #   $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
   #fi


   # ---
   # - ungewöhnliche Flags verwerfen
   # ---

   for _dev in ${ext_if_arr[@]} ; do
      if $log_invalid_flags || $log_all ; then
         $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
         fi
      fi
      $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
      $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
      $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
         $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
         $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
      fi
   done


   # ---
   # - Refuse private addresses on extern interfaces
   # ---

   # Refuse packets claiming to be from a 
   #   Class A private network
   #   Class B private network
   #   Class C private network
   #   loopback interface
   #   Class D multicast address
   #   Class E reserved IP address
   #   broadcast address
   for _dev in ${dsl_device_arr[@]} ; do
      if $log_spoofed || $log_all ; then
         $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
         $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
         $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
         $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
         $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
         $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
         #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
         #
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
            $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
            #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
         fi
      fi
      # Refuse packets claiming to be from a Class A private network.
      $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
      # Refuse packets claiming to be from a Class B private network.
      $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
      # Retfuse packets claiming to be from a Class C private network.
      $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
      # Refuse packets claiming to be from loopback interface.
      $ipt -A INPUT -i $_dev -s $loopback -j DROP
      # Refuse Class D multicast addresses. Multicast is illegal as a source address.
      $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
      # Refuse Class E reserved IP addresses.
      $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
      # Refuse broadcast address packets.
      #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
      if $kernel_activate_forwarding ; then
         # Refuse packets claiming to be from a Class A private network.
         $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
         # Refuse packets claiming to be from a Class B private network.
         $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
         # Refuse packets claiming to be from a Class C private network.
         $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
         # Refuse packets claiming to be from loopback interface.
         $ipt -A FORWARD -i $_dev -s $loopback -j DROP
         # Refuse Class D multicast addresses. Multicast is illegal as a source address.
         $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
         # Refuse Class E reserved IP addresses.
         $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
         # Refuse broadcast address packets.
         #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
      fi
   done


   # ---
   # - Refuse packets claiming to be to the loopback interface.
   # ---

   # Refusing packets claiming to be to the loopback interface protects against
   # source quench, whereby a machine can be told to slow itself down by an icmp source
   # quench to the loopback.
   for _dev in ${ext_if_arr[@]} ; do
      if $log_to_lo || $log_all ; then
         $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
         fi
      fi
      $ipt -A INPUT -i $_dev -d $loopback -j DROP
      if $kernel_activate_forwarding  ; then
         $ipt -A FORWARD -i $_dev -d $loopback -j DROP
      fi
   done


   # ---
   # - Don't allow spoofing from that server
   # ---

   for _dev in ${dsl_device_arr[@]} ; do
      if $log_spoofed_out || $log_all ; then
         $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level
         $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level
         $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level
         $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level
      fi
      $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
      $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
      $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
      $ipt -A OUTPUT -o $_dev -s $loopback -j DROP
   done

   echo_done
else
   echo_skipped
fi


# -------------
# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
# -------------

if $log_voip || $log_all ; then
   for _ip in ${tel_sys_ip_arr[@]} ; do
      $ipt -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
   done
fi
#for _PORT in ${VOIP_PORTS} ; do
#   $ipt -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
#done


# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------


case $1 in
   sto*)
      echo
      if $terminal ; then
         echo -e "\t\033[37m\033[1mStop was requested. No more firewall rules..\033[m"
      else
         echo "Stop was requested. No more firewall rules.."
      fi
      echo
      exit 0;;
esac


echo


# -------------
# - suricata IPS (Inline Mode)
# -------------

# - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu'
# -
echononl "\tForward to suricata IPS (inline Mode)"
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then 
   $ipt -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3
   echo_done
else
   echo_skipped
fi

echo


# -------------
# --- iPerf
# -------------

# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. 
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, 
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.

echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
   $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT
   $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT
   #
   $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT
   $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT
      $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT
   fi
   echo_done
else
   echo_skipped
fi


# ---
# - Drop packets not wanted on gateway
# ---

echononl "\tDrop packets not wanted on gateway"

for _dev in ${local_if_arr[@]} ; do
   if $log_not_wanted || $log_all ; then
      if $not_wanted_ident ; then
         $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
      fi
      for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
      done
      for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
      done
   fi
   if $not_wanted_ident ; then
      $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset 
   fi
   for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
      $ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP
   done
   for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
      $ipt -A INPUT -i $_dev -p udp --dport $_port -j DROP
   done
done

echo_done


# -------------
# --- Generally prohibited from WAN
# -------------

echononl "\tGenerally prohibited from WAN"

for _dev in ${ext_if_arr[@]} ; do
   if $log_prohibited || $log_all ; then
      if $block_ident ; then
         $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
      fi
      for _port in ${block_tcp_port_arr[@]} ; do
         $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
      done
      if $kernel_activate_forwarding ; then
         if $block_ident ; then
            $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
         fi
         for _port in ${block_tcp_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
         done
         for _port in ${block_udp_port_arr[@]} ; do
            $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
         done
      fi
   fi
   if $block_ident ; then
       $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
   fi
   for _port in ${block_tcp_port_arr[@]} ; do
      $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP
   done
   for _port in ${block_udp_port_arr[@]} ; do
      $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP
   done
   if $kernel_activate_forwarding ; then
      if $block_ident ; then
         $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
      fi
      for _port in ${block_tcp_port_arr[@]} ; do
         $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP
      done
   fi
done

echo_done
echo


# -------------
# --- Traffic generally allowed
# -------------

echononl "\tLoopback device generally allowed.."

# ---
# - Loopback device
# ---

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

echo_done


# ---
# - Allow all Traffic from source mac-address
# ---

echononl "\tAllow all Traffic from MAC Source-Address"

if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
   for _mac in ${allow_all_mac_src_address_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
         fi
      done 
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Allow local Traffic from source mac-address
# ---

echononl "\tAllow local Traffic from MAC Source-Address"


if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
   for _mac in ${allow_local_mac_src_address_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
         fi
      done 
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Allow remote Traffic from source mac-address
# ---

echononl "\tAllow remote Traffic from MAC Source-Address"


if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
   for _mac in ${allow_remote_mac_src_address_arr[@]} ; do
      for _dev in ${ext_if_arr[@]} ; do
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
         fi
      done 
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Already established connections
# ---

echononl "\tAccept already established connections.."

$ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
if $kernel_activate_forwarding ; then
   $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
fi

echo_done


# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
   $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      for _local_dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
      done
   fi
done
echo_done



# ---
# - Telefon Systems
# ---

echononl "\tAllow all Traffic between Telefon Systems"
if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! $permit_between_local_networks ; then
   for _ip_1 in ${tele_sys_ip_arr[@]} ; do
      for _ip_2 in ${tele_sys_ip_arr[@]} ; do
         #[[ "$_ip_1" = "$_ip_2" ]] && continue
         $ipt -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Telefon Systems to remote SIP-Server
# ---

echononl "\tTelefon System to remote SIP-Server"
if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then
   if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then
      echo_failed
      warn "Local or remote SIP Port not given"!
   else
      for _ip in ${tele_sys_ip_arr[@]} ; do
         $ipt -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \
            --dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi
   echo_done
else
   echo_skipped
fi



# ---
# - All request from local networks to the internet
# ---

echononl "\tPermit all traffic from local networks to the internet.."
if $permit_local_net_to_inet ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Networks not firewalled through extern interfaces
# ---

echononl "\tAllow these local networks any access to the internet"
if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding \
      && ! $permit_local_net_to_inet ; then

   for _net in ${any_access_to_inet_network_arr[@]}; do
      for _dev in ${ext_if_arr[@]} ; do
         $ipt -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


echononl "\tAllow these local networks any access from the internet"
if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   _found=false
   for _net in ${any_access_from_inet_network_arr[@]}; do
      for _dev in ${ext_if_arr[@]} ; do

         # - Traffic recieved on natted interfaces will be ommitted!
         # -
         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
            continue
         else
            _found=true
         fi

         $ipt -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   if $_found ; then
      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi



# ---
# - Allow local services from given extern networks
# ---

echononl "\tAllow local services from given extern networks"
if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   _found=false
   for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      for _dev in ${ext_if_arr[@]} ; do

         if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then
            $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
         fi

         # - Traffic recieved on natted interfaces will be ommitted!
         # -
         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
            continue
         else
            _found=true
         fi

         $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      done

   done

   if $_found ; then
      echo_done
   else
      echo_skipped
   fi
   
else
   echo_skipped
fi



# ---
# - Allow all traffic from extern address/network to local address/network
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tAllow all traffic from extern to local network/address"

if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   _found=false
   for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      for _dev in ${ext_if_arr[@]} ; do

         # - Traffic recieved on natted interfaces will be ommitted!
         # -
         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
            continue
         else
            _found=true
         fi

         $ipt -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      done
   done

   if $_found ; then
      echo_done
   else
      echo_skipped
   fi

else
   echo_skipped
fi



# ---
# - Block all extern traffic to (given) local network
# ---

echononl "\tBlock all extern traffic to (given) local network"
if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   _found=false
   for _net in ${block_all_ext_to_local_net_arr[@]} ; do
      for _dev in ${ext_if_arr[@]} ; do

         # - Traffic recieved on natted interfaces will be ommitted!
         # -
         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
            continue
         else
            _found=true
         fi

         $ipt -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP

      done
   done

   if $_found ; then
      echo_done
   else
      echo_skipped
   fi

else
   echo_skipped
fi



# ---
# - Allow local services from given local networks
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tAllow local services from given local networks"
if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         if [[ "${_val_arr[3]}" = "tcp" ]]; then
            $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
         fi
      fi
   done
   
   echo_done
else
   echo_skipped
fi



# ---
# - Allow all traffic from local network to local ip-address
# ---

echononl "\tAllow all traffic from local network to local ip-address"

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_net_to_local_ip_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_ok
else
   echo_skipped
fi



# ---
# - Allow all traffic from local ip-address to local network
# ---

echononl "\tAllow all traffic from local ip-address to local network"

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_ip_to_local_net_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_ok
else
   echo_skipped
fi



# ---
# - Allow all traffic from (one) local network to (another) local network
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tAllow all traffic from local network to (another) local network"

if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_net_to_local_net_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_ok
else
   echo_skipped
fi




# ---
# - Allow local ip address from given local interface
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tAllow local ip address from given local interface"

if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_ok
else
   echo_skipped
fi



# ---
# - Allow extern service from given local interface
# ---

echononl "\tAllow extern service from given local interface"

if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in "${allow_local_if_to_ext_service_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         if [[ "${_val_arr[3]}" = "tcp" ]]; then
            $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         fi
      fi
   done

   echo_done
else
   echo_skipped
fi



# ---
# - Allow extern network from given local interface
# ---

echononl "\tAllow extern network from given local interface"

if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_if_to_ext_net_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi



# ---
# - Allow extern service from given local network
# ---

echononl "\tAllow extern service from given local network"
if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         if [[ "${_val_arr[3]}" = "tcp" ]]; then
            $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
         fi
      fi
   done
   
   echo_done
else
   echo_skipped
fi



# ---
# - Allow extern network from given local network
# ---

echononl "\tAllow extern network from given local network"
if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding ; then

   for _val in ${allow_local_net_to_ext_net_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi



# ---
# - Separate local networks
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tSeparate local networks.."

if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _net in ${separate_local_network_arr[@]}; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -o $_dev -p all -s $_net -j DROP
      done
   done
   echo_done
else
   echo_skipped
fi



# ---
# - Separate local interfaces
# ---

# - !! Note:
# -    does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tSeparate local interfaces.."

if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _dev_1 in ${separate_local_if_arr[@]}; do
      for _dev_2 in ${local_if_arr[@]} ; do
         [[ "$_dev_1" = "$_dev_2" ]] && continue
         $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP
         $ipt -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Permit all traffic between local networks
# ---

echononl "\tPermit all traffic between local networks.."
if $kernel_activate_forwarding ; then
   if $permit_between_local_networks ; then
      for _dev_1 in ${local_if_arr[@]} ; do
         for _dev_2 in ${local_if_arr[@]} ; do

            # - Notice:
            # - In case of routing multiple netwoks on the same interface or 
            # - using alias interfaces like eth0:0, you need a rule with
            # - incomming- and outgoing interface are equal!
            # -
            # - So DON'T add statement like this:
            # -    [[ "$_dev_2" = "$_dev_1" ]] && continue
            # -
            $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT

            # - Note:
            # - If (local) alias interfaces like eth1:0 in use, youe need a further
            # - special rule.
            # -
            if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
               $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT
            fi

         done
      done
      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi



# -------------
# --- Services
# -------------

echo
if $terminal ; then
   echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
else
   echo "Add Rules for Services.."
fi


# ---
# - IPv6 over IPv4 (Tunnel Provider SixXS)
# ---

echononl "\t\tIPv6 Tunnel SixXS"
if $local_sixxs_service ; then
   if [ -n "$tic_server" -a -n "$six_pop_server" ]; then
      # TIC (tunnel information & control) packages, from/to tic.sixxs.net
      $ipt -A OUTPUT -p tcp -d $tic_server --dport 3874 -m conntrack --ctstate NEW -j ACCEPT

      # heartbeat packets (outgoing only)
      $ipt -A OUTPUT -p udp -d $six_pop_server --dport 3740 -m conntrack --ctstate NEW -j ACCEPT

      # 6over4 tunnel packets
      $ipt -A OUTPUT -p 41 -d $six_pop_server -j ACCEPT
      $ipt -A INPUT -p 41 -d $six_pop_server -j ACCEPT

      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi


# ---
# - DHCP
# ---

echononl "\t\tLocal DHCP Client"

if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
   for _dev in ${dhcp_client_interfaces_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT
      $ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT
   done

   echo_done
else
   echo_skipped
fi


echononl "\t\tDHCP"

if $local_dhcp_service ; then
   # - Allow requests from intern networks
   for _dev in ${local_if_arr[@]} ; do
      # - in
      $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
      # - out
      $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - DHCP Failover
# ---

echononl "\t\tDHCP Failover Server"
if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
      $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - DNS out only
# ---

echononl "\t\tDNS out only"

# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
   # - out from local and virtual mashine(s)
   $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

   # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
   if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
      # - forward from virtual mashine(s)
      $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - DNS Service Gateway
# ---

echononl "\t\tDNS Service Gateway"

# - Local Nameservice
# -
if $local_dns_service ; then

   # dns requests 
   #
   # Note:
   #    If the total size of the DNS record is larger than 512 bytes, 
   #    it will be sent over TCP, not UDP.
   #

   # - Allow requests from local networks
   # -
   for _dev in ${local_if_arr[@]} ; do
      # - in
      $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
   done

   # - Zonetransfere (uses tcp/53)
   # 
   for _ip in ${dns_server_ips[@]} ; do
      # - out
      # -
      # - local master (here) gets request for a zone from slave ($_ip)
      $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT

      # - in
      # -
      # - local slave (here) requests zone from master ($_ip)
      $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
   done

   echo_done
else 
   echo_skipped
fi


# ---
# - DNS Services at local Network
# ---

echononl "\t\tDNS Service local Network"

# - Make nameservers at the local network area rechable for all
# -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then

   # dns requests 
   #
   # Note:
   #    If the total size of the DNS record is larger than 512 bytes, 
   #    it will be sent over TCP, not UDP.
   #

   for _ip in ${dns_server_ip_arr[@]} ; do
      $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   done

   echo_done
else
   echo_skipped
fi



# ---
# - SSH out only
# ---

echononl "\t\tSSH out only"

if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then
   # - Provide SSH to everywhere (also LAN)
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   for _dev in ${local_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
   done

   echo_done
else
   echo_skipped
fi


# ---
# - SSH Service Gateway
# ---

echononl "\t\tSSH Service Gateway (also from WAN)"

if $local_ssh_service ; then
   # - Provides SSH in from everywhere
   for _port in ${ssh_port_arr[@]} ; do
      $ipt -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - SSH Services only local Network
# ---

echononl "\t\tSSH Services only local Network"

if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
      for _port in ${ssh_port_arr[@]} ; do

         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
            for _dev in ${local_if_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
            done
         fi

         # - Note:
         # - If (local) alias interfaces like eth1:0 in use, youe need a further
         # - special rule.
         # -
         if $kernel_activate_forwarding && $local_alias_interfaces ; then
            $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
         fi

      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - SSH Services DMZ
# ---

echononl "\t\tSSH Services DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
   for _ip in "${!ssh_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      for _port in ${ssh_port_arr[@]} ; do

         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

         if $kernel_activate_forwarding ; then

            # - Nat if interface is on a dsl line
            # -
            if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
               $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
            fi
            $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
         fi

         # - From intern
         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
            for _dev in ${local_if_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
            done
         fi

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # -
         if $kernel_activate_forwarding && $local_alias_interfaces ; then
            for _port in ${ssh_port_arr[@]} ; do
               $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
               $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
            done
         fi

      done

   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - SSH Service between local Netwotks
# ---

echononl "\t\tSSH Service between local Netwotks"
if $allow_ssh_between_local_nets ; then
   if $kernel_activate_forwarding ; then
      for _dev_1 in ${local_if_arr[@]} ; do

         for _port in ${ssh_port_arr[@]} ; do
            $ipt -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

         for _dev_2 in ${local_if_arr[@]} ; do

            if ! $permit_between_local_networks ; then
               # - Notice:
               # - In case of routing multiple netwoks on the same interface or 
               # - using alias interfaces like eth0:0, you need a rule with
               # - incomming- and outgoing interface are equal!
               # -
               # - So DON'T add statement like this:
               # -    [[ "$_dev_2" = "$_dev_1" ]] && continue
               # -
               for _port in ${ssh_port_arr[@]} ; do
                  $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
               done
            fi

            # - Note:
            # - If (local) alias interfaces like eth1:0 in use, youe need a further
            # - special rule.
            # -
            if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
               for _port in ${ssh_port_arr[@]} ; do
                  $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
                  $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
               done
            fi
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Cisco kompartibles VPN (FRITZ!Box)
# ---

echononl "\t\tCisco VPN Service (FRITZ\!Box) only out"

if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then
   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${cisco_vpn_out_port_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
            $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         fi
      done
   done

   for _vpn_if in ${vpn_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - VPN Service only out
# ---

echononl "\t\tVPN Service only out"

if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${vpn_out_port_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
            $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         fi
      done
   done

   for _vpn_if in ${vpn_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - VPN Service Gateway
# ---

echononl "\t\tVPN Service Gateway"

if $local_vpn_service ; then

   # - Cconnection establishment
   # -
   for _port in ${vpn_gw_port_arr[@]} ; do
      $ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done

else
   echo_skipped
fi


# ---
# - VPN Service DMZ
# ---

echononl "\t\tVPN Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _ip in ${!vpn_server_dmz_arr[@]} ; do

      # - Skip if no interface is given
      # -
      if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      for _port in ${vpn_local_net_port_arr[@]} ; do
         $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

         # - Nat if interface is on a dsl line
         # -
         if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
            $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
         fi
      done
   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - HTTP(S) OUT
# ---

echononl "\t\tHTTP(S) out only"

if $allow_http_request_out && ! $permit_local_net_to_inet ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi



# ---
# - HTTP(S) (local) Webserver
# ---

echononl "\t\tHTTP(S) Services Gateway"
# - Access to the local Webservice
if $local_http_service ; then
   $ipt -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
   echo_done
else
   echo_skipped
fi


# ---
# - HTTP(S) Services only local Network
# ---

echononl "\t\tHTTP(S) Services only local Network"
# - Access to the Webservices (LAN)
if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${http_server_only_local_ip_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - HTTP(S) Services DMZ
# ---

echononl "\t\tHTTP(S) Services DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
   http_port_arr=(${http_ports//,/ })  
   for _ip in "${!http_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      for _port in ${http_port_arr[@]}  ; do
         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         if $kernel_activate_forwarding ; then

            # - Nat if interface is on a dsl line
            # -
            if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
               $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
            fi
            $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
         fi
      done
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Rule is needed if (local) interface aliases in use (like eth0:1)
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
      fi

   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - HTTPS Services DMZ (only port 443)
# ---

echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
   for _ip in "${!http_ssl_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT

      # - From extern
      if $kernel_activate_forwarding ; then

         # - Nat if interface is on a dsl line
         # -
         if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
            $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
         fi
         $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
      fi

      # - From intern
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Rule is needed if (local) interface aliases in use (like eth0:1)
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
      fi
   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - Mail Service SMTP only out
# ---

echononl "\t\tMail Services SMTP only out"

if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then
   # - Provide SMTP out for all to WAN
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - SMTP (Relay) Service Gateway
# ---

echononl "\t\tSMTP (Relay) Service Gateway (only on local network)"
if $local_smtp_service ; then
   for _dev in ${local_if_arr[@]} ; do
      $ipt -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
   done

   echo_done
else
   echo_skipped
fi
   


# ---
# - Mail User Services smtps/pop(s)/imap(s) only out
# ---

echononl "\t\tMail Services smtps/pop(s)/imap(s) only out"

if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
   # - Provide using Mailservices (WAN) from whole LAN
   # -
   # - Not needed from local machine. But for testing pupose (i.e. telnet <port>)
   # -
   # - 
   for _dev in ${ext_if_arr[@]} ; do
      if $provide_mailservice_from_local ; then
         # - Note!
         # - this provides access both to LAN and WAN
         $ipt -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
      fi
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         for _dev in ${ext_if_arr[@]} ; do
            $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Mail Service SMTP only local Networks
# ---

echononl "\t\tMail Service SMTP only local Networks"
if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${mail_server_only_local_ip_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
      fi

      echo_done
   done
else
   echo_skipped
fi


# ---
# - Mail Services smtps/pop(s)/imap(s) only local Networks
# ---

echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks"

if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${mail_server_only_local_ip_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Mail Server DMZ
# ---

echononl "\t\tMail Server DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
   mail_port_arr=(${mail_user_ports//,/ })  
   mail_port_arr+=("$mail_smtp_port")
   for _ip in "${!mail_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      for _port in ${mail_port_arr[@]}  ; do
         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

         # - Nat if interface is on a dsl line
         # -
         if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
            $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
         fi
         $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
      done
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
      fi
   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - FTP common
# ---
ftp_helper_output_defined=false
ftp_helper_prerouting_defined=false

# ---
# - FTP out only
# ---

echononl "\t\tFTP out only"

if $allow_ftp_request_out ; then

   # - Used for different ftpdata recent lists 'ftpdata_$i'
   # -
   declare -i i=1

   if ! $ftp_helper_output_defined ; then
      $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
      ftp_helper_output_defined=true
   fi
   if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then
      $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
      ftp_helper_prerouting_defined=true
   fi

   for _dev in ${ext_if_arr[@]} ; do

      # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
      # -
      $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT

      # - (2)
      # -    - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
      # -      and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
      # -
      # -    - If matched, the "last seen" timestamp of the destination address will be updated (--update).
      # -
      # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
      # -
      $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
         -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT

      ((i++))

      # - Accept (helper ftp) related connections
      # -
      $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
      $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT

      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then

			# =====
         # -
         # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
         # - ======================================================
         # -
         # - Workaround:
         # -    (1) add (!) desitnatin ip to a 'recent list' named 'ftpdata_$i!  if ftp control connections appear
         # -    (2) accept packets of the formaly created recent list 'ftpdata_$i!
         # -
			# - Note:
			# -    Use flag '--rdest' to match destination address
			# -
         # =====

			# - (1)
         # -
         # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
         # -
         $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \
            -m recent --name ftpdata_$i --rdest --set -j ACCEPT

         # - (2)
         # -    - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
         # -      and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
         # -
         # -    - If matched, the "last seen" timestamp of the destination address will be updated (--update).
         # -
         # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
         # -
         $ipt -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \
            -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT

         ((i++))


         # - Accept (helper ftp) related connections
			# -
         $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
         $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT

      fi

   done

   echo_done
else
   echo_skipped
fi

#if $allow_ftp_request_out ; then
#   for _dev in ${ext_if_arr[@]} ; do
#      $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
#      $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      # - Allow active FTP connections from local network
#      # -
#      $ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
#      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
#            $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
#            $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      fi
#      # - Allow active FTP connections from local network
#      # -
#      $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
#   done
#
#   echo_done
#else
#   echo_done
#fi


# ---
# - FTP Service Gateway
# ---

echononl "\t\tFTP Service Gateway"

if $local_ftp_service ; then

   # =====
   # -
   # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
   # - ======================================================
   # -
   # - Workaround:
   # -    (1) add source ip to a 'recent list' named 'ftpservice!  if ftp control connections appear
   # -    (2) accept packets of the formaly created recent list 'ftpservice!
   # -
   # =====

   # - (Re)define helper
   # -
   # - !! Note: !!
   # -    for both, local FTP server (ftp_server_ip_arr) 
   # -    and forward to (extern) FTP server (forward_ftp_server_ip_arr)
   # -
   if ! $ftp_helper_prerouting_defined ; then
      $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
      ftp_helper_prerouting_defined=true
   fi

   # - (1)
   # -
   # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpservice'.
   # -
   $ipt -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpservice --set -j ACCEPT

   # - (2)
   # -    - Accept packets if the source ip-address is in the 'ftpservice' list (--update) and the
   # -      source ip-address was seen within the last 1800 seconds (--seconds 1800).
   # -
   # -    - If matched, the "last seen" timestamp of the source address will be updated (--update).
   # -
   # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
   # - 
   $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
      -m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT

   # - Accept (helper ftp) related connections
   # -
   $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT

   echo_done
else
   echo_skipped
fi


# ---
# - FTP Services only local Network
# ---

echononl "\t\tFTP Service local Networks"

if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] &&  $kernel_activate_forwarding ; then

   # - Used for different ftpdata recent lists 'ftpdata_local_$k'
   # -
   declare -i k=1

   # - (Re)define helper
   # -
   if ! $ftp_helper_output_defined ; then
      $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
      ftp_helper_output_defined=true
   fi
   if $kernel_activate_forwarding && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then
      $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
      ftp_helper_prerouting_defined=true
   fi

   for _ip in ${ftp_server_only_local_ip_arr[@]} ; do

      # - (1)
      # -
      # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
      # -
      $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \
         -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT

		$ipt -A FORWARD -d $_ip -p tcp --dport 21 -m state --state NEW \
			-m recent --name ftpdata_local_$k --rdest --set -j ACCEPT

      # - (2)
      # -    - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
      # -      and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
      # -
      # -    - If matched, the "last seen" timestamp of the destination address will be updated (--update).
      # -
      # -    - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
      # -
      $ipt -A OUTPUT -d $_ip -p tcp -m state --state NEW --dport 1024: \
         -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT

      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
		   $ipt -A FORWARD -d $_ip -p tcp -m state --state NEW --dport 1024: \
            -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT
      fi

      ((k++))

      # - Accept (helper ftp) related connections
      # -
      $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
      $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT

      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
		   $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT
		   $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT
      fi

   done
      
   echo_done
else
   echo_skipped
fi



#echononl "\t\tFTP Service local Networks"
#if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] &&  $kernel_activate_forwarding ; then
#   for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
#      $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#
#      if ! $permit_between_local_networks ; then
#         $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      fi
#
#      if $local_alias_interfaces ; then
#         # - Control Port
#         $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
#         $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
#         # - Data Port activ
#         $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
#         $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
#         # - Data Port passiv
#         $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT
#      fi
#   done
#
#   echo_done
#else
#   echo_skipped
#fi


# ---
# - FTP Services DMZ
# ---

echononl "\t\tFTP Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then
   IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}"
   for _ip in "${!ftp_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT

      # - From extern
      if $kernel_activate_forwarding ; then 
         $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT

         # - Nat if interface is on a dsl line
         # -
         if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
            $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
            $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
            $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
         fi
      fi

      # - From intern
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Rule is needed if (local) interface aliases in use (like eth0:1)
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then

         # - Control Port
         $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
         # - Data Port activ
         $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
         # - Data Port passiv
         $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT

      fi
   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi
   

# ---
# - TFTF Service out only
# ---

echononl "\t\tTFTF Service out only"

if $allow_tftp_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port  -m conntrack --ctstate NEW -j ACCEPT
   done

   if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
      $ipt -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port  -m conntrack --ctstate NEW -j ACCEPT
   fi
   echo_done
else
   echo_skipped
fi


# ---
# - TFTP Service Gateway
# ---

echononl "\t\tTFTF Service Gateway"

if $local_tftp_service ; then
   $ipt -A INPUT -p udp --dport $tftp_udp_port  -m conntrack --ctstate NEW -j ACCEPT
   echo_done
else
   echo_skipped
fi


# ---
# - Samba Service only out
# ---

echononl "\t\tSamba Service only out"

if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then
   for _dev in ${ext_if_arr[@]} ; do

      for _port in ${samba_udp_ports[@]} ; do
         $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${samba_tcp_ports[@]} ; do
         $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done

      if $kernel_activate_forwarding ; then
         
         for _port in ${samba_udp_ports[@]} ; do
            $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         for _port in ${samba_tcp_ports[@]} ; do
            $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Samba Service Gateway (only for local Networks)
# ---

echononl "\t\tSamba Service Gateway (only for local Networks)"

if $local_samba_service ; then
   for _dev in ${local_if_arr[@]} ; do
      for _port in ${samba_udp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${samba_tcp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Samba Service only between local Networks
# ---

echononl "\t\tSamba Service only local Networks"

if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
   for _dev in ${local_if_arr[@]} ; do
      for _ip in ${samba_server_local_ip_arr[@]} ; do
         for _port in ${samba_udp_port_arr[@]} ; do
            $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         for _port in ${samba_tcp_port_arr[@]} ; do
            $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         if $kernel_activate_forwarding && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then

            for _port in ${samba_udp_port_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            done
            for _port in ${samba_tcp_port_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            done

            # - Rule is needed if (local) interface aliases in use (like eth0:1)
            # -
            if $local_alias_interfaces ; then
               for _port in ${samba_tcp_port_arr[@]} ; do
                  $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
                  $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
               done
            fi
         fi
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Samba Service DMZ
# ---

echononl "\t\tSamba Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
   for _ip in "${!samba_server_dmz_arr[@]}"; do

      # - Skip if no interface is given
      # -
      if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      # - From extern
      if $kernel_activate_forwarding ; then
         for _port in ${samba_udp_port_arr[@]} ; do
            $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

            # - Nat if interface is on a dsl line
            # -
            if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
               IFS=':' read -a _udp_port_arr <<< ${_port}
               if [[ -n "${_udp_port_arr[1]}" ]] ; then
                  $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
               else
                  $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
               fi
            fi
         done
         for _port in ${samba_tcp_port_arr[@]} ; do
            $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT

            # - Nat if interface is on a dsl line
            # -
            if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
               $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
            fi
         done
      fi

      # - From intern
      for _dev in ${local_if_arr[@]} ; do
         for _port in ${samba_udp_port_arr[@]} ; do
            $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
               $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            fi
         done
         for _port in ${samba_tcp_port_arr[@]} ; do
            $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            fi
         done

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # -
         if $kernel_activate_forwarding && $local_alias_interfaces ; then
            for _port in ${samba_tcp_port_arr[@]} ; do
               $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
               $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
            done
         fi
      done

   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - LDAP and LDAP SSL Service Gateway (only for local Networks)
# ---

echononl "\t\tLDAP(S) Service Gateway (only for local Networks)"

if $local_ldap_service ; then
   for _dev in ${local_if_arr[@]} ; do
      for _port in ${ldap_udp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${ldap_tcp_port_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - LDAP and LDAP SSL Service only between local Networks
# ---

echononl "\t\tLDAP(S) Service only local Networks"

if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then
   for _dev in ${local_if_arr[@]} ; do
      for _ip in ${ldap_server_local_ip_arr[@]} ; do
         for _port in ${ldap_udp_port_arr[@]} ; do
            $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         for _port in ${ldap_tcp_port_arr[@]} ; do
            $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         if $kernel_activate_forwarding && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then

            for _port in ${ldap_udp_port_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            done
            for _port in ${ldap_tcp_port_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            done

            # - Rule is needed if (local) interface aliases in use (like eth0:1)
            # -
            if $local_alias_interfaces ; then
               for _port in ${ldap_tcp_port_arr[@]} ; do
                  $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
                  $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
               done
            fi
         fi
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - NTP out only
# ---

echononl "\t\tNTP Service out only"

if $allow_ntp_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - NTP Service Gateway
# ---

echononl "\t\tNTP Service Gateway"
if $local_ntp_service ; then
   if ! $allow_ntp_request_out ; then
      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
   fi
   $ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
   echo_done
else
   echo_skipped
fi


# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---

echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"

if $allow_timeserver_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port  -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port  -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - PGP Keyserver out only
# ---

echononl "\t\tPGP Keyserver out only"

if $allow_pgpserver_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Telnet
# ---

echononl "\t\tTelnet (only OUT)"

if $allow_telnet_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Whois out only
# ---

echononl "\t\tWhois out only"

if $allow_whois_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port  -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port  -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - CPAN Wait only out
# ---

# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on 
# - a WAIT server. It connects to a WAIT server using a simple protocoll 
# - resembling NNTP as described in RFC977.

echononl "\t\tCPAN Wait only out"

if $allow_cpan_wait_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - HBCI only out (only forward)
# ---

echononl "\t\tHBCI only out (only forward)"

if $allow_hbci_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Jabber only out 
# ---

echononl "\t\tJabber only out"

if $allow_jabber_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Silc only out 
# ---

echononl "\t\tSilc only out"

if $allow_silc_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - IRC (Internet Relay Chat) only out 
# ---

echononl "\t\tIRC only out"

if $allow_irc_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - MySQL
# ---

echononl "\t\tMySQL (only OUT)"

if $allow_mysql_request_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - CUPS only between local Networks (IPP Port 631)
# ---

echononl "\t\tCUPS/IPP (Port 631) only between local Networks"

if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
   for _local_dev_1 in ${local_if_arr[@]} ; do
      for _local_dev_2 in ${local_if_arr[@]} ; do
         if ! $local_alias_interfaces ; then
            [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
         fi
         $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
      done

      if $local_alias_interfaces ; then
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
      fi

   done
   echo_done
else
   echo_skipped
fi


# ---
# - Druck Port 9100 (RAW) only out between local Networks
# ---

echononl "\t\tRAW Druck Port 9100 only between local Networks"

if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
   for _local_dev_1 in ${local_if_arr[@]} ; do
      for _local_dev_2 in ${local_if_arr[@]} ; do
         if ! $local_alias_interfaces ; then
            [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
         fi
         $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
      done

      if $local_alias_interfaces ; then
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
      fi

   done
   echo_done
else
   echo_skipped
fi


# ---
# - Druck LPD (Port 515) only out between local Networks
# ---

echononl "\t\tDruck LPD (Port 515) only between local Networks"

if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
   for _local_dev_1 in ${local_if_arr[@]} ; do
      for _local_dev_2 in ${local_if_arr[@]} ; do
         if ! $local_alias_interfaces ; then
            [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
         fi
         $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
      done

      if $local_alias_interfaces ; then
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
      fi

   done
   echo_done
else
   echo_skipped
fi


# ---
# - Printer
# ---

echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks"
if [[ ${#printer_ip_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding \
      && ! $permit_between_local_networks \
      && ! $allow_printing_between_local_nets ; then 
   for _ip in ${printer_ip_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT

         # - Note:
         # - If (local) alias interfaces like eth1:0 in use, youe need a further
         # - special rule.
         # -
         if $local_alias_interfaces ; then
            $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT

            $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT

            $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
         fi
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Scanner
# ---

echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks"

if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \
      && $kernel_activate_forwarding \
      && ! $permit_between_local_networks \
      && $allow_scanning_between_local_nets ; then 
   for _ip in ${brother_scanner_ip_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         # - UDP
         $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT
         # - TCP
         $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT

         # - Note:
         # - If (local) alias interfaces like eth1:0 in use, youe need a further
         # - special rule.
         # -
         if $local_alias_interfaces ; then
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT
         fi
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Special TCP Ports OUT
# ---

echononl "\t\tSpecial TCP Ports OUT"

if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then

	for _dev in ${ext_if_arr[@]} ; do
		for _port in ${tcp_out_port_arr[@]} ; do
			$ipt -A OUTPUT -o $_dev -p tcp --dport $_port  -m state --state NEW -j ACCEPT
			if $kernel_activate_forwarding ; then
				$ipt -A FORWARD -o $_dev -p tcp --dport $_port  -m state --state NEW -j ACCEPT
			fi
		done
	done

   echo_done
else
   echo_skipped
fi


# ---
# - Special UDP Ports OUT
# ---

echononl "\t\tSpecial UDP Ports OUT"

if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then

	for _dev in ${ext_if_arr[@]} ; do
		for _port in ${udp_out_port_arr[@]} ; do
			$ipt -A OUTPUT -o $_dev -p udp --dport $_port  -m state --state NEW -j ACCEPT
			if $kernel_activate_forwarding ; then
				$ipt -A FORWARD -o $_dev -p udp --dport $_port  -m state --state NEW -j ACCEPT
			fi
		done
	done

   echo_done
else
   echo_skipped
fi


# ---
# - Other local Services
# ---

echononl "\t\tOther local Services"

if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _val in ${other_service_arr[@]} ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

         # - Note:
         # - If (local) alias interfaces like eth1:0 in use, youe need a further
         # - special rule.
         # -
         if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then
            $ipt -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
         fi
      done
   done
   echo_ok
else
   echo_skipped
fi


# ---
# - Rsync only Out Gateway 
# ---

echononl "\t\tRsync (only OUT) Gateway"

if $local_rsync_out ; then
   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${rsync_port_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Rsync only Out from given local machines
# ---

echononl "\t\tRsync Out from given local machines"

if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! $permit_local_net_to_inet; then
   for _port in ${rsync_port_arr[@]} ; do
      for _ip in ${rsync_out_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - SNMP Services local Networks
# ---

echononl "\t\tSNMP Services local Networks"

if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then
   for _ip in ${snmp_server_ip_arr[@]} ; do
      $ipt -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT
            $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - WakeOnLan only out into local Networks
# ---

echononl "\t\tWakeOnLan only out into local Networks"
$ipt -A OUTPUT -p udp --dport 9 -j ACCEPT
echo_done


# ---
# - NFS Service (portmapper, mountd, nfs)
# ---

if $terminal; then
   echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
   echo -e "\033[75G[ \033[37mskipped\033[m ]"

   echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
   echo -e "\033[75G[ \033[37mskipped\033[m ]"

   echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
   echo -e "\033[75G[ \033[37mskipped\033[m ]"

   echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
   echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
   echo "NFS Service - Not yet implemented"
   echo "VoIP - Not yet implemented"
   echo "Sip - Not yet implemented"
   echo "Skype - Not yet implemented"
fi


# ---
# - PowerChute Network Shutdown local Network
# ---

echononl "\t\tPowerChute Network Shutdown local Network"

if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then

   for _ip in ${pcns_server_ip_arr[@]} ; do
      if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then
         $ipt -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
      fi

      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         $ipt -A FORWARD -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
      fi

      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Ubiquiti Unifi Controller Gateway
# ---


echononl "\t\tUbiquiti Unifi Controller Gateway"
if $local_unifi_controller_service ; then
   for _dev in ${local_if_arr[@]} ; do
      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT

      $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT

   done
   echo_done
else
   echo_skipped
fi


echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs"
if $local_unifi_controller_service ; then

   if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then

      for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do

         $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT

      done

      echo_done
   else
      echo_skipped
      warn "Local Unifi Controller is defined, but no Unifi APs!"
   fi
else
   echo_skipped
fi


# ---
# - Ubiquiti Unifi Controller local Network
# ---

echononl "\t\tUbiquiti Unifi Controller local Network"
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
   && $kernel_activate_forwarding \
   && ! $permit_between_local_networks ; then

   for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT

         $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
      done

      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
      fi

   done

   echo_done
else
   echo_skipped
fi


# ---
# - IPMI Tools (e.g. IPMIView) only out
# ---

echononl "\t\tIPMI Tools (e.g. IPMIView) only out"

if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then
   for _dev in ${ext_if_arr[@]} ; do

      for _port in ${ipmi_udp_port_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${ipmi_tcp_port_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done

      if $kernel_activate_forwarding ; then
         
         for _port in ${ipmi_udp_port_arr[@]} ; do
            $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         for _port in ${ipmi_tcp_port_arr[@]} ; do
            $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - IPMI Tools (e.g. IPMIView) local Networks
# ---

echononl "\t\tIPMI Tools (e.g. IPMIView) local Networks"

if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${ipmi_server_ip_arr[@]} ; do

      for _port in ${ipmi_udp_port_arr[@]} ; do
         $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${ipmi_tcp_port_arr[@]} ; do
         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _port in ${ipmi_udp_port_arr[@]} ; do
            $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
         for _port in ${ipmi_tcp_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # -
         if $local_alias_interfaces ; then
            for _port in ${ipmi_udp_port_arr[@]} ; do
               $ipt -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT
            done
            for _port in ${ipmi_tcp_port_arr[@]} ; do
               $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
               $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
            done
         fi
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Remote Console (VNC) only out
# ---

echononl "\t\tRemote Console (VNC) only out"

if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT

      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Remote Console (VNC) local Networks
# ---

echononl "\t\tRemote Console (VNC) local Networks"


if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${rm_server_ip_arr[@]} ; do

      $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
      
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # -
         if $local_alias_interfaces ; then
            $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
         fi
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Remote Console (VNC) DMZ
# ---

echononl "\t\tRemote Console (VNC) DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr

if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
   for _ip in ${!rm_server_dmz_arr[@]} ; do

      # - Skip if no interface is given
      # -
      if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then
         no_if_for_ip_arr+=("$_ip")
         continue
      fi

      # - From Gateway
      $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT

      if $kernel_activate_forwarding ; then

         # - From extern

         # - Nat if interface is on a dsl line
         # -
         if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
            $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port
         fi
         $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port  -m conntrack --ctstate NEW -j ACCEPT

         # - From intern
         if ! $permit_between_local_networks ; then
            for _dev in ${local_if_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
            done
         fi

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # -
         if $local_alias_interfaces ; then
            $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
            $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
         fi
      fi
   done

   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
      echo_warning
      for _ip in ${no_if_for_ip_arr[@]} ; do
         warn "No Interface given for ip '$_ip'"
      done
   else
      echo_done
   fi

else
   echo_skipped
fi


# ---
# - Munin Service Gateway
# ---

echononl "\t\tMunin Service Gateway"

if $local_munin_server ; then

   if $provide_munin_service_to_inet ; then
      # - Provide Service for local and extern networks
      # -
      $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
   else
      # - Provide Service only for for local network
      # -
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Munin Service local Networks
# ---

echononl "\t\tMunin Service local Networks"
if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${munin_local_server_ip_arr[@]} ; do
      $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT

      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            if ! $permit_between_local_networks ; then
               $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
            fi
         done
      fi

      # - Rule is needed if (local) interface aliases in use (like eth0:1)
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
      fi

   done

   echo_done
else
   echo_skipped
fi


# ---
# - Munin remote Server
# ---

echononl "\t\tMunin remote Server"

if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then

   for _ip in ${!munin_local_client_ip_arr[@]} ; do
      if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then
         $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port  -m conntrack --ctstate NEW -j ACCEPT
      elif $kernel_activate_forwarding ; then
         $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port
         $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi


# ---
# - XyMon local service
# ---

echononl "\t\tXyMon Service Gateway"

if $local_xymon_server ; then
   for _dev in ${local_if_arr[@]} ; do
      $ipt -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - XyMon Service Intranet
# ---

echononl "\t\tXyMon Service Intranet"

if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${xymon_server_ip_arr[@]} ; do
      if $local_xymon_client ; then
         $ipt -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
      fi
      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
         for _dev in ${local_if_arr[@]} ; do
            $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      # - Rule is needed if (local) interface aliases in use (like eth0:1)
      # -
      if $kernel_activate_forwarding && $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT
      fi
   done

   echo_done
else
   echo_skipped
fi



# -------------
# --- Portforwarding
# -------------

# ---
# - Portforwarding TCP
# ---

echo
echononl "\tPortforwarding TCP"

if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _val in "${portforward_tcp_arr[@]}" ; do

      # - Split value
      # -
      IFS=':' read -a _val_arr <<< "${_val}"

      # - DNAT
      # -
      $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]}

      # - Allow Packets
      # -
      $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT

   done
   echo_done
else
   echo_skipped
fi


# ---
# - Portforwarding UDP
# ---

echononl "\tPortforwarding UDP"

if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _val in "${portforward_udp_arr[@]}" ; do

      # - Split value
      # -
      IFS=':' read -a _val_arr <<< "${_val}"

      # - DNAT
      # -
      $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]}

      # - Allow Packets
      # -
      $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT

   done
   echo_done
else
   echo_skipped
fi


# ---
# - UNIX Traceroute
# ---

echo
echononl "\tUNIX Traceroute"

#   versendet udp packete im gegensatz zu tracert von windows
#   der icmp-echo-request pakete versendet
#   einige implementierungen von traceroute (linux) erm�lichens
#   die option -I und versenden dann ebenfalls icmp-echo-request pakete

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
      $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   fi
done

echo_done


# -------------
# --- ICMP Traffic (i.e. ping requests)
# -------------

echononl "\tPermit all ICMP traffic.."
if $permit_all_icmp_traffic ; then
   $ipt -A INPUT -p icmp -j ACCEPT
   $ipt -A OUTPUT -p icmp -j ACCEPT
   $ipt -A FORWARD -p icmp -j ACCEPT
   echo_done
else
   echo_skipped
fi



# ---
# - Deny between local networks
# ---

echo
echononl "\tDeny all traffic between local networks.."
if $kernel_activate_forwarding ; then
   if ! $permit_between_local_networks ; then
      for _dev_1 in ${local_if_arr[@]} ; do
         for _dev_2 in ${local_if_arr[@]} ; do
            if $log_rejected || $log_all ; then
               $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level
            fi
            $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP
         done
      done
      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi


# -------------
# --- Log traffic not matched so far
# -------------
echo

echononl "\tLog traffic not matched so far.."
if $log_rejected || $log_all ; then
   $ipt -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
   $ipt -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
   $ipt -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
   #$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: "  --log-level $log_level
   #$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
   #$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
   echo_done
else
   echo_skipped
fi



# -------------
# --- DROP traffic not matched so far
# -------------
echononl "\tDROP traffic not matched so far.."

# - drop all other for all interfaces..
#
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP
#
# ---------- Ende: DROP ----------

echo_done


# ---
# - Warning, if no intern (local) interface is configured
# ---

if [[ ${#local_if_arr[@]} -lt 1 ]] ; then
   echo ""
   echo ""
   if $terminal ; then
      echo -e "\t\033[33m\033[1m----------\033[m"
   else
      echo "----------"
   fi
   warn "No local Interface is configured!"
   if $terminal ; then
      echo -e "\t\033[33m\033[1m----------\033[m"
   else
      echo "----------"
   fi
fi

echo
exit 0

