#!/usr/bin/env bash


# -------------
# - Settings
# -------------

ipt_conf_dir="/etc/ipt-firewall"

inc_functions_file="${ipt_conf_dir}/include_functions.conf"

conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"


ipt="$(command -v iptables 2>/dev/null)"

if [[ -z "$ipt" ]] ; then
   echo ""
   echo -e "\tiptables was not found on this server!"
   echo
   echo -e "\tFirewall Script was stopped!"
   echo
   exit 1
fi


# -------------
# - Load Default Settings and Functions
# -------------

if [[ ! -f "$conf_default_settings" ]]; then
   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
else
   source $conf_default_settings
fi

if [[ ! -f "$inc_functions_file" ]] ; then
   echo ""
   echo -e "\tMissing include file '$inc_functions_file'"
   echo
   echo -e "\tFirewall Script was stopped!"
   echo
   exit 1
else
   source $inc_functions_file
fi


# -------------
# - Some checks and preloads..
# -------------

# --- Debian 12/13: enforce iptables-nft backend (nf_tables) and prevent legacy/nft mix
if ! "$ipt" --version 2>/dev/null | grep -q "nf_tables"; then
   echo ""
   echo "ERROR: Your iptables is NOT using nf_tables backend (iptables-nft)."
   echo "This script expects iptables-nft on Debian 12/13 to avoid legacy/nft mixed rules."
   echo ""
   echo "Fix (on the host, as root):"
   echo "  update-alternatives --set iptables  /usr/sbin/iptables-nft"
   echo "  update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
   echo ""
   echo "Current: $($ipt --version 2>/dev/null || echo 'unknown')"
   exit 1
fi


# -------------
# --- Ensure required modules for this script (best effort; host-side in containers)
# -------------

echo
echononl "\tEnsure required modules are loaded.."
if is_container ; then
   echo_skipped
else

   ensure_mod nf_conntrack
   ensure_mod nf_nat
   ensure_mod nf_conntrack_ftp
   ensure_mod nf_nat_ftp
   ensure_mod xt_recent
   ensure_mod xt_hashlimit
   ensure_mod xt_connlimit
   ensure_mod xt_owner
   ensure_mod xt_helper
   ensure_mod br_netfilter

   echo_done
fi


# --- Security hardening / predictable conntrack behavior:
# Disable automatic conntrack helper assignment (keep explicit CT --helper rules)
if ! is_container ; then
	sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true
fi

if [[ ! -f "$conf_logging" ]]; then
   fatal "Missing configuration for logging - file '$conf_logging'"
else
   source $conf_logging
fi

if [[ ! -f "$conf_interfaces" ]]; then
   fatal "Missing interface configurations  - file '$conf_interfaces'"
else
   source $conf_interfaces
fi

if [[ ! -f "$conf_main" ]]; then
   fatal "Missing main configurations  - file '$conf_main'"
else
   source $conf_main
fi

if [[ ! -f "$conf_post_declarations" ]]; then
   fatal "Missing post declarations  - file '$conf_post_declarations'"
else
   source $conf_post_declarations
fi



echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
echo



# -------------
# --- Activate IP Forwarding
# -------------

## - IP Forwarding deaktivieren.
## -
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
## -
## - Only needed, if hosts acts as a router.
## -
if $kernel_activate_forwarding ; then
   echo 1 > /proc/sys/net/ipv4/ip_forward
   echononl "\tActivate Forwarding.."
   echo_done
else
   echo 0 > /proc/sys/net/ipv4/ip_forward
   echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
   echo_done
fi

if $kernel_support_dynaddr ; then
   echononl "\tActivate kernel support for dynamic addresses.."
   if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
      echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
      echo_done
   else
      echo_failed
   fi
else
   echo 0 > /proc/sys/net/ipv4/ip_dynaddr
   echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
   echo_done
fi


# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------

echo ""
echononl "\tAdjust Kernel Parameters (Security/Tuning).."

if ! is_container ; then
   ## - Reduce DoS'ing ability by reducing timeouts
   ## -
   if $kernel_reduce_timeouts ; then
      echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
      echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
      echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
      echo 0 > /proc/sys/net/ipv4/tcp_sack
   fi


   ## - SYN COOKIES
   ## -
   if  $kernel_tcp_syncookies ; then
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
      echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
      echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
   fi

   ## - Protection against ICMP bogus error responses
   ## -
   if $kernel_protect_against_icmp_bogus_messages ; then
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   fi

   ## - Ignore Broadcast Pings
   ## -
   if $kernel_ignore_broadcast_ping ; then
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   fi

   ## - Deactivate Source Routed Packets
   ## -
   if $kernel_deactivate_source_route ; then
      for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
         echo 0 > $asr
      done
   fi

   ## - Deactivate sending ICMP redirects
   ## -
   if $kernel_dont_accept_redirects ; then
      for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
         echo 1 > $rp_filter
      done
   fi

   ## - Logging of spoofed (source routed" and "redirect") packets
   ## -
   if $kernel_log_martians ; then
      echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
   fi

   ## - Keine ICMP Umleitungspakete akzeptieren.
   ## -
   ## - Diese können zur Veränderung der Routing Tables verwendet
   ## - werden, möglicherweise mit einem böswilligen Ziel.
   ## -
   #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

   ## - NUMBER OF CONNECTIONS TO TRACK
   ## -
   #echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

   echo_done # Adjust Kernel Parameters (Security/Tuning)
else
   echo_skipped
fi


# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------

echo
echononl "\tDo not firewall bridged / LX Gust System traffic"

if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then

   if ! is_container; then

      _done=false

      for _dev in ${ext_if_arr[@]} ; do

         # Try to detect  virtual interfaces (veth*)) and the master interface 
         # of the given bridge  dynamically
         #
         #     ports="$(get_bridge_ports "$br")"
         #
         # or directly here:
         #
         # ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
         #
         #     ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
         #
         ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"

         for _port in $ports ; do
            $ipt -A FORWARD -i "${_port}" -j ACCEPT
            $ipt -A FORWARD -o "${_port}" -j ACCEPT
            _done=true
         done

      done

      if ! ${_done} ; then
         $ipt -A FORWARD -i veth+ -j ACCEPT
         $ipt -A FORWARD -o veth+ -j ACCEPT
      fi

      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi


echononl "\tIPv4: bypass host filtering for container ports.."
if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then

   if ! is_container; then

      _bridge_sysctl_ok=true

      # IPv4: if you keep the sysctl bypass (recommended if it's working)
      sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false

      if ${_bridge_sysctl_ok} ; then
         echo_done
      else
         echo_failed
      fi

   else
      echo_skipped
   fi
fi


# ------------- Fail2ban handling (do not stop/start; keep bans stable) -------------
echo
echononl "\tCheck presence and configuration of Fail2ban .."
echo_done
if ! has_fail2ban ; then
   warn "Fail2ban is not installed.."
elif ! fail2ban_running ; then
   warn "Fail2ban is installed but not running.."
else
   CURRENT_BANACTION=$(grep -E '^\s*banaction\s*=' "$FAIL2BAN_CONFIG_FILE" | head -1 | tr -d ' ' | cut -d'=' -f2)
   if [[ -n ${CURRENT_BANACTION} ]] ; then
      if [ "$CURRENT_BANACTION" = "nftables" ]; then
         info "Fail2ban is running, banaction is et to nftables."
      else
         warn "Change banaction from ${CURRENT_BANACTION} to \033[1mbanaction=nftables\033[m"
      fi
   else
      warn "banaction seems not to be configured. Take care that \033[1mbanaction=nftables\033[m"
   fi
   FAIL2BAN_WAS_RUNNING=true
fi
#
# ------------- Ende: Fail2ban handling (do not stop/start; keep bans stable) -------------


# -------------
# --- Set default policies / Flush Rules
# -------------


echo
echononl "\tFlushing firewall iptable (IPv4).."

# - default policies
# -
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT

## - flush chains
## -
$ipt -F
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -F -t mangle
$ipt -F -t nat
$ipt -F -t raw
$ipt -X
$ipt -Z

echo_done # Flushing firewall iptable (IPv6)..
echo


echononl "\tMasquerade (NAT) interfaces.."
if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
   for _dev in ${nat_device_arr[@]} ; do
      $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
   done
   echo_done
else
   echo_skipped
fi
echo



# -------------
# ---- Log given IP Addresses
# -------------

echononl "\tLog given IPv4 Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${log_ip_arr[@]} ; do
      $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: "
   $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: "
      $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: "
      $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: "
   done

   echo_done
else
   echo_skipped
fi



# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------

case $1 in
   flush)
      echo
      echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m"
      echo
      exit 0;;
esac


# ---
# - Permit all traffic through WireGuard lines
# ---
echononl "\tPermit all traffic through WireGuard lines.."
for _wg_if in ${wg_if_arr[@]} ; do
   $ipt -A INPUT -i $_wg_if -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -i $_wg_if -j ACCEPT
   fi
done
echo_done


# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
   $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
   fi
done
echo_done



# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------

echononl "\tPass through Devices (not firewalled)"
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
   for _dev in ${unprotected_if_arr[@]} ; do
      if $log_unprotected || $log_all ; then
         $ipt -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
   $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
         $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
         $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
      fi
      $ipt -t mangle -A PREROUTING -i $_dev -j ACCEPT
   $ipt -A OUTPUT -o $_dev -j ACCEPT
      $ipt -A INPUT -i $_dev -j ACCEPT
      $ipt -A FORWARD -o $_dev -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Allow Forwarding certain private Addresses
# ---

echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${forward_private_ip_arr[@]}; do
      # NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through).
      if $log_forwarding_priv_ip || $log_all ; then
         $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
         $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
      fi
      $ipt -A FORWARD -d $_ip -j ACCEPT
      $ipt -A FORWARD -s $_ip -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."


# ---
# - Block IPs
# ---

for _ip in $blocked_ips ; do
   for _dev in ${ext_if_arr[@]} ; do
      if $log_blocked_ip || $log_all ; then
         $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
         fi
      fi
      $ipt -A INPUT -i $_dev -s $_ip -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -s $_ip -j DROP
      fi
   done
done


# ---
# - Block Interfaces
# ---

for _if in ${blocked_if_arr[@]} ; do
   if $log_blocked_if || $log_all ; then
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
         $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
      fi
      $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
   $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
   fi
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -i $_if -j DROP
      $ipt -A FORWARD -o $_if -j DROP
   fi
   $ipt -A INPUT -i $_if -j DROP
   $ipt -A OUTPUT -o $_if -j DROP
done

echo_done # Block IPs / Networks / Interfaces..



# ---
# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
# ---

echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."

if [[ -f "$conf_ban_ipv4_list" ]] ; then

   declare -a octets
   declare -i index

   while IFS='' read -r _line || [[ -n $_line ]] ; do

      is_valid_ipv4=true
      is_valid_mask=true
      ipv4=""
      mask=""

      # Ignore comment lines
      #
      [[ $_line =~ ^[[:space:]]{0,}# ]] && continue

      # Ignore blank lines
      #
      [[ $_line =~ ^[[:space:]]*$ ]] && continue

      # Remove leading whitespace characters
      #
      _line="${_line#"${_line%%[![:space:]]*}"}"


      # Catch IPv4 Address
      #
      given_ipv4="$(echo  $_line | cut -d ' ' -f1)"


      # Splitt Ipv4 address from possible given CIDR number
      #
      IFS='/' read -ra _addr <<< "$given_ipv4"
      _ipv4="${_addr[0]}"

      if [[ -n "${_addr[1]}" ]] ; then
         _mask="${_addr[1]}"
         test_netmask=false

         # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
         #
         if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then

            # Its not a vaild mask number, but naybe a valit netmask.
            #
            test_netmask=true
         else
            if [[ $_mask -gt 32 ]]; then

               # Its not a vaild cidr number, but naybe a valit netmask.
               #
               test_netmask=true
            else

               # OK, we have a vaild cidr number between '0' and '32'
               #
               mask=$_mask
            fi
         fi

         # Test if given '_mask' is a valid netmask.
         #
         if $test_netmask ; then
            octets=( ${_mask//\./ } )

            # Complete netmask if necessary
            #
            while [[ ${#octets[@]} -lt 4 ]]; do
               octets+=(0)
            done

            [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false

            index=0
            for octet in ${octets[@]} ; do
               if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
                  if [[ $octet -gt 255 ]] ; then
                     is_valid_mask=false
                  fi
                  if [[ $index -gt 0 ]] ; then
                     mask="${mask}.${octet}"
                  else
                     mask="${octet}"
                  fi

               else
                  is_valid_mask=false
               fi

               ((index++))
            done
         fi

         adjust_mask=false
      else
         mask=32
         adjust_mask=true
      fi

      # Splitt given address into their octets
      #
      octets=( ${_ipv4//\./ } )

      # Complete IPv4 address if necessary
      #
      while [[ ${#octets[@]} -lt 4 ]]; do
         octets+=(0)

         # Only adjust CIDR number if not given
         #
         if $adjust_mask ; then
            mask="$(expr $mask - 8)"
         fi
      done

      # Pre-check if given IPv4 Address seems to be a valid address
      #
      [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false

      # Check if given IPv4 Address is a valid address
      #
      if $is_valid_ipv4 ; then
         index=0
         for octet in ${octets[@]} ; do
            if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
               if [[ $octet -gt 255 ]] ; then
                  is_valid_ipv4=false
               fi
               if [[ $index -gt 0 ]] ; then
                  ipv4="${ipv4}.${octet}"
               else
                  ipv4="${octet}"
               fi

            else
               is_valid_ipv4=false
            fi

            ((index++))
         done
      fi

      if $is_valid_ipv4 && $is_valid_mask; then

         _ip="${ipv4}/${mask}"

         if containsElement "$_ip"  "${ban_ipv4_arr[@]}" ; then
            continue
         fi

         for _dev in ${ext_if_arr[@]} ; do
            if $log_blocked_ip || $log_all ; then
               $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:"
               if $kernel_activate_forwarding ; then
                  $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::"
               fi
            fi
            $ipt -A INPUT -i $_dev -s $_ip -j DROP
            if $kernel_activate_forwarding ; then
               $ipt -A FORWARD -i $_dev -s $_ip -j DROP
            fi
         done

         ban_ipv4_arr+=("$_ip")

      else
         msg="$msg '${given_ipv4}'"
      fi

   done < "$conf_ban_ipv4_list"
   echo_done

   if [[ -n "$msg" ]]; then
      warn "Ignored:$msg"
   fi
else
   echo_skipped
fi



# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m"


# ---
# - Drop invalid packets
# ---

echononl "\tDrop invalid packets"
if $log_invalid_packets|| $log_all ; then
   $ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j  $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:"
fi
$ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
echo_done


# ---
# Drop TCP packets that are new and are not SYN
# ---

echononl "\tDrop TCP packets that are new and are not SYN"
if $log_new_not_sync || $log_all  ; then
   $ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi
$ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
echo_done


# ---
# - Drop SYN packets with suspicious MSS value
# ---

echononl "\tDrop SYN packets with suspicious MSS value"
if $log_syn_with_suspicious_mss || $log_all  ; then
   $ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:"
fi
$ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
echo_done


# ---
# - Block packets with bogus TCP flags
# ---

echononl "\tBlock packets with bogus TCP flags"
if $log_invalid_flags || $log_all ; then
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
   $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
echo_done


# ---
# - Block spoofed (own ip) packets
# ---

echononl "\tBlock spoofed (own ip) packets"
if $log_spoofed || $log_all ; then
   for _ip in ${ext_ip_arr[@]} ; do
      $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
   done
fi
for _ip in ${ext_ip_arr[@]} ; do
   $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP
done
echo_done


# ---
# - Block spoofed (private/reserved) packets
# ---

echononl "\tBlock spoofed (private/reserved) packets"
for _dev in ${ext_if_arr[@]} ; do
   if $log_spoofed || $log_all ; then
      $ipt -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix link local block: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix TEST-NET-1: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix THIS NET: "
      $ipt -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
   fi
done

if $log_spoofed || $log_all ; then
   $ipt -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi

for _dev in ${ext_if_arr[@]} ; do
   $ipt -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j DROP
   $ipt -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j DROP
done
$ipt -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j DROP
echo_done


# ---
# - Drop fragments in all chains
# ---

echononl "\tDrop fragments in all chains"
if $log_fragments || $log_all ; then
   /sbin/iptables -t mangle -A PREROUTING -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
fi
/sbin/iptables -t mangle -A PREROUTING -f -j DROP
echo_done


# ---
# - Drop ICMP all ICMP traffic (you usually don't need this protocol)
# ---

echononl "\tDrop all ICMP traffic.."
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
   if $log_rejected || $log_all ; then
      $ipt -t mangle -A PREROUTING -p icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
   fi
   $ipt -t mangle -A PREROUTING -p icmp -j DROP
   echo_done
else
   echo_skipped
fi


# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------

[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false

echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
   for _dev in ${ext_if_arr[@]} ; do

      if $log_mndp || $log_all ; then
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
         $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
            $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
         fi
      fi
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
      $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
         $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
      fi

   done
   echo_done
else
   echo_skipped
fi


# -------------
# --- Drop Multicast DNS Traffic
# -------------

[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false

echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
   for _dev in ${ext_if_arr[@]} ; do
      if $log_mdns || $log_all ; then
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
         $ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
            $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
         fi
      fi
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
      $ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
         $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Don't allow spoofing from that server
# ---

echo ""
echononl "\tDon't allow spoofing out from this server"
for _dev in ${ext_if_arr[@]} ; do
   if $log_spoofed_out || $log_all ; then
   $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
   $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
   $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
   $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
   $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
   $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
   $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
         $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
         $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
         $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:"
         $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:"
         $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:"
         $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
      fi
   fi
   $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
   $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
   $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
   $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j DROP
   $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j DROP
   $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j DROP
   $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
      $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
      $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
      $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j DROP
      $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j DROP
      $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j DROP
      $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
   fi
done
echo_done


# -------------
# --- Traffic generally allowed
# -------------

echo
echononl "\tLoopback device generally allowed.."

# ---
# - Loopback device
# ---

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

echo_done


# ---
# - Already established connections
# ---

echononl "\tAccept already established connections.."

$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   $ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

if $kernel_activate_forwarding ; then
   $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
fi

echo_done


# ---
# - Protection against syn-flooding
# ---

echo
echononl "\tProtection against syn-flooding"
if $protection_against_syn_flooding ; then
   $ipt -N syn-flood
   $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
   if $log_syn_flood || $log_all ; then
      $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
   fi
   $ipt -A syn-flood -j DROP
   echo_done
else
   echo_skipped
fi


# ---
# - Protection against port scanning
# ---

echononl "\tProtection against port scanning"
if $protection_against_port_scanning ; then
   $ipt -N port-scanning
   $ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
   if $log_port_scanning || $log_all ; then
      $ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
   fi
   $ipt -A port-scanning -j DROP
   echo_done
else
   echo_skipped
fi


# ---
# - Protection against SSH brute-force attacks
# ---

echononl "\tProtection against SSH brute-force attacks"
if $protection_against_ssh_brute_force_attacks ; then
   if can_use_recent ; then
         $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
      if $log_ssh_brute_force || $log_all ; then
         $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
      fi
      $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
   else
      if can_use_hashlimit ; then
         warn "xt_recent not available; using hashlimit fallback for SSH brute-force protection."
         if $log_ssh_brute_force || $log_all ; then
            $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \
               -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \
               --hashlimit-name sshbf --hashlimit-htable-expire 60000 \
               -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
         fi
         $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \
            -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \
            --hashlimit-name sshbf --hashlimit-htable-expire 60000 \
            -j DROP
      else
         warn "Neither xt_recent nor xt_hashlimit available; using simple global limit fallback for SSH brute-force protection."
         if $log_ssh_brute_force || $log_all ; then
            $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \
               -m limit --limit 10/min --limit-burst 10 \
               -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force (limit fallback):"
         fi
         $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \
            -m limit --limit 10/min --limit-burst 10 \
            -j DROP
      fi
   fi

echo_done
else
   echo_skipped
fi


# ---
# - Limit connections per source IP
# ---

echononl "\tLimit connections per source IP"
if $limit_connections_per_source_IP ; then

   if ! is_number $per_IP_connection_limit ; then
      per_IP_connection_limit=$default_per_IP_connection_limit
   fi

   if can_use_connlimit ; then

      if $log_rejected || $log_all ; then

         $ipt -A INPUT -p tcp --syn \
            -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
            -j $LOG_TARGET  $tag_log_prefix "$log_prefix CONN limit per IP:"

      fi

      $ipt -A INPUT -p tcp --syn \
         -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \
         -j REJECT --reject-with tcp-reset

   else
      warn "xt_connlimit not available; using fallback for per-source limiting (approximate)."

      if can_use_hashlimit ; then
         # Fallback: rate-limit new SYNs per source IP (not the same as concurrent connlimit, but protective)
         if $log_rejected || $log_all ; then
            $ipt -A INPUT -p tcp --syn \
               -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \
               --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \
               -j $LOG_TARGET  $tag_log_prefix "$log_prefix CONN limit per IP (hashlimit fallback):"
         fi

         $ipt -A INPUT -p tcp --syn \
            -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \
            --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \
            -j REJECT --reject-with tcp-reset
      else
         warn "No xt_connlimit and no xt_hashlimit available; skipping per-source connection limiting."
      fi
   fi

   echo_done
else
   echo_skipped
fi
#
#
# ---
# - Limit RST packets
# ---

echononl "\tLimit RST packets"

# ---
# Ersatzlos gestrichen
# ---
echo_skipped


#if $limit_rst_packets ; then
#
#   $ipt -A INPUT -p tcp --tcp-flags RST RST \
#      -m limit --limit 2/s --limit-burst 2 -j ACCEPT
#
#   if $log_rejected || $log_all ; then
#      $ipt -A INPUT -p tcp --tcp-flags RST RST \
#         -m limit --limit 2/s --limit-burst 2 \
#         -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
#   fi
#   $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
#   echo_done
#else
#   echo_skipped
#fi


# ---
# - Limit new TCP connections per second per source IP
# ---

echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)"

if $limit_new_tcp_connections_per_seconds_per_source_IP \
      && [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then

   #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

   # Rate-Limit für neue SYNs auf 443 pro IP
   if can_use_hashlimit ; then
   $ipt -A INPUT -p tcp --syn \
      -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
      -m hashlimit --hashlimit-name syn_multi_v4 \
      --hashlimit 30/second --hashlimit-burst 60 \
      --hashlimit-mode srcip --hashlimit-srcmask 32 \
      -j ACCEPT

   if $log_rejected || $log_all ; then

      #  rate-limited logging für Überschreiter
      $ipt -A INPUT -p tcp --syn \
         -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
         -m hashlimit --hashlimit-name syn_multi_v4_log  \
         --hashlimit 2/second --hashlimit-burst 10 \
         --hashlimit-mode srcip --hashlimit-srcmask 32 \
         -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):"

   fi
else
   warn "xt_hashlimit not available; using simple global limit fallback for SYN rate limiting (multiport)."
   $ipt -A INPUT -p tcp --syn \
      -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \
      -m limit --limit 30/second --limit-burst 60 \
      -j ACCEPT
fi


   #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

   $ipt -A INPUT -p tcp --syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports -j DROP


   echo_done
else
   echo_skipped
fi


# ---
# - Use SYNPROXY on all ports (disables connection limiting rule)
# ---

#echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)"
#$ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
#$ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
#echo_done



# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------

case $1 in
   sto*)
      #echononl "Stopping firewall iptable (IPv4).."
      echo
      echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
      echo
      exit 0;;
esac


echo

# -------------
# --- Traffic Counter (used by munin)
# -------------

echononl "\tCreate Traffic Counter (used by munin)"
if $create_traffic_counter ; then
   for _ip in ${ext_ip_arr[@]} ; do
      $ipt -A INPUT -d $_ip
      $ipt -A INPUT -s $_ip
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -d $_ip
         $ipt -A FORWARD -s $_ip
      fi
   done
   echo_done
else
   echo_skipped
fi


# -------------
# --- iPerf
# -------------

# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.

echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
   $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT
   $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT
   #
   $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT
   $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT
      $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT
   fi
   echo_done
else
   echo_skipped
fi


# -------------
# --- Generally prohibited
# -------------

echononl "\tGenerally prohibited traffic.."

for _dev in ${ext_if_arr[@]} ; do
   if $log_prohibited || $log_all ; then
      for _port in ${block_tcp_port_arr[@]} ; do
         $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
      done
      if $kernel_activate_forwarding ; then
         for _port in ${block_tcp_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
         done
         for _port in ${block_udp_port_arr[@]} ; do
            $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
         done
      fi
   fi
   for _port in ${block_tcp_port_arr[@]} ; do
      $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP
   done
   for _port in ${block_udp_port_arr[@]} ; do
      $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP
   done
   if $kernel_activate_forwarding ; then
      for _port in ${block_tcp_port_arr[@]} ; do
         $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
      done
      for _port in ${block_udp_port_arr[@]} ; do
         $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP
      done
   fi
done

echo_done
echo

# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------

echononl "\tRestrict local Service to given (extern) IP-Address/Network"
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then

   _deny_service_arr=()

   for _val in "${restrict_local_service_to_net_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"

      for _dev in ${ext_if_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j ACCEPT

         if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
            _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}")
         fi

      done

   done

   for _val in "${_deny_service_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
   done

   echo_done
else
   echo_skipped
fi


# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then

   _deny_net_arr=()

   for _val in "${restrict_local_net_to_net_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      for _dev in ${ext_if_arr[@]} ; do
         $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT

         if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
            _deny_net_arr+=("${_dev}:${_val_arr[1]}")
         fi

      done

   done

   for _val in "${_deny_net_arr[@]}" ; do
      IFS=':' read -a _val_arr <<< "${_val}"
      $ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
   done

   echo_done
else
   echo_skipped
fi

echo


# ---
# - LOG CGI script Traffic out
# ---

echo
echononl "\tLOG CGI/PHP traffic out."

if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then
   if can_use_owner ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _user in ${cgi_script_user_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: "
         done
      done
      echo_done
   else
      warn "owner/xt_owner match not available; skipping CGI/PHP uid-based OUTPUT logging."
      echo_skipped
   fi
else
   echo_skipped
fi
echo


# -------------
# --- Allow all outgoing traffic
# -------------
echononl "\tAllow all outgoing traffic.."
if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
   for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Don't allow traffic into private networks
# ---

echo ""
echononl "\tDon't allow traffic into private anetworks"
for _dev in ${ext_if_arr[@]} ; do
   if $log_private_network_out || $log_all ; then
   $ipt -A OUTPUT -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:"
   $ipt -A OUTPUT -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:"
   $ipt -A OUTPUT -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:"
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:"
         $ipt -A FORWARD -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:"
         $ipt -A FORWARD -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:"
      fi
   fi
   $ipt -A OUTPUT -o $_dev -d $priv_class_a -j DROP
   $ipt -A OUTPUT -o $_dev -d $priv_class_b -j DROP
   $ipt -A OUTPUT -o $_dev -d $priv_class_c -j DROP
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -d $priv_class_a -j DROP
      $ipt -A FORWARD -o $_dev -d $priv_class_b -j DROP
      $ipt -A FORWARD -o $_dev -d $priv_class_c -j DROP
   fi
done
echo_done


# -------------
# --- Services
# -------------

echo
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"


# -------------
# ---- Allow extern Service
# -------------

echononl "\t\tAllow extern Service"

if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_ext_service_arr[@]}" ; do
         IFS=':' read -a _val_arr <<< "${_val}"
   $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# -------------
# ---- Allow extern IP-Address/Network
# -------------

echononl "\t\tAllow extern IP-Address/Network"

if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _net in "${allow_ext_net_arr[@]}" ; do
   $ipt -A OUTPUT -o $_dev -p all -d $_net -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi

echo


# -------------
# ---- Allow (non-standard) local Services
# -------------

echononl "\t\tAllow (non-standard) local Services"

if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_local_service_arr[@]}" ; do
         IFS=':' read -a _val_arr <<< "${_val}"
         $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# -------------
# ---- Allow local Services from given (extern) network
# -------------

echononl "\t\tAllow local Services from given (extern) network"

if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_local_service_from_network_arr[@]}" ; do
         IFS=':' read -a _val_arr <<< "${_val}"
         $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi

echo

echo


# ---
# - DHCP
# ---

echononl "\t\tDHCP Clients"

if [[ ${#dhcp_client_if_arr[@]} -gt 0 ]] ; then
   for _dev in ${dhcp_if_arr[@]} ; do
      # - out
   $ipt -A OUTPUT -p udp -o $_dev --dport 67 -d 0/0 --sport 1024:65535 -j ACCEPT
      # - in
      $ipt -A INPUT -p udp -i $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi

echononl "\t\tDHCP Server"

if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
   for _dev in ${dhcp_server_if_arr[@]} ; do
      # - in
      $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
      # - out
   $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi



# ---
# - DNS out only
# ---

echononl "\t\tDNS out only"

# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
   # - out from local and virtual mashine(s)
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT

   # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
   if $kernel_activate_forwarding ; then
      # - forward from virtual mashine(s)
      $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done



# ---
# - DNS Service
# ---

echononl "\t\tDNS Service"

if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${dns_server_ips[@]} ; do
         # dns requests
         #
         # Note:
         #    If the total size of the DNS record is larger than 512 bytes,
         #    it will be sent over TCP, not UDP.
         #
         $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
         # Zonetransfer
   $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_dns_server_ip_arr[@]} ; do
         # dns requests
         #
         # Note:
         #    If the total size of the DNS record is larger than 512 bytes,
         #    it will be sent over TCP, not UDP.
         #
         $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
         # Zonetransfer
         $ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi
   echo_done
else
   echo_skipped
fi


# ---
# - local Resolver"
# ---

echononl "\t\tlocal Resolver"
if [[ -n "$local_resolver_service" ]] && $local_resolver_service  ; then
   if [[ ${#resolver_allowed_network_arr[@]} -gt 0 ]] ; then
      for _net in ${resolver_allowed_network_arr[@]} ; do
         $ipt -A INPUT -p udp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p tcp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
      done
      echo_done
   else
      echo_failed
   fi
else
   echo_skipped
fi


# ---
# - SSH out only
# ---

echononl "\t\tSSH out only"

# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
   fi

   if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
      for _port in ${ssh_port_arr[@]} ; do

         [[ "$_port" = "$standard_ssh_port" ]] && continue
   $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT

         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         fi

      done
   fi

done

if [[ ${#local_if_arr[@]}  -gt 0 ]] ; then
   for _dev in ${local_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT

      if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
         for _port in ${ssh_port_arr[@]} ; do

            [[ "$_port" = "$standard_ssh_port" ]] && continue
   $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT

            if $kernel_activate_forwarding ; then
               $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
            fi
         done
      fi

   done
fi

echo_done


# ---
# - SSH Service
# ---

echononl "\t\tSSH Service"

if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${ssh_server_ip_arr[@]} ; do
         for _port in ${ssh_port_arr[@]} ; do
            $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_ssh_server_ip_arr[@]} ; do
         for _port in ${ssh_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - VPN
# ---

echononl "\t\tVPN Service only out"
if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then

   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${vpn_port_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p udp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi

echononl "\t\tVPN Services.."
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${vpn_server_ip_arr[@]} ; do
         for _port in ${vpn_port_arr[@]} ; do
            $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_vpn_server_ip_arr[@]} ; do
			for _port in ${vpn_port_arr[@]} ; do
         	$ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
			done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Wireguard
# ---

echononl "\t\tWireGuard Service only out"
if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then

   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${wireguard_out_port_port_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p udp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
      done
   done

   echo_done
else
   echo_skipped
fi

echononl "\t\tWireGuard Services.."
if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${wireguard_server_ip_arr[@]} ; do
         for _port in ${wireguard_server_ports[@]} ; do
            $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   if [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_wireguard_server_ip_arr[@]} ; do
			for _port in ${wireguard_server_ports[@]} ; do
         	$ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
			done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Rsync Out
# ---

echononl "\t\tRsync (only OUT)"

if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
      for _port in ${rsync_port_arr[@]} ; do

         for _ip in ${rsync_out_ip_arr[@]} ; do
   $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

      done
   fi

   if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _port in ${rsync_port_arr[@]} ; do

         for _ip in ${forward_rsync_out_ip_arr[@]} ; do
            $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Telnet
# ---

echononl "\t\tTelnet (only OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - MySQL
# ---

echononl "\t\tMySQL (only OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - Prometheus Monitoring - local Server
# ---

echononl "\t\tLocal Prometheus Service"

if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${prometheus_local_server_ip_arr[@]} ; do
   $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Prometheus Monitoring - local client
# ---

echononl "\t\tLocal Prometheus Client"

if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
   for _ip in ${prometheus_local_client_ip_arr[@]} ; do
      for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
          $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi
      

# ---
# - Munin remote service
# ---

echononl "\t\tMunin remote service"

if [ "X$munin_remote_ip" != "X" ]; then
   for _dev in ${ext_if_arr[@]} ; do
      $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
      if $kernel_activate_forwarding ; then
         $ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
      fi
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Munin local service
# ---

echononl "\t\tMunin local service"


if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${munin_server_ip_arr[@]} ; do
   $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_munin_server_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Mail (SMTP OUT)
# ---

echononl "\t\tMail (SMTP OUT)"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - Mail (additional smtp ports OUT)
# ---

echononl "\t\tMail (additional smtp ports OUT)"

if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then

   for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
      for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         fi
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Mail SMTP Server (Port 25) including Spam Control
# ---

echononl "\t\tMail SMTP Server (Port 25) including Spam Control"

if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then

      for _ip in ${smtpd_ips_arr[@]} ; do
         $ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
         #
         # Razor2  (TCP Port 2703)
   $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
         # DEPRECATED: TCP Port 7 (echo)
   $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
         #
         # Pyzor (UDP Port 24441 or  TCP Port 24441 or both ?)
   $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
         #
         # - DCC  (port udp:6277)
   $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277  -m conntrack --ctstate NEW  -j ACCEPT
         # if DCC Server is running (port tcp:6277)
         $ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
   $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
      done
   fi

   if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_smtpd_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
         #
         # Razor2  (TCP Port 2703)
         $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
         # DEPRECATED: TCP Port 7 (echo)
         $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
         #
         # Pyzor (UDP Port 24441 or  TCP Port 24441 or both ?)
         $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
         #
         # DCC  (port udp:6277)
         $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277  -m conntrack --ctstate NEW  -j ACCEPT
         # if DCC Server is running (port tcp:6277)
         $ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Mail (additional smtp ports IN)
# ---

echononl "\t\tMail (additional smtp ports IN)"

if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then

   for _port in ${smtpd_additional_listen_port_arr[@]} ; do
      for _dev in ${ext_if_arr[@]} ; do
         $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         if $kernel_activate_forwarding ; then
            $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         fi
      done
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---

echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"

if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
      for _ip in ${mail_server_ips_arr[@]} ; do
         # mail ports
         #
         $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]

   if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_mail_server_ip_arr[@]} ; do
         # mail ports
         #
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then

   echo_done
else
   echo_skipped
fi


# ---
# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
# ---

echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"

if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then

   if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
      for _ip in ${mail_client_ips_arr[@]} ; do
         # mail ports
         #
   $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]

   if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_mail_client_ip_arr[@]} ; do
         # mail ports
         #
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then

   echo_done
else
   echo_skipped
fi


# ---
# - (local) Dovecot auth service
# ---

echononl "\t\t(local) Dovecot auth service"

if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then

   if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then
      for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do
         $ipt -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m conntrack --ctstate NEW -j ACCEPT
      done
      echo_done
   else
      echo_failed
   fi
else
   echo_skipped
fi


# ---
# - HTTP(S) OUT
# ---

echononl "\t\tHTTP(S) out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - HTTP(S) (local) Webserver
# ---

echononl "\t\tHTTP(S) (local) Webserver"

if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]]  ; then

   if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${http_server_ip_arr[@]} ; do
         $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
      done

      if  [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
         for _ip in ${forward_http_server_ip_arr[@]} ; do
            $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Mattermost Service
# ---

echononl "\t\tMattermost (MM) Service"
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]]  ; then

   if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${mm_server_ip_arr[@]} ; do
         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
      done

      if  [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
         for _ip in ${forward_mm_server_ip_arr[@]} ; do
            $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
            $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
         done
      fi
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - FTP out only"
# ---

echononl "\t\tFTP out only (using CT target)"

# - (Re)define helper
# -
setup_ftp_conntrack_helper_output

# - Used for different ftpdata recent lists 'ftpdata_out_$j'
# -
declare -i j=1

for _dev in ${ext_if_arr[@]} ; do

   # - (1)
   # -
   # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
   # -
   if can_use_recent ; then
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW \
      -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
   $ipt -A OUTPUT -o $_dev -p tcp -m conntrack --ctstate NEW --dport 1024: \
		-m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
else
   warn "xt_recent not available; FTP out-only FTPS workaround disabled (data connections may fail)."
   # Allow control connection; non-TLS data connections may still work via helper/RELATED
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
fi


	((i++))

   # - Accept (helper ftp) related connections
   # -
   if can_use_helper_match; then
   $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
else
   warn "helper match not available; allowing RELATED ftp data without helper restriction"
   $ipt -A OUTPUT -m conntrack --ctstate RELATED -o $_dev -p tcp --dport 1024: -j ACCEPT
fi

done

echo_done


#echononl "\t\tFTP out only"
#
#for _dev in ${ext_if_arr[@]} ; do
#   # (Datenkanal aktiv)
#   $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
#   # (Datenkanal passiv)
#   $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#   # (Kontrollverbindung)
#   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
#   if $kernel_activate_forwarding ; then
#      # (Datenkanal aktiv)
#      $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
#      # (Datenkanal passiv)
#      $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      # (Kontrollverbindung)
#      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
#   fi
#done
#
#echo_done


# ---
# - FTP Server"
# ---

echononl "\t\tFTP Server (using CT target)"

if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]]  ; then

   # - Used for different ftpdata recent lists 'ftpdata_$i'
   declare -i i=1

   # - (Re)define helper
   # -
   # - !! Note: !!
   # -    for both, local FTP server (ftp_server_ip_arr)
   # -    and forward to FTP server (forward_ftp_server_ip_arr)
   # -
   setup_ftp_conntrack_helper_prerouting

   if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then

      for _ip in ${ftp_server_ip_arr[@]} ; do

         # =====
         # -
         # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
         # - ======================================================
         # -
         # - Workaround:
         # -    (1) add source ip to a 'recent list' named 'ftpdata_$i!  if ftp control connections appear
         # -    (2) accept packets of the formaly created recent list 'ftpdata_$i!
         # -
         # =====

         # - (1)
         # -
         # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
         # -
         if can_use_recent ; then
            $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \
               -m recent --name ftpdata_$i --set -j ACCEPT

            $ipt -A INPUT -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
               -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
         else

            warn "xt_recent not available; relaxing FTPS workaround for FTP server $_ip (opening passive range)."
            # Control connection
            $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT
            # Passive data ports (less strict without xt_recent)
            $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT
         fi

         # - Accept (helper ftp) related connections
         # -
         $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT

         ((i++))

      done
   fi

   if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then

      for _ip in ${forward_ftp_server_ip_arr[@]} ; do

         # =====
         # -
         # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
         # - ======================================================
         # -
         # - Workaround:
         # -    (1) add source ip to a 'recent list' named 'ftpdata_$i!  if ftp control connections appear
         # -    (2) accept packets of the formaly created recent list 'ftpdata_$i!
         # -
         # =====

         # - (1)
         # -
         # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
         # -
         if can_use_recent ; then
            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \
               -m recent --name ftpdata_$i --set -j ACCEPT

            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
               -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
               -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
         else
            warn "xt_recent not available; relaxing FTPS workaround for forwarded FTP server $_ip (opening passive range)."
            # Control connection to forwarded server
            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT

            # Passive data ports to server (less strict without xt_recent)
            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT

            # Return traffic from server passive ports
            $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -s $_ip --sport $ftp_passive_port_range \
               --dport 1024: -j ACCEPT
         fi

         # - Accept (helper ftp) related connections
         # -
         if can_use_helper_match; then
            $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
         else
            warn "helper match not available; allowing RELATED ftp data without helper restriction"
            $ipt -A FORWARD -m conntrack --ctstate RELATED -d $_ip -p tcp --dport 1024: -j ACCEPT
         fi
         if can_use_helper_match; then
            $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
         else
            warn "helper match not available; allowing RELATED ftp data without helper restriction"
            $ipt -A FORWARD -m conntrack --ctstate RELATED -s $_ip -p tcp --sport 1024: -j ACCEPT
         fi

         ((i++))

      done
   fi

   echo_done
else
   echo_skipped
fi

#echononl "\t\tFTP Server"
#
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]]  ; then
#   if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
#      for _ip in ${ftp_server_ip_arr[@]} ; do
#            # (Datenkanal aktiv)
#            $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m conntrack --ctstate NEW -j ACCEPT
#            # Datenkanal (passiver modus)
#            $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#            # - Kontrollverbindung
#            $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      done
#   fi
#
#   if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
#      for _ip in ${forward_ftp_server_ip_arr[@]} ; do
#         # (Datenkanal aktiv)
#         $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
#         # Datenkanal (passiver modus)
#         $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#         # - Kontrollverbindung
#         $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#      done
#   fi
#
#   echo_done
#else
#   echo_skipped
#fi


# ---
# - XMPP Service (Jabber)
# ---

echononl "\t\tXMPP Service"

if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]]  ; then

   if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${xmpp_server_ip_arr[@]} ; do
         for _port in ${xmmp_tcp_in_port_arr[@]} ; do
            $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

         for _port in ${xmmp_tcp_out_port_arr[@]} ; do
   $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi


   if  [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_xmpp_server_ip_arr[@]} ; do
         for _port in ${xmmp_tcp_in_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done

         for _port in ${xmmp_tcp_out_port_arr[@]} ; do
            $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# -  XMPP Remote Dovecote Out Service
# ---

echononl "\t\tXMPP Remote Dovecote Out Service"

if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${xmmp_remote_out_service_arr[@]}" ; do
         IFS=':' read -a _val_arr <<< "${_val}"
   $ipt -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
      done
   done
   echo_done
else
   echo_skipped
fi


# ---
# - Mumble Service
# ---

echononl "\t\tMumble Service"


if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${mumble_server_ip_arr[@]} ; do
         $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_mumble_server_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Jitsi Video Conferencing Service
# ---

echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports"


if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${jitsi_server_ip_arr[@]} ; do
         if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
            $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
         fi
         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
         if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
            $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
         fi
         $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   echo_done
else
   echo_skipped
fi

echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
   if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${jitsi_server_ip_arr[@]} ; do
   $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
      done
   fi
   echo_done
else
   echo_skipped
fi

echononl "\t\tJitsi Meet Dovecot Authentication"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
   if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then
      if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
   $ipt -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT
      fi

      if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
         $ipt -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT
      fi
      echo_done
   else
      echo_skipped
   fi
else
   echo_skipped
fi

echononl "\t\tJitsi Remote Jibri Client"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \
      && $jitsi_jibri_remote_auth \
      && [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then
   for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do
      $ipt -A INPUT -p tcp -s  $_ip --dport $jitsi_jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
   done

   echo_done
else
   echo_skipped
fi


# ---
# - Jibri Recording / Streaming Service
# ---

echononl "\t\tJibri Recording / Streaming Service"
if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]]; then

   if [[ -z "$jibri_remote_jitsi_server" ]]; then
      echo_skipped
   else
      if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then
         for _ip in ${jibri_server_ip_arr[@]} ; do
   $ipt -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range  -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports  -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
         for _ip in ${forward_jibri_server_ip_arr[@]} ; do
            $ipt -A FORWARD -p tcp -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
            $ipt -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range  -m conntrack --ctstate NEW -j ACCEPT
            $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports  -m conntrack --ctstate NEW -j ACCEPT
         done
      fi

      echo_done
   fi
else
   echo_skipped
fi


# ---
# - TURN Service (for NC Talk App)
# ---

echononl "\t\tTURN Service (for NC Talk App) both: udp and tcp"

if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]]  ; then

   if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${nc_turn_server_ip_arr[@]} ; do
         $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi

   if  [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do
         $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
      done
   fi


   echo_done
else
   echo_skipped
fi


# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---

echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - NTP out only"
# ---

echononl "\t\tNTP out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port  -m conntrack --ctstate NEW -j ACCEPT
   $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port  -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port  -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port  -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - NTP local Service"
# ---

echononl "\t\tNTP local Service"
if [[ -n "$local_ntp_service" ]] && $local_ntp_service  ; then
   if [[ -z "$ntp_allowed_net" ]] ; then
      echo_failed
   else
   $ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
      $ipt -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
      echo_done
   fi
else
   echo_skipped
fi


# ---
# - LDAP out only
# ---

echononl "\t\tLDAP out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - LDAPS out only
# ---

echononl "\t\tLDAPS out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done




# ---
# - Whois out only
# ---

echononl "\t\tWhois out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - PGP Keyserver  out only
# ---

echononl "\t\tPGP/GPG Key server - out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done


# ---
# - GIT out only
# ---

echononl "\t\tGIT out only"

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT
   fi
done

echo_done
echo


# ---
# - Special TCP Ports OUT
# ---

echononl "\t\tSpecial TCP Ports OUT"

if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then

   if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then

      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${tcp_out_port_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p tcp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${tcp_out_port_arr[@]} ; do
            $ipt -A FORWARD -o $_dev -p tcp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Special UDP Ports OUT
# ---

echononl "\t\tSpecial UDP Ports OUT"

if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
   if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${udp_out_port_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p udp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
      for _dev in ${ext_if_arr[@]} ; do
         for _port in ${forward_udp_out_port_arr[@]} ; do
            $ipt -A FORWARD -o $_dev -p udp --dport $_port  -m conntrack --ctstate NEW -j ACCEPT
         done
      done
   fi

   echo_done
else
   echo_skipped
fi

echo

# -------------
# --- Portforwarding
# -------------

# ---
# - Portforwarding TCP
# ---

echononl "\t\tPortforwarding TCP"

if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] ; then
   for _val in "${portforward_tcp_arr[@]}" ; do

      # - Split value
      # -
      IFS=':' read -a _val_arr <<< "${_val}"

      # - Allow Packets IN
      # -
      $ipt -A INPUT -i ${_val_arr[0]} -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      # - Allow Packets FORWARD
      # -
      $ipt -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[3]} --dport ${_val_arr[4]} -m conntrack --ctstate NEW -j ACCEPT

      _job_id="$(ps ax | grep "TCP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]}" | grep -v grep  | awk '{print$1}')"
      if [[ -n "$_job_id" ]]; then
         kill ${_job_id} > /dev/null 2>&1
      fi

      socat TCP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]} TCP:${_val_arr[3]}:${_val_arr[4]} &

   done
   echo_done
else
   echo_skipped
fi

echononl "\t\tPortforwarding UDP"

if [[ ${#portforward_udp_arr[@]} -gt 0 ]] ; then
   for _val in "${portforward_udp_arr[@]}" ; do

      # - Split value
      # -
      IFS=':' read -a _val_arr <<< "${_val}"

      # - Allow Packets IN
      # -
      $ipt -A INPUT -i ${_val_arr[0]} -p udp -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT

      # - Allow Packets FORWARD
      # -
      $ipt -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[3]} --dport ${_val_arr[4]} -m conntrack --ctstate NEW -j ACCEPT

      _job_id="$(ps ax | grep "UDP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]}" | grep -v grep  | awk '{print$1}')"
      if [[ -n "$_job_id" ]]; then
         kill ${_job_id} > /dev/null 2>&1
      fi

      socat UDP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]} UDP:${_val_arr[3]}:${_val_arr[4]} &

   done
   echo_done
else
   echo_skipped
fi


echo

# ---
# - UNIX Traceroute
# ---

echononl "\t\tUNIX Traceroute"

#   versendet udp packete im gegensatz zu tracert von windows
#   der icmp-echo-request pakete versendet
#   einige implementierungen von traceroute (linux) erm�lichens
#   die option -I und versenden dann ebenfalls icmp-echo-request pakete

for _dev in ${ext_if_arr[@]} ; do
   $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   if $kernel_activate_forwarding ; then
      $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
      $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
   fi
done

echo_done


# ---
# - Ping
# ---

echononl "\t\tPing"

$ipt -A INPUT -p icmp -j ACCEPT
   $ipt -A OUTPUT -p icmp -j ACCEPT
if $kernel_activate_forwarding ; then
   $ipt -A FORWARD  -p icmp -j ACCEPT
fi

#for _dev in ${ext_if_arr[@]} ; do
#   $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
#   $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
#   if $kernel_activate_forwarding ; then
#      $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
#      $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
#   fi
#done
#for _dev in ${local_if_arr[@]} ; do
#   $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
#   $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
#   if $kernel_activate_forwarding ; then
#      $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
#      $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
#   fi
#done

echo_done


# ---
# - log all rejected traffic
# ---

echo
echononl "\tLogging all rejected traffic"

if $log_rejected || $log_all ; then
   $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
   $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
   $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"

   if $kernel_activate_forwarding ; then
      #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
      $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
   fi

   echo_done
else
   echo_skipped
fi


# ---
# - Drop all other
# ---

echo
echononl "\tDrop all other on all interfaces"

$ipt -A INPUT -j DROP
   $ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP

echo_done



# -------------
# ------------- Reload Fail2Ban if installed
# -------------

if ${FAIL2BAN_WAS_RUNNING}; then
   echo
   echononl "\tReloading fail2ban.."
   $fail2ban_client reload > /dev/null 2>&1
   if [ "$?" = "0" ]; then
      echo_done
   else
      # Fallback: reload + restart jails if needed
      $fail2ban_client reload --restart > /dev/null 2>&1
      if [ "$?" = "0" ]; then
         echo_done
      else
         echo_skipped
         warn "Fail2ban reload failed. Leaving fail2ban unchanged. Check: fail2ban-client -d and /var/log/fail2ban.log"
      fi
   fi
else
   # fail2ban not running before; do not start it here
   :
fi

echo
exit 0



# ------------ Portforwarding ------------- #
# -
# - !! NOTICE:
# -   you need also portforwarding enabled at the kernel
# -      echo 1 >/proc/sys/net/ipv4/ip_forward
#
#
# ----------------------------------------------
# <old-ip>:<old-port> --> <new-ip>:<new-port>:80
# ----------------------------------------------
#
#$ipt -A FORWARD [-i <iface>] -p tcp --dport <new-port> -d <new-ip>  -j ACCEPT
#$ipt -A FORWARD [-o <iface>] -p tcp --sport <new-port> -s <new-ip> -j ACCEPT
#
#$ipt -t nat -A PREROUTING [-i <iface>] -p tcp --dport <old-port> [-d <old-ip>] -j DNAT --to-destination <new-ip>:<new-port>
#$ipt -t nat -A POSTROUTING -d <new-ip> -j MASQUERADE
#
#
# -----------------------------------------------
# www-alt.oopen.de --> www-neu.oopen.de
#
# 46.4.129.3:80  --> 83.223.86.130:80
# 46.4.129.3:443 --> 83.223.86.130:443
# -----------------------------------------------
#
#$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT
#$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT
#
#$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
# -
# ---------- Ende Portforwarding ---------- #

