#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org 

# rc.common start ordering for this script (it only provides boot() below,
# so the rule skeleton is installed once at boot rather than on start/stop).
START=39

########### IPTABLES ##############
# NOTE(review): BOOTFILE is not referenced anywhere in the visible part of this
# script, and it is a fixed, predictable path under world-writable /tmp. If
# another script writes to it, prefer a non-shared location or mktemp — confirm.
BOOTFILE="/tmp/init_iptables"
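boot() {
	# Builds the IPv4/IPv6 chain skeleton at boot: creates the custom chains
	# and appends the jumps that wire them into the built-in chains of the
	# raw, nat, mangle and filter tables. The custom chains themselves get
	# no rules here (presumably the feature scripts populate them later).
	#
	# The append order inside each built-in chain IS the policy priority
	# (e.g. SNAT/MASQUERADE chains terminate, see the nat POSTROUTING
	# section), so keep the order below when editing.
	#
	# Runs once per boot: chains are created with -N and jumps with -A and
	# nothing is flushed first, so a second invocation would fail every -N
	# and append a duplicate copy of every jump.

	# A rule that fails to install (missing kernel module, unsupported match
	# syntax, ...) leaves a silent hole in the policy. Report the failure on
	# stderr instead of swallowing it; execution continues as it always did.
	ipt() {
		iptables "$@" || printf 'firewall: iptables %s: failed (rc=%s)\n' "$*" "$?" >&2
	}
	ip6t() {
		ip6tables "$@" || printf 'firewall: ip6tables %s: failed (rc=%s)\n' "$*" "$?" >&2
	}

	##### RAW table: chains consulted before conntrack (VS and PPTP L2L)
	for _chain in PREROUTING_VS PPTP_L2L_RULE; do
		ipt -t raw -N "$_chain"
	done
	ipt -t raw -A PREROUTING -j PREROUTING_VS
	ipt -t raw -A PREROUTING -j PPTP_L2L_RULE

	##### NAT table
	# RULE_BASED_N is intentionally not created (see the disabled jump below).
	for _chain in MANAGE_WAN USER_BASED_N IPF_SET_MARK URLF_BLOCKPAGE \
		PRE_NAT_FUNCS nat_portredirect nat_dmz nat_dmz_loopback \
		MINIUPNPD MINIUPNPD_LOOPBACK IPSEC_LB_RULE nat_portredirect2 \
		nat_addressmap exception_subnet nat_post_route SIPALG; do
		ipt -t nat -N "$_chain"
	done

	# PREROUTING: management, then mark-based user/URL handling for web and
	# DNS traffic, then the DNAT functions (port redirect, UPnP, DMZ).
	ipt -t nat -A PREROUTING -j MANAGE_WAN
	#ipt -t nat -A PREROUTING -j RULE_BASED_N
	ipt -t nat -A PREROUTING -j IPF_SET_MARK
	# Mark bit 0x10000000 (set by IPF_SET_MARK, presumably) exempts a flow
	# from the user-based and URL-filter redirects.
	ipt -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -m mark ! --mark 0x10000000/0x10000000 -j USER_BASED_N
	ipt -t nat -A PREROUTING -p udp --dport 53 -m mark ! --mark 0x10000000/0x10000000 -j USER_BASED_N
	ipt -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -m mark ! --mark 0x10000000/0x10000000 -j URLF_BLOCKPAGE
	ipt -t nat -A PREROUTING -j PRE_NAT_FUNCS
		ipt -t nat -A PRE_NAT_FUNCS -j nat_portredirect
		ipt -t nat -A PRE_NAT_FUNCS -j MINIUPNPD
		ipt -t nat -A PRE_NAT_FUNCS -j nat_dmz

	# POSTROUTING: VPN traffic first, then the exception subnet, then the
	# SNAT chains. MASQUERADE/SNAT are terminating targets, so the first
	# chain that translates a packet wins — priority is top to bottom.
	ipt -t nat -A POSTROUTING -j IPSEC_LB_RULE
	ipt -t nat -A POSTROUTING -j exception_subnet
	ipt -t nat -A POSTROUTING -j nat_addressmap
	ipt -t nat -A POSTROUTING -j nat_portredirect2
	# NOTE(review): "--set" is the legacy ipset match syntax; newer ipset
	# builds spell it "--match-set". Confirm against the target's ipset.
	ipt -t nat -A POSTROUTING -m set --set lan_nat_subnet src -j MINIUPNPD_LOOPBACK
	ipt -t nat -A POSTROUTING -j nat_dmz_loopback
	ipt -t nat -A POSTROUTING -j nat_post_route

	##### MANGLE table
	# PRE_FPP_POLICY is intentionally not created.
	for _chain in NAT_ROUTE_PREROUTING MANAGE_WAN BYPASS_TR069_IN \
		BYPASS_TR069_OUT LB_RULE MAC_BLOCK BLOCKDIRECTNAT nat_addressmap \
		LANROUTE LB_ISP IPSEC_LB_RULE ROUTE_DOWN_DROP TCPMSS_FORWARD \
		PPTP_TCPMSS IP_FILTER OUTPUT_WAN PPTP_L2L_RULE IMO_SKYPE \
		KWO_DNS_EXT WAN_TCPMSS CTMARK FPP_POLICY SW_QOS_WAN \
		DMZ_ACCESS_ZONE DMZ_DROP_ZONE; do
		ipt -t mangle -N "$_chain"
	done

	# PREROUTING: routing/management marks, then the DROP sets (MAC block,
	# direct-NAT block), then load-balancing policy, then the DMZ zone.
	ipt -t mangle -A PREROUTING -j NAT_ROUTE_PREROUTING
	ipt -t mangle -A PREROUTING -j MANAGE_WAN
	ipt -t mangle -A PREROUTING -j BYPASS_TR069_IN
	ipt -t mangle -A PREROUTING -j MAC_BLOCK
	ipt -t mangle -A PREROUTING -j BLOCKDIRECTNAT
	ipt -t mangle -A PREROUTING -j LB_ISP
	ipt -t mangle -A PREROUTING -j LB_RULE
	ipt -t mangle -A PREROUTING -j nat_addressmap
	ipt -t mangle -A PREROUTING -j IPSEC_LB_RULE
	ipt -t mangle -A PREROUTING -j DMZ_ACCESS_ZONE
		ipt -t mangle -A DMZ_ACCESS_ZONE -j DMZ_DROP_ZONE

	# FORWARD: drop traffic for WANs that are down, clamp MSS on SYNs,
	# then IP-filter pre-marking for new flows only.
	ipt -t mangle -A FORWARD -j ROUTE_DOWN_DROP
	ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS_FORWARD
	ipt -t mangle -A FORWARD -j PPTP_TCPMSS
	# ACCEPT here only ends traversal of the *mangle* FORWARD chain, so
	# established flows skip IP_FILTER marking but are still subject to
	# the filter-table FORWARD chain below.
	ipt -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	ipt -t mangle -A FORWARD -j IP_FILTER

	# OUTPUT: locally generated traffic. LB_RULE is deliberately not applied
	# to local packets — doing so would need an extra NAT mechanism.
	ipt -t mangle -A OUTPUT -j OUTPUT_WAN
	ipt -t mangle -A OUTPUT -j BYPASS_TR069_OUT
	ipt -t mangle -A OUTPUT -j LB_ISP
	#ipt -t mangle -A OUTPUT -j LB_RULE
	ipt -t mangle -A OUTPUT -j nat_addressmap
	ipt -t mangle -A OUTPUT -j PPTP_L2L_RULE
	ipt -t mangle -A OUTPUT -j IPSEC_LB_RULE

	# POSTROUTING: DNS-response monitors, WAN MSS clamp, then carry the
	# packet mark over to the conntrack mark (CTMARK), FPP policy and QoS.
	ipt -t mangle -A POSTROUTING -p udp --sport 53 -j IMO_SKYPE
	ipt -t mangle -A POSTROUTING -p udp --sport 53 -j KWO_DNS_EXT
	ipt -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j WAN_TCPMSS
	ipt -t mangle -A POSTROUTING -j CTMARK
	ipt -t mangle -A POSTROUTING -j FPP_POLICY
	ipt -t mangle -A POSTROUTING -j SW_QOS_WAN

	##### FILTER table
	# FILTER_POLICY is intentionally not created.
	for _chain in MANAGE_WAN ACC_CTRL PPTP_CTRL L2TP_CTRL SNMP_CTRL \
		TR069_CTRL USER_BASED_F FORWARD_CONNLIMIT IP_FILTER_POST \
		IPF_PPPOE IPF_PPP IMP2P_CK URL_FILTER MINIUPNPD QQ_FILTER; do
		ipt -N "$_chain"
	done

	# INPUT: remote access to the device itself, one chain per service.
	# NOTE(review): no default policy, ESTABLISHED accept or final DROP is
	# set here, so the effective INPUT policy depends on what fills these
	# chains and on the policy set elsewhere — verify before relying on it.
	ipt -A INPUT -j MANAGE_WAN
	ipt -A INPUT -j ACC_CTRL
	ipt -A INPUT -j PPTP_CTRL
	ipt -A INPUT -j L2TP_CTRL
	ipt -A INPUT -j SNMP_CTRL
	ipt -A INPUT -j TR069_CTRL

	# FORWARD: IP-filter post handling, user-based whitelist, session
	# limits, PPPoE-server filtering, then the WAN-bound content filters
	# ("wan+" is an interface-name wildcard), and finally UPnP pinholes.
	ipt -A FORWARD -j IP_FILTER_POST
	ipt -A FORWARD -j USER_BASED_F
	ipt -A FORWARD -j FORWARD_CONNLIMIT
	ipt -A FORWARD -j IPF_PPPOE
	ipt -A FORWARD -o wan+ -j IMP2P_CK
	ipt -A FORWARD -o wan+ -p tcp -m multiport --dport 80,443 -j URL_FILTER
	ipt -A FORWARD -o wan+ -j QQ_FILTER
	ipt -A FORWARD -j MINIUPNPD
	#ipt -A FORWARD -o wan+ -m connmark --mark 0x00000000/0x70000000 -j FILTER_POLICY

########### IP6TABLES ##############
	# NOTE(review): only INPUT is wired for IPv6. None of the IPv4 FORWARD
	# filters (session limit, URL/P2P filters, IP_FILTER_POST) have an IPv6
	# counterpart here, so forwarded IPv6 traffic is governed solely by
	# whatever policy is set outside this script — confirm that is intended.
	for _chain in ACC6_CTRL PPTP6_CTRL L2TP6_CTRL SNMP6_CTRL TR069_CTRL6; do
		ip6t -N "$_chain"
	done

	##### FILTER table (IPv6)
	ip6t -A INPUT -j ACC6_CTRL
	ip6t -A INPUT -j PPTP6_CTRL
	ip6t -A INPUT -j L2TP6_CTRL
	ip6t -A INPUT -j SNMP6_CTRL
	ip6t -A INPUT -j TR069_CTRL6
}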
