#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org 

# rc.common start priority: init scripts run in ascending START order, so
# the firewall chain skeleton built in boot() is in place before higher
# numbered services start.
START="39"

########### IPTABLES ##############
# Marker path for the init run.  It is declared here but not referenced
# anywhere in this file; presumably consumed by another script — confirm.
BOOTFILE='/tmp/init_iptables'
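#######################################
# boot: install the firewall chain skeleton at startup.
# Creates the custom iptables/ip6tables chains used by this firmware and
# hooks them into the built-in chains in a fixed order.  Every custom chain
# is created empty here; presumably other components populate them later
# (not visible in this file).  Rule order is significant — the first
# terminating target wins — so keep the -A sequence as it is when editing.
# Globals:   none read; extiface is filled from uci
#            (upnpd.config.external_iface)
# Arguments: none
# Outputs:   a warning on stderr when the UPnP external interface is unset
# Returns:   status of the last ip6tables call.  Individual iptables
#            failures are NOT checked (no set -e, no || handling), so a
#            rule that the kernel rejects is skipped silently.
#######################################
boot() {
	##### RAW tables
	iptables -t raw -N PREROUTING_VS
	iptables -t raw -N PPTP_L2L_RULE
	iptables -t raw -A PREROUTING -j PREROUTING_VS
	iptables -t raw -A PREROUTING -j PPTP_L2L_RULE

	##### NAT tables
	iptables -t nat -N MANAGE_WAN
	#iptables -t nat -N RULE_BASED_N
	iptables -t nat -N DNS_REDIRECT
	iptables -t nat -N USER_BASED_N
	iptables -t nat -N IPF_SET_MARK
	iptables -t nat -N URLF_BLOCKPAGE
	iptables -t nat -N PRE_NAT_FUNCS
	iptables -t nat -N nat_portredirect
	iptables -t nat -N nat_dmz
	iptables -t nat -N nat_dmz_loopback
	iptables -t nat -N MINIUPNPD
	iptables -t nat -N MINIUPNPD_LOOPBACK
	iptables -t nat -N IPSEC_LB_RULE
	iptables -t nat -N nat_portredirect2
	iptables -t nat -N nat_addressmap
	iptables -t nat -N exception_subnet
	iptables -t nat -N nat_post_route
	iptables -t nat -N SIPALG
	iptables -t nat -N nat_portredirectVPN

	iptables -t nat -A PREROUTING -j MANAGE_WAN
	#iptables -t nat -A PREROUTING -j RULE_BASED_N
	iptables -t nat -A PREROUTING -j DNS_REDIRECT
	iptables -t nat -A PREROUTING -j IPF_SET_MARK
	# "-m mset" is not a stock iptables match (vendor module, presumably) and
	# "-m set --set" is the legacy ipset syntax (modern builds use --match-set).
	# Only LAN-side HTTP/HTTPS from hosts not yet in logined_user_ip, not
	# destined to a local interface and not carrying mark bit 0x10000000,
	# reaches USER_BASED_N.
	iptables -t nat -A PREROUTING -i lan+ -p tcp -m multiport --dport 80,443 -m mset ! --set logined_user_ip src ! --set all_interface_lan dst -m mark ! --mark 0x10000000/0x10000000 -j USER_BASED_N
	iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -m mark ! --mark 0x10000000/0x10000000 -j URLF_BLOCKPAGE
	iptables -t nat -A PREROUTING -j PRE_NAT_FUNCS
	iptables -t nat -A PRE_NAT_FUNCS -j nat_portredirect
	# Interface for the UPnP hook.  The value is quoted so an unexpected
	# result from uci cannot be word-split into extra arguments.  If uci
	# returns nothing the rule still installs, but with the literal name
	# "wan-" (no "+" wildcard), which matches no real interface — warn so
	# the dead MINIUPNPD hook is visible.
	extiface=$(uci get upnpd.config.external_iface)
	[ -n "$extiface" ] || printf 'boot: upnpd.config.external_iface is unset; nat MINIUPNPD hook will not match\n' >&2
	iptables -t nat -A PRE_NAT_FUNCS -i "wan-$extiface" -j MINIUPNPD
	iptables -t nat -A PRE_NAT_FUNCS -j nat_dmz

	#Accept vpn packets
	iptables -t nat -A POSTROUTING -j IPSEC_LB_RULE
	iptables -t nat -A POSTROUTING -j nat_portredirectVPN
	iptables -t nat -A POSTROUTING -j exception_subnet
	#MASQUERADE/SNAT are terminating targets, priority follows top to down
	iptables -t nat -A POSTROUTING -j nat_addressmap
	iptables -t nat -A POSTROUTING -j nat_portredirect2
	iptables -t nat -A POSTROUTING -m set --set lan_nat_subnet src -j MINIUPNPD_LOOPBACK
	iptables -t nat -A POSTROUTING -j nat_dmz_loopback
	iptables -t nat -A POSTROUTING -j nat_post_route

	##### MANGLE tables
	iptables -t mangle -N NAT_ROUTE_PREROUTING
	iptables -t mangle -N MANAGE_WAN
	iptables -t mangle -N BYPASS_TR069_IN
	iptables -t mangle -N BYPASS_TR069_OUT
	iptables -t mangle -N LB_RULE
	iptables -t mangle -N MAC_BLOCK
	iptables -t mangle -N BLOCKDIRECTNAT
	iptables -t mangle -N nat_addressmap
	#iptables -t mangle -N LANROUTE
	iptables -t mangle -N LB_ISP
	iptables -t mangle -N IPSEC_LB_RULE
	iptables -t mangle -N ROUTE_DOWN_DROP
	iptables -t mangle -N TCPMSS_FORWARD
	iptables -t mangle -N PPTP_TCPMSS
	iptables -t mangle -N IP_FILTER
	iptables -t mangle -N OUTPUT_WAN
	iptables -t mangle -N PPTP_L2L_RULE
	iptables -t mangle -N IMO_SKYPE
	iptables -t mangle -N KWO_DNS_EXT
	iptables -t mangle -N WAN_TCPMSS
	iptables -t mangle -N CTMARK
	#iptables -t mangle -N PRE_FPP_POLICY
	iptables -t mangle -N FPP_POLICY
	iptables -t mangle -N SW_QOS_WAN
	iptables -t mangle -N DMZ_ACCESS_ZONE
	iptables -t mangle -N DMZ_DROP_ZONE

	iptables -t mangle -A PREROUTING -j NAT_ROUTE_PREROUTING
	iptables -t mangle -A PREROUTING -j MANAGE_WAN
	iptables -t mangle -A PREROUTING -j BYPASS_TR069_IN
	#PREROUTING DROP rule sets
	iptables -t mangle -A PREROUTING -j MAC_BLOCK
	iptables -t mangle -A PREROUTING -j BLOCKDIRECTNAT
	#LB Policy rule sets
	iptables -t mangle -A PREROUTING -j LB_ISP
	iptables -t mangle -A PREROUTING -j LB_RULE
	iptables -t mangle -A PREROUTING -j nat_addressmap
	iptables -t mangle -A PREROUTING -j IPSEC_LB_RULE
	#DMZ ACCESS ZONE
	iptables -t mangle -A PREROUTING -j DMZ_ACCESS_ZONE
	iptables -t mangle -A DMZ_ACCESS_ZONE -j DMZ_DROP_ZONE

	#DROP packets forwarded to down status WANs
	iptables -t mangle -A FORWARD -j ROUTE_DOWN_DROP
	#TCP MSS
	iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS_FORWARD
	iptables -t mangle -A FORWARD -j PPTP_TCPMSS
	#IP Filter pre-mark handling.  ACCEPT here ends traversal of the mangle
	#FORWARD chain only (filter FORWARD still runs), so IP_FILTER below sees
	#just the first packet of each flow.
	iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -t mangle -A FORWARD -j IP_FILTER

	#mangle INPUT table
	iptables -t mangle -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	#G48163: make packets from LAN or packets from lo bypass IP Filter when they are going to local
	iptables -t mangle -A INPUT -m set --set lan_net_set src -j ACCEPT
	iptables -t mangle -A INPUT -s 127.0.0.1 -j ACCEPT
	iptables -t mangle -A INPUT -j IP_FILTER #G47857, INPUT needs country block

	#LB Policy rule sets
	iptables -t mangle -A OUTPUT -j OUTPUT_WAN
	iptables -t mangle -A OUTPUT -j BYPASS_TR069_OUT
	iptables -t mangle -A OUTPUT -j LB_ISP
	#iptables -t mangle -A OUTPUT -j LB_RULE	Don't affect pkts from local, or we need an extra NAT mechanism
	iptables -t mangle -A OUTPUT -j nat_addressmap
	iptables -t mangle -A OUTPUT -j PPTP_L2L_RULE
	iptables -t mangle -A OUTPUT -j IPSEC_LB_RULE

	#DNS Response Monitor
	iptables -t mangle -A POSTROUTING -p udp --sport 53 -j IMO_SKYPE
	iptables -t mangle -A POSTROUTING -p udp --sport 53 -j KWO_DNS_EXT
	iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j WAN_TCPMSS
	#LB Policy rule, transform packet mark to conntrack mark
	iptables -t mangle -A POSTROUTING -j CTMARK
	#FPP POLICY
	iptables -t mangle -A POSTROUTING -j FPP_POLICY
	iptables -t mangle -A POSTROUTING -j SW_QOS_WAN

	##### FILTER tables
	iptables -N MANAGE_WAN
	iptables -N ACC_CTRL_AL		#this is for user-defined access list
	iptables -N IPF_INPUT
	iptables -N ACC_CTRL
	iptables -N PPTP_CTRL
	iptables -N L2TP_CTRL
	iptables -N SNMP_CTRL
	iptables -N TR069_CTRL
	iptables -N BGP_CTRL
	iptables -N USER_BASED_F
	iptables -N FORWARD_CONNLIMIT
	iptables -N IP_FILTER_POST
	iptables -N IPF_PPPOE
	iptables -N IPF_PPP
	iptables -N IMP2P_CK
	iptables -N URL_FILTER
	iptables -N MINIUPNPD
	iptables -N QQ_FILTER
	iptables -N IF_NO_MATCH
	iptables -N FILTER_POLICY
	iptables -N LANROUTE
	iptables -N IGMP_CTRL

	#Remote access local machine control sets
	iptables -A INPUT -j MANAGE_WAN
	iptables -A INPUT -j IGMP_CTRL
	iptables -A INPUT -j ACC_CTRL_AL
	iptables -A INPUT -j PPTP_CTRL
	iptables -A INPUT -j L2TP_CTRL
	iptables -A INPUT -j SNMP_CTRL
	iptables -A INPUT -j TR069_CTRL
	iptables -A INPUT -j BGP_CTRL
	#IPF_INPUT can only affect access control
	iptables -A INPUT -j IPF_INPUT
	# NOTE(review): ACC_BARRIER is never created (-N) in this file.  If no
	# earlier script creates it, this -A is rejected by iptables and, because
	# failures are not checked, WAN input outside the exception sets simply
	# continues to the ACC_CTRL rule below — confirm where the chain comes from.
	iptables -A INPUT -i wan+ -m mset ! --set exception_subnet_set src ! --set exception_subnet_gre_set src -j ACC_BARRIER
	iptables -A INPUT -j ACC_CTRL

	#IP Filter POST handling
	iptables -A FORWARD -j IP_FILTER_POST
	#User-based firewall management whitelist handling
	iptables -A FORWARD -i lan+ -j USER_BASED_F
	#Session limit control
	iptables -A FORWARD -j FORWARD_CONNLIMIT
	#PPPOE Server Filtering
	iptables -A FORWARD -j IPF_PPPOE
	#Other Firewall Filtering sets
	iptables -A FORWARD -j IMP2P_CK #APPE needs to monitor reply from wan+
	iptables -A FORWARD -o wan+ -p tcp -m multiport --dport 80,443 -j URL_FILTER
	iptables -A FORWARD -o wan+ -j QQ_FILTER
	#Accept UPNP
	iptables -A FORWARD -j MINIUPNPD
	#Handle IF_NO_MATCH
	iptables -A FORWARD -j IF_NO_MATCH
	#Add FILTER_POLICY
	iptables -A FORWARD -o wan+ -j FILTER_POLICY

########### IP6TABLES ##############
	##### MANGLE FORWARD tables
	ip6tables -t mangle -N IP6_FILTER
	#----
	ip6tables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	ip6tables -t mangle -A FORWARD -j IP6_FILTER

	##### MANGLE POSTROUTING tables
	ip6tables -t mangle -N FPP_POLICY
	#----
	ip6tables -t mangle -A POSTROUTING -j FPP_POLICY

	##### FILTER INPUT tables
	ip6tables -N ACC6_CTRL
	ip6tables -N PPTP6_CTRL
	ip6tables -N L2TP6_CTRL
	ip6tables -N SNMP6_CTRL
	ip6tables -N TR069_CTRL6
	#----
	ip6tables -A INPUT -j ACC6_CTRL
	ip6tables -A INPUT -j PPTP6_CTRL
	ip6tables -A INPUT -j L2TP6_CTRL
	ip6tables -A INPUT -j SNMP6_CTRL
	ip6tables -A INPUT -j TR069_CTRL6

	##### FILTER FORWARD tables
	ip6tables -N IP6_F_POST
	#----
	ip6tables -A FORWARD -j IP6_F_POST
	ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Default-deny for IPv6 forwarded in from any wan* interface that was
	# not accepted by IP6_F_POST or the state rule above.  Note there is no
	# matching default-deny on the IPv4 filter FORWARD chain in this file;
	# that presumably relies on the chain policy set elsewhere — confirm.
	ip6tables -A FORWARD -i wan+ -j DROP
}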
