#!/bin/bash


. /ips/setup/.config
. /ips/ip2/.functions

DIR=/ips

# Pick the ingress-device match used by the per-host rules below.
# With QOS_BRIDGE=1 $ANYDEV is a bridge port, which plain "-i" cannot match,
# so the physdev extension is used instead.  The value is a fragment that is
# later embedded in a rule string, hence it is kept as one plain string.
case "$QOS_BRIDGE" in
  1) IDEV="-m physdev --physdev-in $ANYDEV" ;;
  *) IDEV="-i $ANYDEV" ;;
esac

# 2008
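# Per-host rules: one pass over every host number in $ALL (from /ips/setup/.config).
# For each host the loop resolves its IP and then
#   - marks the connections of hosts flagged by /ips/ips/<nr>-b (CONNMARK 4096), and
#   - rejects new/invalid forwarded traffic towards hosts flagged by /ips/ips/<nr>-w.
# rulei and maybeali come from /ips/ip2/.functions; rulei receives the whole rule as
# a single string and is assumed to word-split it before handing it to iptables.
for MA in $ALL; do

   # $ADR is skipped (presumably this gateway's own host number -- confirm in .config).
   if [ "$ADR" = "$MA" ]; then
     continue
   fi

   # Default: the host sits in $SUBNET with $MA as its last octet.
   i=${SUBNET}${MA}

   # maybeali is expected to set ALIIP to the alias address of $MA, or to empty.
   # NOTE(review): if it does not clear ALIIP on a miss, the value from the previous
   # iteration would leak into this one -- confirm in .functions.
   maybeali $MA

   if [ -n "$ALIIP" ]; then
      # numbers > 254 can be a computer with IP ALIIP (an alias outside $SUBNET)
      i="$ALIIP"
   else
      # Without an alias only 1..254 are real hosts in $SUBNET.
      if (( MA > 254 )); then
        continue
      fi
      # /ips/gro/c-<nr> and /ips/gro/s-<nr> denote classes (groups), not hosts.
      if [ -f /ips/gro/c-$MA ] || [ -f /ips/gro/s-$MA ]; then
        continue
      fi
   fi

   # Hosts flagged -b: mark both directions of their connections with 4096
   # (by source in mangle/PREROUTING, by destination in mangle/FORWARD).
   if [ -f "/ips/ips/$MA-b" ]; then
      echo -n "connmarking $i with 4096 : "
      rulei "PREROUTING -t mangle -s $i -j CONNMARK --set-mark 4096"
      rulei "FORWARD -t mangle -d $i -j CONNMARK --set-mark 4096"
   fi

   # Only hosts flagged -w get the inbound REJECT below.
   if [ ! -f "/ips/ips/$MA-w" ]; then
       continue
   fi

   echo -n "denying to $i : "
#   COM="FORWARD -i $ANYDEV -d $i -m conntrack --ctstate ! RELATED,ESTABLISHED,SNAT,DNAT -j REJECT"
#   COM="FORWARD -i $ANYDEV -d $i -m conntrack --ctstate  NEW,INVALID -j REJECT"

   # Reject forwarded packets towards $i that open a new connection or are INVALID
   # when they arrive via $ANYDEV; $IDEV expands to "-i DEV" or, in QoS-bridge mode,
   # to "-m physdev --physdev-in DEV" inside the rule string.
   # NOTE(review): netfilter guidance is to DROP rather than REJECT INVALID packets,
   # since a REJECT reply can be provoked by spoofed or garbage packets; the original
   # REJECT behaviour is kept here.
   COM="FORWARD -d $i $IDEV -m conntrack --ctstate  NEW,INVALID -j REJECT"
   rulei "$COM"

done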



