#!/bin/bash


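. /ips/setup/.config
. /ips/ip2/.functions

# Per-host firewall/NAT setup.
#
# For every host number in $ALL this builds, through the sourced `rule`
# helper, the per-host connection limits, SYN/UDP rate limits, packet MARK,
# MAC lock, SNAT and (optional) admin-page redirect.
#
# Reads (expected from the sourced files):
#   ALL SUBNET ADR TOTAL_LIMITS QOS_BRIDGE ANYDEV IPS IPS_LAN2 OURNET OURIP
#   ALINAT ADMIN_IP<id>
# Calls:   rule, maybeali (from /ips/ip2/.functions; maybeali is expected
#          to set ALIIP for alias hosts)
# Outputs: progress messages on stdout, config warnings on stderr
#
# Deliberately no `set -e`: one rejected iptables rule must not abort the
# rest of the per-host loop, so failures are left to `rule` itself.

DIR=/ips   # not referenced in this file; may be read by the sourced helpers

#######################################
# Print the first line of a config file, trimmed of surrounding whitespace
# and a trailing CR. Prints nothing for a missing/unreadable file.
# Arguments: $1 - file path
#######################################
read_line() {
  local line=
  if [ -f "$1" ] && [ -r "$1" ]; then
    # read fails on a final line without newline but still fills $line
    read -r line < "$1" 2> /dev/null || true
  fi
  printf '%s' "${line%$'\r'}"
}

#######################################
# Print a config value only if it is a plain non-negative integer.
# The value is spliced into an iptables argument string that `rule`
# appears to word-split (LAN2 below relies on that), so anything other
# than digits is refused with a warning instead of being passed on.
# Arguments: $1 - file path
#######################################
read_num() {
  local val
  val=$(read_line "$1")
  case "$val" in
    '') ;;
    *[!0-9]*)
      printf 'ignoring non-numeric value "%s" in %s\n' "$val" "$1" >&2 ;;
    *) printf '%s' "$val" ;;
  esac
}

#######################################
# Print a config value only if it is a colon-separated MAC address in the
# form iptables' mac match accepts; otherwise warn and print nothing.
# Arguments: $1 - file path
#######################################
read_mac() {
  local val re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
  val=$(read_line "$1")
  if [ "$val" = "" ]; then
    return 0
  elif [[ "$val" =~ $re ]]; then
    printf '%s' "$val"
  else
    printf 'ignoring malformed MAC address "%s" in %s\n' "$val" "$1" >&2
  fi
}

#######################################
# Insert a SYN/UDP rate limit for one match in the mangle FORWARD chain.
# Both rules are inserted at the top with -I, so the ACCEPT inserted second
# ends up above the DROP: packets within the limit are accepted, the rest
# fall through to the DROP.
# Arguments: $1 - iptables match, e.g. "-p tcp --syn -s 10.0.0.5"
#            $2 - packets per second
#######################################
rate_limit() {
  rule "-I FORWARD -t mangle $1 -j DROP"
  rule "-I FORWARD -t mangle $1 -m limit --limit $2/s -j ACCEPT"
}

for MA in $ALL; do   # $ALL is a whitespace-separated list; splitting is intended

  # the router's own host number gets no per-host rules
  if [ "$ADR" = "$MA" ]; then
    continue
  fi

  i=${SUBNET}${MA}

  maybeali "$MA"

  if [ "$ALIIP" != "" ]; then
    # nr > 254 can be a computer with IP ALIIP
    i="$ALIIP"
  else
    if (( MA > 254 )); then
      continue
    fi
    # a c-/s- marker file means this number is a class, not a host
    # (what distinguishes c- from s- is not visible here)
    # NOTE(review): hard-coded /ips here vs $IPS below — confirm they agree
    if [ -f "/ips/gro/c-$MA" ] || [ -f "/ips/gro/s-$MA" ]; then
      continue
    fi
  fi

  # per-host limits; presumably handled elsewhere when TOTAL_LIMITS=1
  if [ "$TOTAL_LIMITS" != "1" ]; then

    # connection limits (filter FORWARD): con.out matches the host as
    # source, con.in as destination
    CON=$(read_num "$IPS/con.out/$MA")
    if [ "$CON" != "" ]; then
      rule "-I FORWARD -p tcp --syn -s $i -m connlimit --connlimit-above $CON -j REJECT"
    fi

    CON=$(read_num "$IPS/con.in/$MA")
    if [ "$CON" != "" ]; then
      rule "-I FORWARD -p tcp --syn -d $i -m connlimit --connlimit-above $CON -j REJECT"
    fi

    # new TCP connections per second (-l files)
    LIM=$(read_num "$IPS/con.out/$MA-l")
    if [ "$LIM" != "" ]; then
      rate_limit "-p tcp --syn -s $i" "$LIM"
    fi

    LIM=$(read_num "$IPS/con.in/$MA-l")
    if [ "$LIM" != "" ]; then
      rate_limit "-p tcp --syn -d $i" "$LIM"
    fi

    # UDP packets per second (-u files)
    LIM=$(read_num "$IPS/con.out/$MA-u")
    if [ "$LIM" != "" ]; then
      rate_limit "-p udp -s $i" "$LIM"
    fi

    LIM=$(read_num "$IPS/con.in/$MA-u")
    if [ "$LIM" != "" ]; then
      rate_limit "-p udp -d $i" "$LIM"
    fi

  fi

  # traffic from the host is marked with its host number
  rule "-I PREROUTING -t mangle -s $i -j MARK --set-mark $MA"
  if [ "$QOS_BRIDGE" = "1" ]; then
    # still-unmarked traffic towards the host gets host number + 1024
    MA2=$(( MA + 1024 ))
    rule "-I PREROUTING -t mangle -m physdev --physdev-in $ANYDEV -d $i -m mark --mark 0 -j MARK --set-mark $MA2"
    #rule "-I PREROUTING -t mangle -d $i -m mark ! --mark 256/0xfffc -j MARK --set-mark $MA2"
  fi

  if [ "$i" != "" ]; then
    printf 'setting nat for %s ... ' "$i"
  fi

  # MAC lock: anything else claiming the host's address is dropped
  # (extrapositioned `! --mac-source`, consistent with `! -d` used below)
  MAC=$(read_mac "$IPS/mac/$MA")
  if [ "$MAC" != "" ]; then
    printf ' ( mac %s ) ' "$MAC"
    rule "-I INPUT -s $i -m mac ! --mac-source $MAC -j DROP"
    rule "-I FORWARD -s $i -m mac ! --mac-source $MAC -j DROP"
    #rule " -I PREROUTING -s $i -m mac --mac-source ! $MAC -j REJECT"
  fi

  # an -r marker file opts the host out of SNAT
  if [ -f "/ips/ips/$MA-r" ]; then
    NOSNAT=1
  else
    NOSNAT=
  fi

  if [ "$NOSNAT" = "" ]; then

    if [ "$IPS_LAN2" = "1" ]; then
      # the second LAN stays reachable untranslated
      LAN2="! -d $OURNET"
    else
      LAN2=""
    fi

    if [ "$ALINAT" != "" ]; then
      rule "-I POSTROUTING -t nat -s $i $LAN2 -j SNAT --to-source $ALINAT"
    else
      rule "-I POSTROUTING -t nat -s $i $LAN2 -j SNAT --to-source $OURIP"
    fi

    if [ "$i" != "" ]; then
      echo "ok"
    fi
  else
    echo "no snat"
  fi

  # admin redirect: an -a file names an ADMIN_IP<id> entry of .config
  ADM=$(read_line "$IPS/ips/$MA-a")
  case "$ADM" in
    *[!A-Za-z0-9_]*)
      # $ADM becomes part of a variable name for the indirect expansion
      # below; anything but identifier characters would be a bash error
      printf 'ignoring malformed admin id "%s" in %s\n' "$ADM" "$IPS/ips/$MA-a" >&2
      ADM= ;;
  esac

  if [ "$ADM" != "" ]; then

    X=ADMIN_IP$ADM
    URL=${!X}   # "ip" or "ip:port"
    if [ "$URL" != "" ]; then

      # outbound HTTP from the host is sent to the admin page instead
      rule "-I PREROUTING -t nat -p tcp -s $i --dport 80 ! -d $OURNET -j DNAT --to-destination $URL"

      # split "ip:port"; a bare "ip" means port 80
      IFS=: read -r XIP XPORT _ <<< "$URL"
      if [ "$XPORT" = "" ]; then
        XPORT=80
      fi

      rule "-I INPUT -p tcp -s $i --dport $XPORT -d $XIP -j ACCEPT"

    fi

  fi

done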

