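#!/bin/bash
# Per-host iptables rule set for the lab network.
#
# Depends on two sibling files that are not part of this listing:
#   firewall_base.sh    - expected to define the address variables used below
#                         ($ubuntu_dns, $win_2008_ad, $lan_network, ...), the
#                         chains referenced here (INPUT/FORWARD are built in;
#                         NORMAL, NORMAL_OUT, DEST_INET are custom) and the
#                         accept_new helper
#   firewall_badguys.sh - presumably blocklist rules; contents not visible here
#
# Every call below uses accept_new as
#   accept_new <chain> <source> <destination> <proto> <port-or-port-list>
# and, judging by the "Something to copy" template further down, it adds a
# `-m conntrack --ctstate NEW` ACCEPT rule. Confirm against firewall_base.sh.
#
# Rule ORDER matters to iptables (first match wins), so the rules below are
# kept in exactly the sequence of the original script.

# Locate the helper files relative to this script rather than with a bare
# `source NAME`: bash resolves a slash-less name through $PATH before the
# current directory, so the rule base would silently depend on the caller's
# cwd and a same-named file earlier in $PATH would be run (as root) instead.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1
# Without the rule base there is no accept_new and no address variables, so
# nothing useful can happen; stop instead of spraying "command not found".
# shellcheck source=firewall_base.sh
source "${script_dir}/firewall_base.sh" || exit 1
# shellcheck source=firewall_badguys.sh
source "${script_dir}/firewall_badguys.sh" || exit 1

# Address variables (defined in firewall_base.sh), for reference:
#   dmz network      - centos_ecom / ubuntu_dns
#   internal network - win_2003_ftp / debian_email / win_2008_dfs / win_2008_ad
#   workstations     - ubuntu_ws / win_7_ws / xp_pro_ws
# centos_ecom_ext and win_2008_ad_ext are also used below; from the naming they
# look like a second (external) address of the same hosts -- verify in the base
# file before relying on that reading.

# ---------------------------------------------------------------------------
# Disabled rules, kept for reference. Left commented out on purpose: the
# "Totally trust" set would accept all new traffic between the networks, and
# the last line would accept packets conntrack marks INVALID, which is what the
# INVALID state exists to drop.
# ---------------------------------------------------------------------------
#iptables -A NORMAL -m conntrack --ctstate NEW -s "$extended_network" -d "$extended_network" -j ACCEPT
#iptables -A NORMAL -m conntrack --ctstate NEW -s "$external_network" -d "$extended_network" -j ACCEPT
#iptables -A NORMAL -m conntrack --ctstate NEW -s "$external_network" -d "$external_network" -j ACCEPT
#iptables -A NORMAL -m conntrack --ctstate NEW -s "$extended_network" -d "$external_network" -j ACCEPT
#iptables -A NORMAL -m conntrack --ctstate INVALID -j ACCEPT

# ssh (disabled)
#accept_new INPUT "$any_ip" "$ubuntu_dns" tcp ssh
#accept_new FORWARD "$any_ip" "$centos_ecom" tcp ssh

# Template for a raw rule (something to copy)
#iptables -A NORMAL_OUT -d X -s Y -m conntrack --ctstate NEW -m multiport -p tcp --dports http,https -j ACCEPT

# ---------------------------------------------------------------------------
# Active rules
# ---------------------------------------------------------------------------

# MySQL (3306) on ubuntu_dns, only from centos_ecom on either of its addresses.
accept_new INPUT "$centos_ecom"     "$ubuntu_dns" tcp 3306
accept_new INPUT "$centos_ecom_ext" "$ubuntu_dns" tcp 3306

# DNS served by ubuntu_dns. Only UDP/53 is open; TCP/53 (needed for large
# responses and zone transfers) is currently commented out -- re-enable
# deliberately if clients report truncated answers.
accept_new INPUT "$any_ip" "$ubuntu_dns" udp domain
#accept_new INPUT "$any_ip" "$ubuntu_dns" tcp domain

# --- Windows 2008 R2 (AD) ---

# DNS in, UDP only (same caveat as above).
accept_new FORWARD "$any_ip" "$win_2008_ad" udp domain
#accept_new FORWARD "$any_ip" "$win_2008_ad" tcp domain

# LDAP (389) and LDAPS (636), plus mDNS (5353/udp), into AD from debian_email,
# on both AD addresses.
accept_new FORWARD "$debian_email" "$win_2008_ad"     tcp 389,636
accept_new FORWARD "$debian_email" "$win_2008_ad"     udp 389,636,5353
accept_new FORWARD "$debian_email" "$win_2008_ad_ext" tcp 389,636
accept_new FORWARD "$debian_email" "$win_2008_ad_ext" udp 389,636,5353

# LDAP / LDAPS into AD from centos_ecom (no mDNS), on both AD addresses.
accept_new FORWARD "$centos_ecom" "$win_2008_ad"     tcp 389,636
accept_new FORWARD "$centos_ecom" "$win_2008_ad"     udp 389,636
accept_new FORWARD "$centos_ecom" "$win_2008_ad_ext" tcp 389,636
accept_new FORWARD "$centos_ecom" "$win_2008_ad_ext" udp 389,636

# FTP from the LAN to the DFS host. `tcp ftp` covers the control channel only;
# the data connections rely on the ftp conntrack helper being loaded and
# RELATED traffic being accepted -- presumably handled in firewall_base.sh,
# confirm there.
accept_new NORMAL_OUT "$lan_network" "$win_2008_dfs" tcp ftp

# LAN to the Internet: DNS lookups and web only.
accept_new DEST_INET "$lan_network" "$any_ip" udp domain
accept_new DEST_INET "$lan_network" "$any_ip" tcp http,https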