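#!/bin/bash
# synlength -- iptables chain that rejects TCP SYN / SYN-ACK packets carrying
# bytes beyond the TCP header (i.e. a payload on the connection handshake).
#
# Usage:  synlength start|stop
#
# NOTE: this module is obsolete. It prints a notice and exits right away; the
# remainder of the file is kept for reference only and is never executed.
echo "This module has been obsoleted by the simple test for 0:255 in the"
echo "first byte past the tcp header - thanks Don!"
exit 0

set -u

readonly Me='synlength'
# shellcheck disable=SC2034 — informational only, not read by this script
readonly MyVersion='0.1'
Action="${1:-}"

# Hook rules, shared by start and stop so the -A and -D forms cannot drift
# apart. Every TCP packet with SYN set (plain SYN and SYN/ACK) is sent to the
# $Me chain; loopback traffic is exempt on INPUT.
input_rule=(INPUT ! -i lo -p tcp --tcp-flags SYN SYN -j "$Me")
forward_rule=(FORWARD -p tcp --tcp-flags SYN SYN -j "$Me")
output_rule=(OUTPUT -p tcp --tcp-flags SYN SYN -j "$Me")

case "$Action" in
  start)
    echo "Starting $Me"
    iptables -N "$Me"

    # Serious brain bender: we want to check that there is no payload on a
    # SYN or SYN/ACK. That needs the u32 module, and it gets weird. By the
    # time a packet reaches this chain the SYN flag is already known to be set.
    #
    # For simplicity, packets carrying IP options are dropped up front, so the
    # IP header is always 20 bytes and the u32 tests below only need to cover
    # that case. If IP options are ever allowed again, the table has to be
    # extended with IP header lengths longer than 20.
    iptables -A "$Me" -m ipv4options --any-opt -j DROP

    # u32 expression, left to right:
    #   0>>22&0x3C              IP header length in bytes (IHL * 4) == 20
    #   0>>22&0x3C@12>>26&0x3C  TCP data offset in bytes (header length)
    # The TCP header is 20 bytes with no options and grows in 4-byte steps to
    # at most 60. A handshake packet with no payload therefore has a total
    # length of exactly 20 (IP) + TCP header length; those are let through
    # (RETURN) and everything else falls to the final DROP.
    for ((tcp_hdr = 20; tcp_hdr <= 60; tcp_hdr += 4)); do
      iptables -A "$Me" \
        -m u32 --u32 "0>>22&0x3C=20 && 0>>22&0x3C@12>>26&0x3C=${tcp_hdr}" \
        -m length --length "$((20 + tcp_hdr))" \
        -j RETURN
    done

    # Anything still in the chain is a SYN / SYN-ACK with bytes past the TCP
    # header. The chain is only ever entered with -p tcp, so protocol-specific
    # rules for other protocols would never match here and are omitted.
    iptables -A "$Me" -j DROP

    iptables -A "${input_rule[@]}"
    iptables -A "${forward_rule[@]}"
    iptables -A "${output_rule[@]}"
    ;;
  stop)
    echo "Stopping $Me"
    # Unhook first, then empty and delete the chain (a referenced chain
    # cannot be removed).
    iptables -D "${input_rule[@]}"
    iptables -D "${forward_rule[@]}"
    iptables -D "${output_rule[@]}"
    iptables -F "$Me"
    iptables -X "$Me"
    ;;
  *)
    printf 'Usage: %s start|stop\n' "${0##*/}" >&2
    exit 2
    ;;
esac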