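#!/bin/bash
# tcpchk - maintains an iptables chain that drops TCP segments carrying
# nonsensical flag combinations (NULL, XMAS, SYN+FIN, ...) and segments with
# a source or destination port in 0-19, and hooks that chain into INPUT
# (everything but lo), FORWARD and OUTPUT.
#
# Usage: tcpchk start|stop|version
#   start    create the chain, fill it and hook it in (refuses to run twice)
#   stop     unhook the chain, flush it and delete it
#   version  print the script version
#
# Needs whatever privilege is required to modify the filter table (normally
# root); iptables errors are reported on stderr and reflected in the exit
# status.
#FIXME - sort by flag frequency

set -u

readonly Me='tcpchk'
readonly MyVersion='0.1.1'

# Set to 1 by add_rule() when any rule could not be installed.
rule_failed=0

#######################################
# Print a diagnostic on stderr, prefixed with the script name.
# Arguments: message words
#######################################
warn() {
  printf '%s: %s\n' "$Me" "$*" >&2
}

#######################################
# Append one TCP rule to the $Me chain.
# Globals:   Me (read), rule_failed (set to 1 on failure)
# Arguments: the match/target part of the rule (everything after "-p tcp")
# Returns:   0 if iptables accepted the rule, 1 otherwise
#######################################
add_rule() {
  if ! iptables -A "$Me" -p tcp "$@"; then
    warn "failed to add rule: -p tcp $*"
    rule_failed=1
    return 1
  fi
}

#######################################
# Create and populate the chain, then hook it into the built-in chains.
# Globals:   Me (read), rule_failed (read)
# Returns:   0 when every rule was installed, 1 otherwise
#######################################
do_start() {
  echo "Starting $Me"

  # Refuse to start twice: the original script appended every rule and every
  # jump a second time when the chain already existed.
  if ! iptables -N "$Me"; then
    warn "cannot create chain $Me (already started?); run '${0##*/} stop' first"
    return 1
  fi

  add_rule --sport 0:19 -j DROP
  add_rule --dport 0:19 -j DROP

  # Legend for the bit patterns in the comments below: UAPRSF
  # (URG ACK PSH RST SYN FIN), '?' = don't care.
  #000000 NULL block (confirmed)
  add_rule --tcp-flags ALL NONE -j DROP
  #111111 XMAS block
  add_rule --tcp-flags ALL ALL -j DROP
  #????11 SF block (confirmed)
  add_rule --tcp-flags SYN,FIN SYN,FIN -j DROP
  #???11? SR block (confirmed)
  add_rule --tcp-flags SYN,RST SYN,RST -j DROP
  #???1?1 RF block (confirmed)
  add_rule --tcp-flags RST,FIN RST,FIN -j DROP
  #1???1? SU block (no payload on syn, cannot have urg data)
  add_rule --tcp-flags SYN,URG SYN,URG -j DROP
  #001010 SP block (no payload on syn)
  add_rule --tcp-flags ALL SYN,PSH -j DROP
  #011010 SAP block (no payload on syn/ack)
  add_rule --tcp-flags ALL SYN,ACK,PSH -j DROP
  #?0???1 F, no A block
  add_rule --tcp-flags ACK,FIN FIN -j DROP
  #??0??1 P, no A block
  add_rule --tcp-flags ACK,PSH PSH -j DROP
  #0????1 U, no A block
  add_rule --tcp-flags ACK,URG URG -j DROP
  #RST only? I get them from the razor servers. strange.
  add_rule --tcp-flags ALL RST -j RETURN
  #?0??0? neither S nor A block
  # The LOG rule is rate limited so that a flood of such segments cannot fill
  # the kernel log; the DROP that follows is unconditional.
  add_rule --tcp-flags SYN,ACK NONE -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "FB-$Me "
  add_rule --tcp-flags SYN,ACK NONE -j DROP

  #We put in no rules for these as they're legal for flags, but might get
  #chucked later for a different reason (invalid source/dest address, etc.)
  #011000 PA legal
  add_rule --tcp-flags ALL PSH,ACK -j RETURN
  #010000 A legal
  add_rule --tcp-flags ALL ACK -j RETURN
  #000010 S legal
  add_rule --tcp-flags ALL SYN -j RETURN
  #010010 SA legal
  add_rule --tcp-flags ALL SYN,ACK -j RETURN
  #010001 FA legal
  add_rule --tcp-flags ALL FIN,ACK -j RETURN
  #010100 RA legal
  add_rule --tcp-flags ALL RST,ACK -j RETURN
  #111000 APU (legal, ctrl-c on telnet)
  # NOTE(review): the comment describes APU (ACK,PSH,URG) but the flags given
  # are ACK,PSH,RST (011100); kept as written. Because this rule RETURNs,
  # the count-only RST,ACK,PSH rule further down never matches anything.
  add_rule --tcp-flags ALL ACK,PSH,RST -j RETURN
  #011001 FPA RETURN (FIN implies a push, but we're seeing this on legit traffic)
  add_rule --tcp-flags ALL FIN,PSH,ACK -j RETURN

  # The rules below have no target on purpose: they only count matching
  # segments (visible with 'iptables -vnL tcpchk') so the combinations can
  # be reviewed before deciding whether to DROP them.
  #011100 RAP block?
  add_rule --tcp-flags ALL RST,ACK,PSH #-j DROP
  #110100 RAU block?
  add_rule --tcp-flags ALL RST,ACK,URG #-j DROP
  #111100 RAPU block?
  add_rule --tcp-flags ALL RST,ACK,PSH,URG #-j DROP
  #111001 FPAU block? (FIN implies a push)
  add_rule --tcp-flags ALL FIN,PSH,ACK,URG #-j DROP
  #110000 AU? (APU more likely)
  add_rule --tcp-flags ALL ACK,URG #-j DROP
  #110001 AUF?
  add_rule --tcp-flags ALL ACK,URG,FIN #-j DROP

  # Hook the chain in. Loopback is excluded on INPUT only, as before.
  # ('! -i lo' is the current spelling; iptables deprecates '-i ! lo'.)
  iptables -A INPUT ! -i lo -p tcp -j "$Me" || rule_failed=1
  iptables -A FORWARD -p tcp -j "$Me" || rule_failed=1
  iptables -A OUTPUT -p tcp -j "$Me" || rule_failed=1

  if (( rule_failed )); then
    warn "some rules were not installed; the $Me chain is incomplete"
    return 1
  fi
  return 0
}

#######################################
# Unhook, flush and delete the chain. Best effort: every step is attempted
# even if an earlier one fails (e.g. stop without a preceding start).
# Globals:   Me (read)
# Returns:   0 when everything was removed, 1 otherwise
#######################################
do_stop() {
  echo "Stopping $Me"
  local status=0

  # Unhook first: a chain that is still referenced cannot be deleted.
  iptables -D INPUT ! -i lo -p tcp -j "$Me" || status=1
  iptables -D FORWARD -p tcp -j "$Me" || status=1
  iptables -D OUTPUT -p tcp -j "$Me" || status=1

  # Flushing removes every rule in one go, so the rules need not be deleted
  # one by one; this also keeps stop in sync with whatever start installed.
  iptables -F "$Me" || status=1
  iptables -X "$Me" || status=1

  if (( status )); then
    warn "not everything could be removed (not started?)"
  fi
  return "$status"
}

#######################################
# Dispatch on the requested action.
# Arguments: $1 - start, stop or version
# Returns:   the action's status; exits 2 on an unknown or missing action
#######################################
main() {
  local action=${1-}
  case "$action" in
    start) do_start ;;
    stop) do_stop ;;
    version) printf '%s %s\n' "$Me" "$MyVersion" ;;
    *)
      printf 'Usage: %s start|stop|version\n' "${0##*/}" >&2
      exit 2
      ;;
  esac
}

main "$@"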