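#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Brick specific help ====
# The autoreject module sets up a chain that can be called from other
#firewall rules. It detects what kind of traffic is going by and sets up
#the appropriate reject for that traffic, as opposed to just calling -j
#REJECT which sends a port unreachable, even if the traffic is not udp.
# It specifically sends _no_ reject message in response to the
#following: tcp rst packets, icmp destination unreachables, icmp time
#exceededs, and icmp parameter problems (to avoid rfc-violating loops).
#
# Usage: run as a user allowed to invoke /sbin/iptables through sudo.
# Re-running the brick is safe: the chain is created only if missing and
# is flushed before the rules are (re)appended, so no duplicate rules pile up.

# Abort on the first failed iptables call rather than silently leaving a
# half-built chain behind; an incomplete autoreject chain would fall off the
# end and let traffic through that callers expected to be rejected.
set -eu

#######################################
# Run iptables through sudo with the fixed paths this brick was generated for.
# Arguments: iptables arguments, passed through unchanged
# Returns:   exit status of iptables
#######################################
ipt() {
  /usr/bin/sudo /sbin/iptables "$@"
}

#######################################
# Append one rule to the autoreject chain.
# Arguments: match and target arguments for "iptables -A autoreject"
# Returns:   exit status of iptables
#######################################
autoreject_rule() {
  ipt -A autoreject "$@"
}

# Create the chain only when it does not already exist ("-N" fails on an
# existing chain), then empty it so this brick owns exactly the rules below.
if ! ipt -n -L autoreject >/dev/null 2>&1; then
  ipt -N autoreject
fi
ipt -F autoreject

# Rule order matters: each protocol's silent DROP cases must come before
# that protocol's REJECT, and the proto-unreach catch-all must be last.

# TCP: never answer an RST with another RST (loop avoidance); everything
# else gets a TCP reset, the reject a TCP peer actually understands.
autoreject_rule -p tcp --tcp-flags RST RST -j DROP
autoreject_rule -p tcp -j REJECT --reject-with tcp-reset

# UDP: port unreachable is the appropriate reject here.
autoreject_rule -p udp -j REJECT --reject-with port-unreach

# ICMP: silently drop the error types that must not be answered with
# another error (rfc-violating loops); other ICMP gets host unreachable.
autoreject_rule -p icmp --icmp-type destination-unreachable -j DROP
autoreject_rule -p icmp --icmp-type time-exceeded -j DROP
autoreject_rule -p icmp --icmp-type parameter-problem -j DROP
autoreject_rule -p icmp -j REJECT --reject-with host-unreach

# Anything else (non tcp/udp/icmp): protocol unreachable.
autoreject_rule -j REJECT --reject-with proto-unreach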