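#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Iptables modules required ====
# recent state
#==== Brick specific help ====
# The catchmapreply module identifies people trying to map our network. It
#looks for icmp errors such as proto, host, network, or port
#unreachables, as well as time exceeded in transit errors, and remembers
#the _destination_ ip address of those packets - the IP that sent the
#probe packet.
# Because of the potential for a spoofed source address in a probe
#packet, this is a potentially dangerous module.
#
# Structure: one rule per ICMP error type is appended to a dedicated
# chain, and that chain is hooked into INPUT, FORWARD and OUTPUT.  Every
# iptables call is checked: the original generated script ignored
# failures, so a re-run (chain already present) silently appended a
# second copy of every rule, and a failed call left a partial chain.

set -u

# iptables is always driven through sudo; kept as an array so the two
# words never need word-splitting.
readonly -a IPTABLES=(/usr/bin/sudo /sbin/iptables)
readonly CHAIN=catchmapreply
# Name of the "recent" list that receives the probing host's address.
# Anything that later acts on this list (not part of this file) inherits
# the spoofing caveat from the header: the recorded address is the
# *destination* of an ICMP error, which an attacker can steer by forging
# the source of the probe.
readonly RECENT_LIST=mapper

# ICMP error types whose RELATED replies identify a network mapper.
# Order is the original rule order.
# NOTE(review): plain host-unreachable and port-unreachable are not in
# this list although the help text mentions them - presumably left out
# on purpose (both are very common in normal traffic); confirm before
# adding them.
readonly -a MAP_REPLY_TYPES=(
  protocol-unreachable
  network-unreachable
  TOS-host-unreachable
  TOS-network-unreachable
  host-prohibited
  network-prohibited
  communication-prohibited
  host-unknown
  network-unknown
  time-exceeded
  source-route-failed
  parameter-problem
)

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Append one catch rule to $CHAIN for an ICMP error type: only packets
# the connection tracker marks RELATED are matched, the packet's
# destination address (--rdest) is added to the $RECENT_LIST list, and
# the packet is dropped.
# Globals:   IPTABLES, CHAIN, RECENT_LIST (read)
# Arguments: $1 - iptables --icmp-type name
# Returns:   0 on success; exits via die on failure
#######################################
add_map_reply_rule() {
  local icmp_type=$1
  "${IPTABLES[@]}" -A "$CHAIN" -p icmp --icmp-type "$icmp_type" \
    -m state --state RELATED \
    -m recent --name "$RECENT_LIST" --rdest --set \
    -j DROP || die "could not add $CHAIN rule for icmp type $icmp_type"
}

#######################################
# Create the chain, populate it, and hook it into the built-in chains.
# Globals:   IPTABLES, CHAIN, MAP_REPLY_TYPES (read)
# Returns:   0 on success; exits via die on the first failed iptables call
#######################################
main() {
  local icmp_type

  # Stop here rather than append a second copy of every rule when the
  # chain already exists from an earlier run.
  "${IPTABLES[@]}" -N "$CHAIN" \
    || die "could not create chain $CHAIN (does it already exist?)"

  for icmp_type in "${MAP_REPLY_TYPES[@]}"; do
    add_map_reply_rule "$icmp_type"
  done

  # Loopback traffic is skipped on INPUT/OUTPUT; FORWARD sees everything.
  # "! -i lo" is the extrapositioned negation form; the intrapositioned
  # "-i ! lo" of the generated script is deprecated by iptables.
  "${IPTABLES[@]}" -A INPUT ! -i lo -j "$CHAIN" \
    || die "could not hook $CHAIN into INPUT"
  "${IPTABLES[@]}" -A FORWARD -j "$CHAIN" \
    || die "could not hook $CHAIN into FORWARD"
  "${IPTABLES[@]}" -A OUTPUT ! -o lo -j "$CHAIN" \
    || die "could not hook $CHAIN into OUTPUT"
}

main "$@"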