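#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Iptables modules required ==== ipv4options
#==== Brick specific help ====
# The ipopts module checks for any IP options and discards/logs those
#packets. The Strict and Loose source route IP options are generally
#considered malicious as they can circumvent Internet routing tables. IP
#options are generally not used legitimately, and it is a common practice
#to block them at the firewall.
# IP options (generally malicious) are distinct from TCP options,
#which are generally _not_ malicious and are in common use.
# These rules should be safe to use on any network.

# Stop at the first failed iptables call instead of installing a partial
# rule set (for example when the ipv4options match module is missing).
set -eu

#######################################
# Run iptables through the fixed sudo/binary paths this brick relies on.
# Arguments: iptables arguments, passed through unchanged
# Returns:   the iptables exit status
#######################################
ipt() {
  /usr/bin/sudo /sbin/iptables "$@"
}

#######################################
# Append a rule to a built-in chain unless an identical rule is already
# present (iptables -C), so running the brick twice does not duplicate it.
# Arguments: full rule specification, beginning with the chain name
# Returns:   non-zero only if the append itself fails
#######################################
hook() {
  ipt -C "$@" 2>/dev/null || ipt -A "$@"
}

# Create the brick's own chain. On a re-run the chain already exists;
# flush it rather than appending a second copy of every rule below.
ipt -N ipopts 2>/dev/null || ipt -F ipopts

# The per-option DROP rules are shadowed by --any-opt below, but they are
# kept first so the chain's packet counters show which option types arrive.
ipt -A ipopts -m ipv4options --ssrr -j DROP
ipt -A ipopts -m ipv4options --lsrr -j DROP
ipt -A ipopts -m ipv4options --rr -j DROP
ipt -A ipopts -m ipv4options --any-opt -j DROP

# Only packets carrying at least one IP option are diverted into ipopts.
# Loopback is exempted on INPUT; the negation uses the extrapositioned
# form ("! -i lo"), as the older "-i ! lo" form is deprecated in iptables.
hook INPUT ! -i lo -m ipv4options --any-opt -j ipopts
hook FORWARD -m ipv4options --any-opt -j ipopts
hook OUTPUT -m ipv4options --any-opt -j ipopts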