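#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/

#==== Iptables modules required ====
#addrtype

#==== Brick specific help ====
#	The outputdstaddrtype module checks the destination address for valid and
#invalid address types, as maintained by the kernel.  For example, should
#we really be sending packets to an address the kernel knows is
#administratively prohibited?
#	This module is somewhat experimental, but the checks should be
#conservative enough to safely use.

#==== Review notes ====
# - Scope: iptables filters IPv4 only; nothing in this brick applies to IPv6
#   traffic.
# - Ordering: the jump is appended (-A) to OUTPUT, so a terminating rule that
#   is already in OUTPUT and matches first keeps the packet out of this chain.
# - Re-runs: -N fails when the chain already exists and every -A adds another
#   copy of its rule, so load this once per ruleset (after a flush).
# - Failures are not fatal: each command below is attempted regardless of the
#   previous one.  If the addrtype match is unavailable the chain can end up
#   hooked into OUTPUT with its DROP rules missing; confirm the result with
#   "iptables -S outputdstaddrtype" after loading.

# Both binaries are invoked by absolute path, so the commands do not depend
# on the caller's $PATH.
ipt=(/usr/bin/sudo /sbin/iptables)
chain=outputdstaddrtype

# Create the user-defined chain that holds the destination-type checks.
"${ipt[@]}" -N "$chain"

# Destination types that are dropped.  The chain is only reached for packets
# leaving a non-loopback interface (see the OUTPUT rule at the end).
for dst_type in LOCAL BLACKHOLE UNREACHABLE PROHIBIT; do
  "${ipt[@]}" -A "$chain" -m addrtype --dst-type "$dst_type" -j DROP
done

# Destination types that are handed back to OUTPUT.  RETURN is not ACCEPT:
# the packet continues with whatever rules follow the jump in OUTPUT.
for dst_type in UNSPEC UNICAST BROADCAST ANYCAST MULTICAST THROW NAT XRESOLVE; do
  "${ipt[@]}" -A "$chain" -m addrtype --dst-type "$dst_type" -j RETURN
done

# Send everything that is not leaving via loopback through the chain.
# "! -o lo" is the current negation form; the older "-o ! lo" spelling is
# deprecated by iptables and draws a warning on current releases.
"${ipt[@]}" -A OUTPUT ! -o lo -j "$chain"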