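#!/bin/bash
# Copyright 2004 William Stearns
# Released under the GPL
# Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Iptables modules required ====
# state
#==== Brick specific help ====
# The tcpchk module checks characteristics of tcp traffic.  It
# handles low port (ports 0-19) and illegal tcp flag combinations.  The
# flag rules tend to be conservative, so it should be safe to use these in
# any environment (unless you know you are using small services).
#
# Every rule is installed via sudo, so the invoking user needs sudo rights
# for /sbin/iptables.  The script is deliberately not re-entrant: it creates
# the tcpchk chain and aborts if that chain cannot be created (for example
# because it already exists) instead of silently appending a second copy of
# every rule, which is what an unchecked re-run would do.
#
# "-m state --state" is the legacy connection-tracking match (hence the
# "state" module marker above); "-m conntrack --ctstate" is the modern
# equivalent with the same semantics for the states used here.

set -eu

readonly CHAIN=tcpchk

# Command prefix shared by every rule; kept as an array so it expands safely.
ipt=(/usr/bin/sudo /sbin/iptables)

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append one TCP rule to the tcpchk chain.
# Globals:   ipt (read), CHAIN (read)
# Arguments: iptables match/target options, e.g.
#            tcpchk_rule --tcp-flags ALL NONE -j DROP
# Returns:   exit status of iptables (non-zero aborts under set -e)
#######################################
tcpchk_rule() {
  "${ipt[@]}" -A "$CHAIN" -p tcp "$@"
}

#######################################
# Build the tcpchk chain and hook it into INPUT, FORWARD and OUTPUT.
# Rule order matters: iptables evaluates a chain top to bottom and the first
# matching rule with a target decides.
#######################################
main() {
  # -N fails when the chain already exists; abort rather than duplicate rules.
  if ! "${ipt[@]}" -N "$CHAIN"; then
    die "could not create chain $CHAIN (does it already exist? flush or delete it before re-running)"
  fi

  # Small services (ports 0-19) are dropped in both directions regardless of
  # connection state, so an existing session to such a port is cut as well.
  tcpchk_rule --sport 0:19 -j DROP
  tcpchk_rule --dport 0:19 -j DROP

  # Bare ACK and PSH,ACK are judged by conntrack state.  Packets whose state
  # is INVALID match none of the --state rules in this chain, fall through to
  # the chain end and return to the caller untouched.
  # NOTE(review): an early "-m state --state INVALID -j DROP" would close that
  # gap; left out here to keep the original behaviour.
  tcpchk_rule --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
  tcpchk_rule --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
  tcpchk_rule --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP

  # Flag combinations that do not occur in legitimate TCP (null, all-flags,
  # SYN with FIN/RST/URG, SYN with PSH).
  tcpchk_rule --tcp-flags ALL NONE -j DROP
  tcpchk_rule --tcp-flags ALL ALL -j DROP
  tcpchk_rule --tcp-flags SYN,FIN SYN,FIN -j DROP
  tcpchk_rule --tcp-flags SYN,RST SYN,RST -j DROP
  tcpchk_rule --tcp-flags RST,FIN RST,FIN -j DROP
  tcpchk_rule --tcp-flags SYN,URG SYN,URG -j DROP
  tcpchk_rule --tcp-flags ALL SYN,PSH -j DROP
  tcpchk_rule --tcp-flags ALL SYN,ACK,PSH -j DROP

  # FIN, PSH or URG set without ACK.
  tcpchk_rule --tcp-flags ACK,FIN FIN -j DROP
  tcpchk_rule --tcp-flags ACK,PSH PSH -j DROP
  tcpchk_rule --tcp-flags ACK,URG URG -j DROP

  # Bare RST: only meaningful on an established connection.
  tcpchk_rule --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP

  # Neither SYN nor ACK set (with the ALL/NONE and ACK-less cases above
  # already handled, this catches the remaining flag-less segments).
  tcpchk_rule --tcp-flags SYN,ACK NONE -j DROP

  # Handshake and teardown segments, each judged by conntrack state.
  tcpchk_rule --tcp-flags ALL SYN -m state --state NEW -j RETURN
  tcpchk_rule --tcp-flags ALL SYN -m state --state RELATED -j RETURN
  tcpchk_rule --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
  tcpchk_rule --tcp-flags ALL SYN,ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL SYN,ACK -m state --state NEW,RELATED -j DROP
  tcpchk_rule --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL FIN,ACK -m state --state NEW,RELATED -j DROP
  tcpchk_rule --tcp-flags ALL RST,ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL RST,ACK -m state --state NEW -j RETURN
  tcpchk_rule --tcp-flags ALL RST,ACK -m state --state RELATED -j DROP
  tcpchk_rule --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
  tcpchk_rule --tcp-flags ALL FIN,PSH,ACK -m state --state ESTABLISHED -j RETURN
  tcpchk_rule --tcp-flags ALL FIN,PSH,ACK -m state --state NEW,RELATED -j DROP

  # The rules below carry no -j target.  iptables accepts that: the rule
  # only increments its packet/byte counters and the packet continues down
  # the chain, reaching the chain end and the implicit RETURN.  Kept exactly
  # as generated.
  # NOTE(review): confirm whether counting was intended or a target was lost;
  # RST,ACK,PSH is the same flag set as ACK,PSH,RST handled just above.
  tcpchk_rule --tcp-flags ALL RST,ACK,PSH
  tcpchk_rule --tcp-flags ALL RST,ACK,URG
  tcpchk_rule --tcp-flags ALL RST,ACK,PSH,URG
  tcpchk_rule --tcp-flags ALL FIN,PSH,ACK,URG
  tcpchk_rule --tcp-flags ALL ACK,URG
  tcpchk_rule --tcp-flags ALL ACK,URG,FIN

  # Hook the chain into the built-in chains.  Loopback is exempt on INPUT;
  # "! -i lo" is the current spelling of the deprecated "-i ! lo" form and
  # matches the same packets.
  "${ipt[@]}" -A INPUT ! -i lo -p tcp -j "$CHAIN"
  "${ipt[@]}" -A FORWARD -p tcp -j "$CHAIN"
  "${ipt[@]}" -A OUTPUT -p tcp -j "$CHAIN"
}

main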