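#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Iptables modules required ====
# length u32
#==== Brick specific help ====
# The plength module takes a closer look at the lengths of certain
#types of packets. Certain types of packets should be _at least_ N bytes
#long. For example, since normal fragmentation produces non-terminal
#fragments that are at least the MTU large, we should never see a
#non-terminal packet smaller than 68 bytes (the rfc791 minimum MTU) or
#even less than 512 bytes (the Internet practical minimum MTU). See the
#notes in this file for more details about the packet types and reasons
#for their minimums lengths.
# We have put enough thought into this module that it _should_ be
#safe to use, but it could really use a few days on an unprotected ISP
#router to be sure I haven't missed some subtle issue. It might be
#worth running this with an action of NONE for a few hours before putting
#it into production use.
#
# What this script does: creates a user chain "plength" holding one rule
# per "packet shorter than its type allows" condition, then sends every
# packet of 512 bytes or less from INPUT (non-loopback), FORWARD and
# OUTPUT through that chain.
#
# None of the rules inside plength carries a -j target (this is the
# Modwall action NONE mentioned above), so a match only increments the
# rule's packet/byte counters; nothing is dropped or logged until an
# action is attached.
#
# Every command runs through sudo exactly as the generated original did,
# and a failing command does not stop the script (no set -e), so a
# pre-existing "plength" chain leads to duplicated rules rather than an
# abort. Check `iptables -nvL plength` afterwards.

readonly SUDO=/usr/bin/sudo
readonly IPTABLES=/sbin/iptables

#######################################
# Run one iptables command with root privileges.
# Arguments: the iptables arguments, passed through unchanged
# Outputs:   whatever iptables prints
# Returns:   iptables' exit status
#######################################
ipt() {
  "$SUDO" "$IPTABLES" "$@"
}

# NOTE: the u32 expressions below contain '&', '>>' and '&&'. Unquoted,
# bash reads those as backgrounding, an append redirection and a command
# separator, so the match never reaches iptables. Each --u32 argument is
# therefore single-quoted so it arrives as one literal string.

ipt -N plength

# ---- Fragment sanity (IP header bytes 4-7: id, flags, fragment offset) ----
# Word at offset 4 masked with 0x3FFF = MF flag plus 13-bit fragment
# offset; non-zero means "part of a fragmented datagram". Flag a TCP SYN
# that arrives that way.
ipt -A plength -p tcp --tcp-flags SYN SYN -m u32 --u32 '4&0x3FFF=1:0x3FFF'

# Word at offset 3 masked with 0x20, shifted down = the MF (More
# Fragments) bit of header byte 6. MF set means a non-terminal fragment,
# which must be at least the path MTU long: first the RFC 791 minimum of
# 68 bytes, then the 512-byte practical Internet minimum.
ipt -A plength -m u32 --u32 '3&0x20>>5=1' -m length --length 0:67
ipt -A plength -m u32 --u32 '3&0x20>>5=1' -m length --length 68:511

# MF clear and fragment offset (word@4 & 0x1FFF) non-zero = terminal
# fragment; one that is only a bare 20-byte IP header carries no data.
ipt -A plength -m u32 --u32 '3&0x20>>5=0 && 4&0x1FFF=1:65535' -m length --length 0:20

# Any other fragment leaves the chain here: the per-protocol minimums
# below assume the transport header is present in the packet.
ipt -A plength -m u32 --u32 '4&0x3FFF=1:65535' -j RETURN

# ---- Per-protocol minimum total length (20-byte IP header + header) ----
ipt -A plength -p udp  -m length --length 0:27   # UDP header is 8 bytes
ipt -A plength -p tcp  -m length --length 0:39   # TCP header is 20 bytes
ipt -A plength -p icmp -m length --length 0:27   # ICMP header is 8 bytes
ipt -A plength -p 30   -m length --length 0:31   # protocol 30 (NETBLT)
ipt -A plength -p 47   -m length --length 0:39   # protocol 47 (GRE)
ipt -A plength -p 50   -m length --length 0:49   # protocol 50 (ESP)
ipt -A plength -p 51   -m length --length 0:35   # protocol 51 (AH)
# Anything else shorter than a bare IP header.
ipt -A plength -m length --length 0:19

# ---- Hook the chain in; only packets of 512 bytes or less need it ----
# "! -i lo" is the current spelling of the original "-i ! lo"
# (intrapositioned negation is deprecated in iptables).
ipt -A INPUT ! -i lo -m length --length 0:512 -j plength
ipt -A FORWARD -m length --length 0:512 -j plength
ipt -A OUTPUT -m length --length 0:512 -j plength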