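#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Iptables modules required ==== recent
#==== Brick specific help ====
# The punishmapper module punishes people that have already violated one of
#our security policies (they've _already_ sent in syn/fin packets,
#portscans, probes, etc.).  Their addresses are already in a kernel table
#of offending source addresses, courtesy of the ipt_recent match module.
# This table is called after we've checked for nasty traffic, but
#before the normal allow rules.  We now treat any other packets from that
#host as hostile and log and drop them.
# This is by no means a sure thing; we're implementing an
#Intrusion Prevention system, with all its caveats and issues.  You may
#wish to tread carefully with this one.
#
# Tunables (environment overrides; the defaults are the generated values):
#   PUNISH_SECONDS    how long after its last `mapper` hit a source stays punished
#   PUNISH_LOG_LIMIT  rate cap on LOG entries, in iptables -m limit syntax
#   PUNISH_LOG_BURST  burst allowance for that rate cap
#
# Any failed chain creation or rule insertion aborts the script instead of
# silently leaving a partially installed policy behind.
set -eu

readonly PUNISH_SECONDS="${PUNISH_SECONDS:-60}"
readonly PUNISH_LOG_LIMIT="${PUNISH_LOG_LIMIT:-10/second}"
readonly PUNISH_LOG_BURST="${PUNISH_LOG_BURST:-15}"

# One definition of how iptables is invoked, kept as an array so it expands
# into separate words without relying on word-splitting.
ipt=(/usr/bin/sudo /sbin/iptables)

# Match for packets whose source address is currently in the `mapper` table.
# --rcheck only tests the entry; it does not refresh its timestamp, so the
# punishment window runs from whatever last --set/--update the entry elsewhere.
punished=(-m recent --name mapper --rcheck --seconds "$PUNISH_SECONDS")

"${ipt[@]}" -N punishmapper

# Log first, rate-limited so an offender cannot flood the log.  Packets that
# exceed the limit fall through to the DROP rule below and are still dropped.
"${ipt[@]}" -A punishmapper "${punished[@]}" \
  -m limit --limit "$PUNISH_LOG_LIMIT" --limit-burst "$PUNISH_LOG_BURST" \
  -j LOG --log-prefix punishmapper_
"${ipt[@]}" -A punishmapper "${punished[@]}" -j DROP

# Hook the chain into the built-in chains; loopback is exempt on INPUT/OUTPUT.
# Extrapositioned negation (! -i lo) is the form current iptables accepts
# without a deprecation warning; the match is unchanged.
"${ipt[@]}" -A INPUT ! -i lo -j punishmapper
"${ipt[@]}" -A FORWARD -j punishmapper
# NOTE(review): -m recent tests the *source* address by default (--rsource),
# so on OUTPUT this only fires if the local host's own address is in `mapper`;
# confirm that is the intended behaviour.
"${ipt[@]}" -A OUTPUT ! -o lo -j punishmapper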