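#!/bin/bash
#Copyright 2004 William Stearns
#Released under the GPL
#Automatically generated by Modwall, http://www.stearns.org/modwall/
#==== Brick specific help ====
#
# The syncapture module sends all packets with SYN set up to userspace to
#be stored in a libpcap file (or wherever ulogd decides to send it).
#This will capture SYN and SYN/ACK packets that tools like p0f and
#ettercap like to do their OS fingerprinting, as well as providing the
#firewall administrator with essentially enough packet logging to be able
#to reconstruct all TCP connection attempts (both successful and not).
#Note that the third packet of a three way handshake is not saved to the
#pcap file.
# In addition to the normal SYN and SYN/ACK packets, this will
#capture _any_ packets with the SYN bit set, including SYN/FIN, SYN/RST,
#etc.
# If Ulogd is not running or not available, you will probably want
#to change the default action to LOG (but remember that the rate limiting
#used on LOG may lose some events).
# This module carries a small risk of filling up your log drive if
#you come under attack. With that warning, it should be safe to use
#otherwise.

# Abort on an unset variable or a failing iptables call rather than leaving
# the chain half-built with later rules pointing at it.
set -eu

# Target for packets once they reach the syncapture chain.  ULOG (the
# original default) hands them to ulogd; export SYNCAPTURE_TARGET=LOG when
# ulogd is not available (see the note above about LOG's rate limiting).
# NFLOG is the userspace-logging replacement on kernels that no longer
# provide ULOG.  The value is passed to iptables as a single argument.
SYNCAPTURE_TARGET=${SYNCAPTURE_TARGET:-ULOG}

readonly SUDO=/usr/bin/sudo
readonly IPTABLES=/sbin/iptables
readonly CHAIN=syncapture

#######################################
# Run iptables under sudo with the given arguments.
# Arguments: iptables command line
# Returns:   iptables' exit status
#######################################
ipt() {
  "$SUDO" "$IPTABLES" "$@"
}

#######################################
# Append a rule unless an identical one is already present, so re-running
# this brick does not stack duplicate copies of every rule.  iptables
# releases that predate -C fail the check and simply append, as before.
# Arguments: chain followed by the rule specification
# Returns:   0 if the rule is present afterwards, non-zero otherwise
#######################################
ipt_add() {
  ipt -C "$@" 2>/dev/null || ipt -A "$@"
}

# Create the capture chain only if it does not exist yet; with set -e an
# unconditional -N would abort a second run of this brick.
ipt -L "$CHAIN" -n >/dev/null 2>&1 || ipt -N "$CHAIN"
ipt_add "$CHAIN" -j "$SYNCAPTURE_TARGET"

# Divert every packet with the SYN bit set (SYN, SYN/ACK, SYN/FIN, ...) into
# the capture chain.  INPUT skips loopback; FORWARD and OUTPUT carry no such
# exclusion, so locally generated loopback SYNs are still seen via OUTPUT.
# "-i ! lo" is the older intrapositioned negation; newer iptables prefers
# "! -i lo" and warns, but still accepts this form.
ipt_add INPUT -i ! lo -p tcp --tcp-flags SYN SYN -j "$CHAIN"
ipt_add FORWARD -p tcp --tcp-flags SYN SYN -j "$CHAIN"
ipt_add OUTPUT -p tcp --tcp-flags SYN SYN -j "$CHAIN"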