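#!/bin/bash
#
# Builds the THREAT chain: logs and discards TCP segments whose flag
# combinations do not occur in normal traffic (XMAS, NULL, bare ACK on a
# new connection, bare FIN, and two FIN/PSH/URG variants), then hooks the
# chain into INPUT and FORWARD.
#
# Origin (from the original header note): taken from alan's code.
#
# Required environment:
#   IPT - the iptables command to run. It is not assigned in this file, so
#         it has to come from the caller.
#
# Review notes:
#   * The jumps are added with -A, so THREAT is consulted only for packets
#     that no earlier INPUT/FORWARD rule has already accepted or dropped.
#     Those earlier rules are not visible here; confirm the ordering.
#   * Running this twice fails on "-N THREAT" and appends every rule a
#     second time; nothing here flushes or checks for existing rules.
#   * If IPT is the IPv4 iptables binary, IPv6 traffic is not covered.

#######################################
# Create and attach the THREAT chain.
# Globals:   IPT (read)
# Arguments: none
# Outputs:   an error on stderr when IPT is unset or empty
# Returns:   1 when IPT is unset or empty; otherwise the status of the
#            last iptables call. Earlier calls are not checked, exactly
#            as in the original flat script.
#######################################
install_threat_chain() {
  # Without this guard an unset IPT turns every line below into a bogus
  # command ("-N", "-A", ...): the script would finish with no rules
  # installed and the firewall would silently stay open.
  if [[ -z "${IPT:-}" ]]; then
    printf '%s\n' "install_threat_chain: IPT is not set; no rules installed" >&2
    return 1
  fi

  # $IPT is left unquoted on purpose: the caller may have put options in
  # it next to the binary name (not verifiable from this file).
  $IPT -N THREAT

  # Each LOG rule is limited to 3 entries per minute (burst 3) so a scan
  # cannot flood the log. The DROP rule that follows it is not limited:
  # every matching packet is dropped, only some of them are logged.

  # XMAS: every TCP flag set.
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL ALL \
    -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "XMAS packet/scan "
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL ALL -j DROP

  # NULL: no TCP flag set.
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL NONE \
    -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "NULL packet/scan "
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL NONE -j DROP

  # ACK only, on a connection the state match reports as NEW.
  # NOTE(review): segments of legitimate connections that the tracker has
  # forgotten (timeout, table flush) may also match here - confirm this
  # is acceptable. "-m state" is the older spelling of
  # "-m conntrack --ctstate".
  $IPT -A THREAT -m tcp -m state -p tcp --tcp-flags ALL ACK \
    -m limit --limit 3/minute --limit-burst 3 --state NEW -j LOG --log-prefix "ACK packet/scan "
  $IPT -A THREAT -m tcp -m state -p tcp --tcp-flags ALL ACK --state NEW -j DROP

  # FIN only.
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL FIN \
    -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FIN packet/scan "
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL FIN -j DROP

  # SYN+PSH+FIN+URG and PSH+FIN+URG are answered with a TCP reset instead
  # of being dropped. Unlike the rules above, these two have no LOG rule,
  # so matches leave no trace in the log.
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL SYN,PSH,FIN,URG \
    -j REJECT --reject-with tcp-reset
  $IPT -A THREAT -m tcp -p tcp --tcp-flags ALL PSH,FIN,URG \
    -j REJECT --reject-with tcp-reset

  # Anything else goes back to the calling chain untouched.
  $IPT -A THREAT -j RETURN

  # Attach the chain at the end of INPUT and FORWARD.
  $IPT -A INPUT -j THREAT
  $IPT -A FORWARD -j THREAT
}

install_threat_chain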