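#!/bin/bash
# Copyright 2004 William Stearns
# Released under the GPL
# Automatically generated by Modwall, http://www.stearns.org/modwall/
# Note that this module depends on system specific configuration
# so your output will differ.
#
# ==== Iptables modules required ====
# state
# (the limit match is used by the LOG rule below as well)
#
# ==== Brick specific help ====
# The pasvmap module doesn't block any traffic, but simply passively
# logs any tcp servers to syslog. It does this by logging established
# SYN/ACK packets; these must have come from a real server at the logged
# source IP address and source port.
# Any "IP Port" pairs listed in /var/lib/modwall//tcpservers are returned
# before hitting the log rule; place any known servers here.
# The only reason why you might want to avoid this module is
# because it may log heavily. Otherwise it should be universally safe.
#
# Notes on this revision:
# - sudo and iptables are invoked by absolute path, so the rules do not
#   depend on the caller's PATH.
# - The loopback exclusion uses extrapositioned negation (`! -i lo`);
#   the intrapositioned form (`-i ! lo`) is deprecated in iptables 1.4.x
#   and prints a warning on every run.
# - Deliberately no `set -e`: like the generated original, each rule is
#   added independently, so a failing `-N` (chain already present) does
#   not stop the remaining rules from being appended.

# Run iptables through sudo with fixed paths; "$@" forwards each rule
# argument as its own word.
ipt() {
  /usr/bin/sudo /sbin/iptables "$@"
}

# Match only the SYN/ACK handshake reply (SYN and ACK set, FIN and RST
# clear) belonging to a connection conntrack already tracks.
readonly -a synack_match=(
  -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK
  -m state --state established
)

# Dedicated chain holding a rate-limited LOG so a busy host cannot
# flood syslog. The fixed --log-prefix lets syslog/SIEM rules pick
# these entries out of the kernel log.
ipt -N pasvmap
ipt -A pasvmap -m limit --limit 10/second --limit-burst 15 \
  -j LOG --log-prefix MW-livetcpserver_

# Divert matching SYN/ACKs from every built-in chain to pasvmap.
# Loopback is skipped in INPUT so local-only services are not logged.
# FORWARD carries both directions of routed traffic, so remote servers
# answering forwarded clients are logged alongside servers behind this
# host.
ipt -A INPUT ! -i lo "${synack_match[@]}" -j pasvmap
ipt -A FORWARD "${synack_match[@]}" -j pasvmap
ipt -A OUTPUT "${synack_match[@]}" -j pasvmap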