Drop invalid packets

src/freedombone-utils-firewall

@@ -136,8 +136,15 @@ function configure_firewall {
     iptables -A INPUT -i lo -j ACCEPT
     iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
+    # Drop invalid packets
+    iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+
     # Make sure incoming tcp connections are SYN packets
     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+    iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+
+    # Drop SYN packets with suspicious MSS value
+    iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
 
     # Drop packets with incoming fragments
     iptables -A INPUT -f -j DROP