From b029bd493f455c1d1a9de385f7a6f33235ac5637 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 2 Oct 2014 10:02:11 +0100
Subject: [PATCH] Drop bogons

---
 install-freedombone.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/install-freedombone.sh b/install-freedombone.sh
index 968699df..e4af6975 100755
--- a/install-freedombone.sh
+++ b/install-freedombone.sh
@@ -882,6 +882,21 @@ function configure_firewall {
 ip6tables -P INPUT DROP
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Make sure incoming tcp connections are SYN packets
+ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+ # Drop packets with incoming fragments
+ iptables -A INPUT -f -j DROP
+
+ # Drop bogons
+ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+ iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+ iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # Incoming malformed NULL packets:
+ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
 echo 'configure_firewall' >> $COMPLETION_FILE
 }
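Review bot: The new `! --syn` rule uses the legacy `-m state --state NEW` match while the context line directly above it uses `-m conntrack --ctstate ESTABLISHED,RELATED`; for consistency, and because `state` is only a compatibility alias for `conntrack` on current kernels, change it to `iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP`. The `iptables -A INPUT -f -j DROP` rule is, as far as I know, mostly a no-op on this host: once conntrack is in use (the rule above loads it) the kernel reassembles IPv4 fragments before the INPUT chain is evaluated, so `-f` seldom matches, and a comment such as `# only effective when conntrack defragmentation is not active` would keep a later reader from relying on it. All of the added rules are IPv4-only, which is harmless while `ip6tables -P INPUT DROP` stays the policy with no IPv6 accept rules, but the `# Drop bogons` comment should say so explicitly (e.g. `# IPv4 only; ip6tables INPUT policy is DROP`). configure_firewall begins before this hunk; only its closing brace is visible here.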