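#!/bin/bash
# Runtime kernel network hardening: applies a fixed set of IPv4 / ICMP /
# conntrack sysctls to the running kernel.
#
# Usage: run as root, e.g. `sudo ./harden-net.sh`.
# Environment:
#   IP_FORWARD   0 (default) or 1. Set to 1 only when this host is a router;
#                an end host has no need to relay packets between interfaces.
#
# Note: `sysctl -w` changes the live kernel only. To keep these settings
# across a reboot the same keys must also be placed in /etc/sysctl.conf or
# /etc/sysctl.d/*.conf (not done here).
set -euo pipefail

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Set one sysctl key, aborting the script if the kernel rejects it.
# The original script ignored sysctl failures, which silently left a host
# un-hardened; here any failure is fatal and named.
# Arguments: $1 - sysctl key, $2 - value
# Outputs:   sysctl's own "key = value" confirmation on stdout
#######################################
set_sysctl() {
  local key=$1
  local value=$2
  sysctl -w -- "${key}=${value}" || die "failed to set ${key}=${value}"
}

#######################################
# Apply the hardening set.
# Globals:   IP_FORWARD (read), EUID (read)
# Returns:   0 on success; exits non-zero via die on any failure
#######################################
main() {
  # sysctl -w needs root; fail early with a clear message instead of a
  # stream of "permission denied" errors.
  (( EUID == 0 )) || die "this script must be run as root"

  # ICMP: drop bogus error responses, ignore all echo requests and broadcast
  # echo requests (the latter prevents participation in smurf amplification),
  # and rate-limit the remaining ICMP output.
  # NOTE: icmp_echo_ignore_all=1 also blocks legitimate ping-based health
  # checks and monitoring; it is a policy choice, not a fix for an insecure
  # default. Drop this line if ping visibility is required.
  set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
  set_sysctl net.ipv4.icmp_echo_ignore_all 1
  set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
  set_sysctl net.ipv4.icmp_ratelimit 1000

  # Per-interface settings on the "all" set: refuse ICMP redirects and
  # source-routed packets, enable strict reverse-path filtering and log
  # packets with impossible (martian) source addresses.
  # NOTE: these cover net.ipv4.conf.all.* only; the corresponding
  # net.ipv4.conf.default.* keys, which seed interfaces created later,
  # are not touched by this script.
  set_sysctl net.ipv4.conf.all.accept_redirects 0
  set_sysctl net.ipv4.conf.all.accept_source_route 0
  set_sysctl net.ipv4.conf.all.rp_filter 1
  set_sysctl net.ipv4.conf.all.log_martians 1

  # IPv4 forwarding is only needed on a router; enabling it on an end host
  # turns the box into a packet relay. The original script enabled it
  # unconditionally despite its own comment saying otherwise, so it is now
  # gated on IP_FORWARD and defaults to off.
  local forward=${IP_FORWARD:-0}
  [[ "$forward" == 0 || "$forward" == 1 ]] || die "IP_FORWARD must be 0 or 1, got '${forward}'"
  set_sysctl net.ipv4.ip_forward "$forward"

  # SYN cookies keep the listen backlog usable under a SYN flood.
  set_sysctl net.ipv4.tcp_syncookies 1

  # Only track TCP connections whose handshake was observed (no mid-stream
  # pickup of unseen connections). The key name depends on which conntrack
  # implementation the kernel uses; probe for the actual /proc entry rather
  # than the directory, because the directory can exist while the conntrack
  # module (and therefore the key) is not loaded.
  if [[ -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]]; then
    set_sysctl net.netfilter.nf_conntrack_tcp_loose 0
  elif [[ -e /proc/sys/net/ipv4/ip_conntrack_tcp_loose ]]; then
    set_sysctl net.ipv4.ip_conntrack_tcp_loose 0
  else
    # Not fatal: a host without conntrack loaded has nothing to tighten here,
    # but say so rather than silently skipping the setting.
    printf 'warning: no conntrack tcp_loose key found (conntrack not loaded?); skipping\n' >&2
  fi
}

main "$@"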