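#!/bin/sh
#
# Start/stop/restart some network kernel parameters (IPv4 hardening knobs
# written directly through /proc/sys).
#
# Usage: $0 start|stop|restart
#
# Operator notes:
#   - Must run as root; every write is checked and a warning is printed to
#     stderr if it fails, instead of being lost in a redirect.
#   - Entries that do not exist on this kernel are skipped, so a missing
#     knob does not leave the rest of the hardening unapplied.
#   - `stop` does NOT restore kernel defaults: it re-enables source routing
#     and ICMP redirect acceptance, which is more permissive than a stock
#     kernel. Treat `stop` as "deliberately un-harden".
#   - The per-interface glob under /proc/sys/net/ipv4/conf/*/ covers the
#     interfaces present at run time plus the "all" and "default" entries.

# Write one value to one /proc/sys entry.
#   $1 - absolute path of the entry
#   $2 - value to write
# Returns 0 if the entry is absent (skipped) or written; 1 on write error
# (typically not root). Never aborts the caller.
set_knob() {
  knob=$1
  value=$2
  [ -e "$knob" ] || return 0
  if ! printf '%s\n' "$value" > "$knob" 2>/dev/null; then
    printf '%s: cannot write %s to %s\n' "$0" "$value" "$knob" >&2
    return 1
  fi
  return 0
}

# Write one value to every per-interface entry named $1 under
# /proc/sys/net/ipv4/conf/.
#   $1 - entry name, e.g. rp_filter
#   $2 - value to write
# An unmatched glob leaves the literal pattern, which set_knob skips.
set_conf_knobs() {
  name=$1
  value=$2
  for entry in /proc/sys/net/ipv4/conf/*/"$name"; do
    set_knob "$entry" "$value"
  done
}

# Apply the hardening values.
start() {
  # Enable broadcast echo protection
  set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Disable source-routed packets
  set_conf_knobs accept_source_route 0
  # Enable TCP SYN cookie protection
  set_knob /proc/sys/net/ipv4/tcp_syncookies 1
  # Disable ICMP redirect acceptance
  set_conf_knobs accept_redirects 0
  # Don't send redirect messages
  set_conf_knobs send_redirects 0
  # Drop spoofed packets coming in on an interface, where responses
  # would result in the reply going out a different interface.
  set_conf_knobs rp_filter 1
  # Log packets with impossible addresses.
  set_conf_knobs log_martians 1
  # Be verbose on dynamic IP addresses (not needed in case of static IP)
  set_knob /proc/sys/net/ipv4/ip_dynaddr 2
  # Disable Explicit Congestion Notification:
  # too many routers are still ignorant
  set_knob /proc/sys/net/ipv4/tcp_ecn 0
}

# Reverse the hardening values. Note that accept_source_route and
# accept_redirects are set to 1 here, which is more permissive than the
# usual kernel default of 0 — this is the original script's behaviour, kept
# for compatibility, not a "restore defaults".
stop() {
  set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 0
  set_conf_knobs accept_source_route 1
  set_knob /proc/sys/net/ipv4/tcp_syncookies 0
  set_conf_knobs accept_redirects 1
  set_conf_knobs send_redirects 1
  set_conf_knobs rp_filter 0
  set_conf_knobs log_martians 0
  set_knob /proc/sys/net/ipv4/ip_dynaddr 0
  set_knob /proc/sys/net/ipv4/tcp_ecn 1
}

case "$1" in
  'start')
    start
    ;;
  'stop')
    stop
    ;;
  'restart')
    stop
    start
    ;;
  *)
    # Usage errors go to stderr and exit non-zero so init/automation
    # can tell a bad invocation from a successful run.
    printf 'usage %s start|stop|restart\n' "$0" >&2
    exit 1
    ;;
esac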