From eee064eb93d1ee3f1db56a9634015ba23e3b0e92 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 5 Feb 2015 20:33:17 -0500
Subject: [PATCH] tighten up kernel tcp/ip settings

---
 rootdir/init.rc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index b98443a..f30baf4 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -124,6 +124,21 @@ on init
 write /proc/sys/net/ipv4/conf/all/accept_redirects 0
 write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # IPv4 hardening
+ #
+ # reverse path filtering is done with netfilter for consistency with IPv6
+ write /proc/sys/net/ipv4/tcp_rfc1337 1
+ write /proc/sys/net/ipv4/conf/all/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv4/conf/all/send_redirects 0
+ write /proc/sys/net/ipv4/conf/default/send_redirects 0
+
+ # IPv6 hardening
+ write /proc/sys/net/ipv6/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+
 # Create cgroup mount points for process groups
 mkdir /dev/cpuctl
 mount cgroup none /dev/cpuctl cpu
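Review bot: The "IPv6 hardening" section leaves source routing untouched, whereas the IPv4 section disables it for both `all` and `default`; the kernel's IPv6 default for `accept_source_route` is 0, which still accepts type-2 routing headers, so the parallel hardening would be `write /proc/sys/net/ipv6/conf/all/accept_source_route -1` and the same line for `default`, unless that is already set elsewhere in this file. The comment stating that reverse-path filtering is handled by netfilter cannot be checked from this hunk; naming the script or rule set that installs those rules in the comment would let a reader verify the claim rather than take it on trust. The enclosing `on init` section starts before this hunk and continues after it.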