--- /dev/null
+# nether iptables rules
+*nat
+:PREROUTING ACCEPT [214977:18048203]
+:INPUT ACCEPT [24506:3910785]
+:OUTPUT ACCEPT [46836:3016993]
+:POSTROUTING ACCEPT [45527:2930737]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [1008811:2134498122]
+:INPUT ACCEPT [948545:2129919738]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [816152:74580343]
+:POSTROUTING ACCEPT [824147:75308906]
+-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p udp -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p icmp -j NFQUEUE --queue-num 0 --queue-bypass
+COMMIT
+*filter
+:INPUT ACCEPT [927054:2081201095]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [805408:74228055]
+:NETHER-ALLOWLOG - [0:0]
+:NETHER-DENY - [0:0]
+-A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
+-A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
+-A NETHER-ALLOWLOG -j AUDIT --type accept
+-A NETHER-DENY -j AUDIT --type reject
+-A NETHER-DENY -j REJECT --reject-with icmp-port-unreachable
+COMMIT
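Review bot: The three NFQUEUE rules on the mangle OUTPUT chain all carry `--queue-bypass`, so whenever no userspace process is bound to queue 0 the packets are accepted unmarked and the mark-based jumps into NETHER-DENY and NETHER-ALLOWLOG in the filter table never match; the file does not say whether this fail-open behaviour is intended. A comment above those rules would make it explicit, e.g. `# --queue-bypass: with no handler on queue 0 traffic passes unmarked (fail-open); NETHER-DENY only enforces while the userspace handler is running`. The chain headers also preserve live packet/byte counters such as `[214977:18048203]`; iptables-restore ignores them unless run with `-c`, so `[0:0]` would keep the committed file free of host-specific noise. Note as well that the TCP rule queues only NEW connections to port 443 while the UDP and ICMP rules queue every packet of those protocols, which is worth stating in the header comment if deliberate.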
--- /dev/null
+#!/bin/bash
+DENY_CHAIN="NETHER-DENY"
+ALLOWLOG_CHAIN="NETHER-ALLOWLOG"
+TEST_HOST="198.145.20.7"
+TEST_PORT=443
+TEST_PROTO="tcp"
+TEST_QUEUE=0
+AUDITCTL=auditctl
+DENY_MARK="0x3"
+ALLOWLOG_MARK="0x4"
+
+function runcmd {
+ echo -ne "\t>> $@\n"
+ $@
+}
+
+function clean {
+ echo "Cleanup"
+ echo
+ iptables -t mangle -D OUTPUT -m state --state NEW -p $TEST_PROTO -d $TEST_HOST --dport $TEST_PORT -j NFQUEUE --queue-num 0 --queue-bypass 2> /dev/null
+ iptables -D OUTPUT -m mark --mark $DENY_MARK -j $DENY_CHAIN 2> /dev/null
+ iptables -D OUTPUT -m mark --mark $ALLOWLOG_MARK -j $ALLOWLOG_CHAIN 2> /dev/null
+ iptables -F $DENY_CHAIN 2> /dev/null
+ iptables -F $ALLOWLOG_CHAIN 2> /dev/null
+ iptables -X $DENY_CHAIN 2> /dev/null
+ iptables -X $ALLOWLOG_CHAIN 2> /dev/null
+ echo
+}
+
+function create {
+ echo "Creating chain"
+ echo
+ runcmd iptables -N $DENY_CHAIN
+ runcmd iptables -N $ALLOWLOG_CHAIN
+ runcmd iptables -A $DENY_CHAIN -j AUDIT --type REJECT
+ runcmd iptables -A $DENY_CHAIN -j REJECT
+ runcmd iptables -A $ALLOWLOG_CHAIN -j AUDIT --type ACCEPT
+ echo
+}
+
+function create_rules {
+ echo "Writing rules to output chain $OUTPUT_CHAIN"
+ echo
+ runcmd iptables -t mangle -A OUTPUT -m state --state NEW -p $TEST_PROTO -d $TEST_HOST --dport $TEST_PORT -j NFQUEUE --queue-num 0 --queue-bypass
+ runcmd iptables -A OUTPUT -m mark --mark $DENY_MARK -j $DENY_CHAIN
+ runcmd iptables -A OUTPUT -m mark --mark $ALLOWLOG_MARK -j $ALLOWLOG_CHAIN
+ echo
+}
+
+function enable_audit {
+ if type $AUDITCTL; then
+ echo -n "Enable audit: "
+ runcmd $AUDITCTL -e 1 >/dev/null
+ if [ $? == 0 ]; then
+ echo "OK"
+ else
+ echo "Failed"
+ fi
+ else
+ echo "$AUDITCTL does not exist, can't enable audit"
+ fi
+ echo
+}
+
+clean
+create
+create_rules
+enable_audit
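Review bot: `create_rules` prints `$OUTPUT_CHAIN` in its status message, but nothing in the script defines that variable, so the message always ends in an empty name and would abort under `set -u`. The same function and `clean` hard-code `--queue-num 0` even though `TEST_QUEUE=0` is declared at the top, so changing the constant silently leaves both rules on queue 0; each should read `--queue-num "$TEST_QUEUE"`. `runcmd` expands `$@` unquoted in both the trace echo and the invocation, which re-splits any argument containing spaces or glob characters before it reaches iptables; `"$*"` for the trace line and `"$@"` for the call preserve the arguments as given. In `enable_audit`, `type $AUDITCTL` writes its own lookup output to stdout ahead of the `Enable audit:` prefix; `command -v "$AUDITCTL" >/dev/null` is the quiet form of the same check.
```shell
function runcmd {
 printf '\t>> %s\n' "$*"
 "$@"
}
# … unchanged: clean (use --queue-num "$TEST_QUEUE" there too), create …
function create_rules {
 echo "Writing rules to OUTPUT chain"
 echo
 runcmd iptables -t mangle -A OUTPUT -m state --state NEW -p "$TEST_PROTO" -d "$TEST_HOST" --dport "$TEST_PORT" -j NFQUEUE --queue-num "$TEST_QUEUE" --queue-bypass
 # … unchanged: mark-based jumps into $DENY_CHAIN and $ALLOWLOG_CHAIN …
}
```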