Modify iptables policy for policing all protocols, not only TCP

A new rule passing packets for nether inspection is replacing the old one
that worked only for TCP.
The new rule makes a policy check for a first packet in each network flow, as
seen by the conntrack module. This is done by matching all packets that have
ctstate=NEW (the packet has started a new connection) but not checking those
that have ctstatus=CONFIRMED (connection is confirmed: originating packet has
left box). This rule causes to nether check for each first packet on the flow,
the minimum required for determining whether the connection should be allowed.

For TCP connections, this should work exactly as the old rule. For connection-
less protocols it will check the first packet of the network flow.

Change-Id: Iccbe8febd1568a615d8169123d7f45b4e998a47d

diff --git a/conf/nether.rules b/conf/nether.rules
index 71b6464..b49d361 100644 (file)
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@ -25,7 +25,7 @@
 :POSTROUTING ACCEPT [824147:75308906]
 -A INPUT -j SECMARK --selctx System
 -A OUTPUT -o lo -j ACCEPT
--A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
 COMMIT
 *filter
 :INPUT ACCEPT [927054:2081201095]