Add DROP rule for INVALID packets.

author Robert Greenwalt <rgreenwalt@google.com>

Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)

committer Robert Greenwalt <rgreenwalt@google.com>

Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)
author Robert Greenwalt <rgreenwalt@google.com>
Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)
committer Robert Greenwalt <rgreenwalt@google.com>
Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)
diff --git a/NatController.cpp b/NatController.cpp

index 8ec5d64..beba4ce 100644 (file)
--- a/NatController.cpp
+++ b/NatController.cpp
@@ -190,11 +190,29 @@ int NatController::doNatCommands(const char *intIface, const char *extIface, boo
          return -1;
      }
  
+    snprintf(cmd, sizeof(cmd),
+            "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+            (add ? "A" : "D"),
+            intIface, extIface);
+    if (runIptablesCmd(cmd)) {
+        snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
+                (!add ? "A" : "D"),
+                extIface, intIface);
+        return -1;
+    }
+
      snprintf(cmd, sizeof(cmd), "-%s FORWARD -i %s -o %s -j ACCEPT", (add ? "A" : "D"),
              intIface, extIface);
      if (runIptablesCmd(cmd)) {
          // unwind what's been done, but don't care about success - what more could we do?
          snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+                (!add ? "A" : "D"),
+                intIface, extIface);
+        runIptablesCmd(cmd);
+
+        snprintf(cmd, sizeof(cmd),
                   "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
                   (!add ? "A" : "D"),
                   extIface, intIface);
author	Robert Greenwalt <rgreenwalt@google.com>
	Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)
committer	Robert Greenwalt <rgreenwalt@google.com>
	Tue, 2 Aug 2011 20:00:11 +0000 (13:00 -0700)