diff --git a/bin/hardening/14.1_security_related_NAT_slipstreaming.sh b/bin/hardening/14.1_security_related_NAT_slipstreaming.sh
new file mode 100755
index 0000000..91b9e4b
--- /dev/null
+++ b/bin/hardening/14.1_security_related_NAT_slipstreaming.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 9/10 Hardening
+#
+
+#
+# 14.1 Defense for NAT Slipstreaming (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
+BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
+SYSCTL_PARAM='net.netfilter.nf_conntrack_helper'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
+ check_blacklist_module_set $BLACKLIST_CONF
+ if [ $FNRET = 0 ]; then
+ ok "$BLACKLIST_CONF was set to blacklist"
+ else
+ crit "$BLACKLIST_CONF is not set to blacklist"
+ fi
+ done
+ if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist -- Typo?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ else
+ crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
+ check_blacklist_module_set $BLACKLIST_CONF
+ if [ $FNRET = 0 ]; then
+ ok "$BLACKLIST_CONF was set to blacklist"
+ else
+ warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
+ if [ -w $HARBIAN_SEC_CONF_FILE ]; then
+ add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
+ else
+ touch $HARBIAN_SEC_CONF_FILE
+ add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
+ fi
+ fi
+ done
+ if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist -- Typo?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ else
+ echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
+ fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat <