}
chain input {
- type filter hook input priority 0;
+ type filter hook input priority 0
+ policy drop
ct state established,related accept
ct state invalid drop
} ip6 hoplimit 255 accept
# Allow multicast listener discovery on link-local addresses.
- ip6 nexthdr ipv6-icmp icmpv6 type {
+ # RFC2710 specifies that a Hop-by-Hop Options header is used.
+ hbh nexthdr ipv6-icmp icmpv6 type {
mld-listener-query,
mld-listener-report,
mld-listener-reduction
}
chain forward {
- type filter hook forward priority 0;
+ type filter hook forward priority 0
+ policy drop
+
limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
counter reject
}
chain output {
- type filter hook output priority 0;
+ type filter hook output priority 0
+ policy drop
+
counter accept
}
}