}
chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
- ct state new jump in-new
+ type filter hook input priority 0
+ policy drop
iif lo accept
packet-too-big
} accept
- # Allow auto configuration support.
+ # Allow IPv6 Neighbor Discovery (RFC4861).
ip6 nexthdr ipv6-icmp icmpv6 type {
nd-router-advert,
nd-router-solicit,
# Allow IGMPv3 queries.
ip protocol igmp ip daddr 224.0.0.1 accept
+ # Stateful filtering for anything else.
+ ct state established,related accept
+ ct state invalid drop
+ ct state new jump in-new
+
# Silently drop other incoming broadcast and multicast traffic.
meta pkttype {broadcast, multicast} drop
}
chain forward {
- type filter hook forward priority 0;
+ type filter hook forward priority 0
+ policy drop
+
limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
counter reject
}
chain output {
- type filter hook output priority 0;
+ type filter hook output priority 0
+ policy drop
+
counter accept
}
}