| author | uvok cheetah | 2025-02-02 16:55:01 +0100 | 
|---|---|---|
| committer | uvok cheetah | 2025-02-02 16:55:01 +0100 | 
| commit | 346beb7ced839f4719f2f1963ec5f0cece027af3 (patch) | |
| tree | ab1bfdcbb73c7612a5466045abeae31945f72a0e /roles/linux-ns/files/iptables | |
| parent | 526797b41c8dfffc7e74a951c17ef96734980e7a (diff) | |
reject and drop forwarding of packages
Diffstat (limited to 'roles/linux-ns/files/iptables')
| -rw-r--r-- | roles/linux-ns/files/iptables/ip6tables.save | 8 | ||||
| -rw-r--r-- | roles/linux-ns/files/iptables/iptables.save | 4 | 
2 files changed, 10 insertions, 2 deletions
| diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
index 4c3ea11..d6db11f 100644
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ b/roles/linux-ns/files/iptables/ip6tables.save
@@ -1,6 +1,6 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -27,6 +27,12 @@
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+# post/prerouting, must allow forward as well
+-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
+-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
 COMMIT
 *mangle
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
index 7a4504f..4f72cc5 100644
--- a/roles/linux-ns/files/iptables/iptables.save
+++ b/roles/linux-ns/files/iptables/iptables.save
@@ -1,6 +1,6 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -19,4 +19,6 @@
 -A INPUT -p udp --dport 53 -j ACCEPT
 -A INPUT -p tcp --dport 53 -j ACCEPT
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
 COMMIT | 
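Review bot: The terminal `-A FORWARD -j REJECT --reject-with icmp6-port-unreachable` in the second ip6tables.save hunk answers every forwarded packet that no ACCEPT matched with an ICMPv6 error, so the host now emits a reply for each unsolicited transit packet whatever interface it came in on, while the chain policy switched to DROP in the first hunk already covers the silent case. A narrower shape is to confine the fast failure to the internal range and let the DROP policy handle the rest, e.g. `-A FORWARD -s fd00::/8 -j REJECT --reject-with icmp6-port-unreachable`, or to rate-limit the rule with `-m limit`; the same applies to the `icmp-port-unreachable` REJECT added in the iptables.save hunk. The FORWARD chain also shows no `-m conntrack --ctstate RELATED,ESTABLISHED` accept like INPUT has; the new fd00::/8 to fcee::1/128 pair is written in both directions so those flows still get their replies, but any one-directional FORWARD rule elsewhere in the file (not visible here) would now lose its return path once the policy is DROP. The duplicated `-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT` on the two context lines just above the insertion is harmless but could be collapsed to one line while this chain is being touched.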
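Review bot: After the iptables.save hunk every forwarded IPv4 packet is rejected, because the FORWARD chain gains only the REJECT line and no FORWARD ACCEPT appears in either hunk of that file; whether an allow rule exists between the two hunks cannot be seen here. If IPv4 forwarding is intentionally unused in this namespace, a comment above the rule such as `# no IPv4 forwarding expected; reject explicitly so senders fail fast instead of timing out` would record the intent for the next reader of the save file. If it is used, the ACCEPT rules have to sit above this line in the file, since `-A` appends and the REJECT would otherwise shadow them.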
