-rw-r--r--roles/linux-ns/files/iptables/ip6tables.save8
-rw-r--r--roles/linux-ns/files/iptables/iptables.save4
2 files changed, 10 insertions, 2 deletions
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
index 4c3ea11..d6db11f 100644
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ b/roles/linux-ns/files/iptables/ip6tables.save
@@ -1,6 +1,6 @@
*filter
:INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
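Review bot: Flipping the policy to `:FORWARD DROP [0:0]` makes every forwarded flow depend on an explicit ACCEPT, yet the only conntrack rule visible is on INPUT (`-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`); if the FORWARD rules between file lines 7 and 26, which are outside this hunk, carry no equivalent, reply traffic for any forwarded connection that lacks a symmetric rule pair is now dropped. Worth confirming the chain has `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` near its top, with `-A FORWARD -m conntrack --ctstate INVALID -j DROP` ahead of it so malformed state never rides through. A comment above the policy line such as `# FORWARD policy is DROP: every forwarded path needs an explicit ACCEPT below` would record the intent for the next editor. The same applies to the first hunk of iptables.save, which makes the identical policy change.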
@@ -27,6 +27,12 @@
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+# post/prerouting, must allow forward as well
+-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
+-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
COMMIT
*mangle
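Review bot: The catch-all `-A FORWARD -j REJECT --reject-with icmp6-port-unreachable` is appended directly before COMMIT, so any FORWARD rule a later edit places after it in this file, or appended at runtime with `-A`, sits behind it and never matches; a comment such as `# keep as the last FORWARD rule; anything appended after it is unreachable` makes that explicit. The comment `# post/prerouting, must allow forward as well` would be clearer if it said why the existing fd00::/8 rules do not already cover this case: fcee::1 lies in fc00::/8, outside fd00::/8, so traffic NATed to or from it needs its own FORWARD accepts. The two identical `-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT` context lines suggest the existing file carries that rule twice; if that is not a rendering artifact, one copy is redundant. The ordering point applies equally to the iptables.save hunk ending at COMMIT.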
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
index 7a4504f..4f72cc5 100644
--- a/roles/linux-ns/files/iptables/iptables.save
+++ b/roles/linux-ns/files/iptables/iptables.save
@@ -1,6 +1,6 @@
*filter
:INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -19,4 +19,6 @@
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
COMMIT
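Review bot: Rejecting forwarded TCP with `icmp-port-unreachable` leaves TCP clients to interpret an ICMP soft error, which some stacks retry before giving up; placing `-A FORWARD -p tcp -j REJECT --reject-with tcp-reset` immediately before the added `-A FORWARD -j REJECT --reject-with icmp-port-unreachable` gives them an immediate connection-refused while non-TCP traffic keeps the ICMP reply. The same two-line shape works in ip6tables.save, where `tcp-reset` is also accepted by the REJECT target. Whether any IPv4 FORWARD ACCEPT rules exist ahead of this catch-all cannot be seen from the hunk, since file lines 7 to 18 are outside it; if there are none, the rule only converts the DROP policy into an explicit reject and a comment saying so would help.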