1 files changed, 7 insertions, 1 deletions

diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
index 4c3ea11..d6db11f 100644
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ b/roles/linux-ns/files/iptables/ip6tables.save
@@ -1,6 +1,6 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -27,6 +27,12 @@
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
 
+# post/prerouting, must allow forward as well
+-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
+-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
 COMMIT
 
 *mangle