From 1e690360c57f6a442252b654f237bfed84aaa778 Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Wed, 18 Jun 2025 19:27:05 +0200
Subject: Update iptables rules
---
roles/linux_ns/files/iptables/ip6tables.save | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/roles/linux_ns/files/iptables/ip6tables.save b/roles/linux_ns/files/iptables/ip6tables.save
index 036e5a5..ca67633 100644
--- a/roles/linux_ns/files/iptables/ip6tables.save
+++ b/roles/linux_ns/files/iptables/ip6tables.save
@@ -24,7 +24,17 @@
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+# don't match source alone - will prevent outer system from doing stuff.
+-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT
+# replies!
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# post/prerouting, must allow forward
+# formerly for HTTP/S
+#-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
+#-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
+
+#-A FORWARD -j LOG --log-prefix "[dn42] forward"
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT
--
cgit v1.2.3
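Review bot: The added `-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT` admits any new flow arriving on eth0 toward the entire fd00::/8 range — any source, any protocol, any port — so if eth0 faces anything less trusted than a single known peer, every host in the ULA network becomes reachable for new connections from that side; the comment above it says why the source is not matched, but not why destination, protocol and connection state are left open. Consider narrowing it to what actually needs to be reachable, e.g. `-A FORWARD -i eth0 -d <ULA_HOST_OR_PREFIX_PLACEHOLDER> -p <PROTO> --dport <PORT> -m conntrack --ctstate NEW -j ACCEPT`, and replace the comment with the concrete reason, such as `# eth0 -> ULA: allow new connections from the outer system (source unrestricted because <REASON>)`. Moving the `ESTABLISHED,RELATED` rule ahead of the explicit ACCEPTs lets reply traffic short-circuit without being evaluated against the other rules. The comment `# post/prerouting, must allow forward` is ambiguous; spell out that NAT in PREROUTING/POSTROUTING does not bypass the FORWARD chain, so DNAT/SNAT'd flows still need an ACCEPT here. If the commented-out LOG rule is ever re-enabled, pair it with `-m limit` so a flood of rejected forwards cannot exhaust the log.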