From 346beb7ced839f4719f2f1963ec5f0cece027af3 Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Sun, 2 Feb 2025 16:55:01 +0100
Subject: reject and drop forwarding of packets

---
 roles/linux-ns/files/iptables/ip6tables.save | 8 +++++++-
 roles/linux-ns/files/iptables/iptables.save  | 4 +++-
 2 files changed, 10 insertions(+), 2 deletions(-)


diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
index 4c3ea11..d6db11f 100644
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ b/roles/linux-ns/files/iptables/ip6tables.save
@@ -1,6 +1,6 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -27,6 +27,12 @@
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
 -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
 
+# post/prerouting, must allow forward as well
+-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
+-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
 COMMIT
 
 *mangle
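Review bot: No `RELATED,ESTABLISHED` conntrack accept is visible in the FORWARD chain, unlike INPUT (first hunk, `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`), so with the policy now DROP and the new terminal REJECT every forwarded flow needs an explicit rule in each direction; the added fd00::/8 <-> fcee::1/128 pair is symmetric, but any one-directional accept in the part of the chain outside this diff would now break return traffic. If stateful forwarding is intended, add `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` at the top of the chain and consider `-A FORWARD -m conntrack --ctstate INVALID -j DROP` ahead of the accepts. A `-A FORWARD -j LOG --log-prefix "fwd-reject: "` immediately before the final REJECT would make rejected forwards observable in the logs. The context lines also show `-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT` twice; the duplicate predates this commit and can be dropped.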
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
index 7a4504f..4f72cc5 100644
--- a/roles/linux-ns/files/iptables/iptables.save
+++ b/roles/linux-ns/files/iptables/iptables.save
@@ -1,6 +1,6 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -19,4 +19,6 @@
 -A INPUT -p udp --dport 53 -j ACCEPT
 -A INPUT -p tcp --dport 53 -j ACCEPT
 
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
 COMMIT
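Review bot: Nothing in this hunk accepts forwarded IPv4 traffic, and the FORWARD chain body between the two hunks is outside the diff, so whether any IPv4 forwarding survives the policy flip to DROP plus the new terminal `-A FORWARD -j REJECT --reject-with icmp-port-unreachable` cannot be confirmed from here. The ip6tables counterpart in this commit adds explicit forward accepts; if the IPv4 side is meant to keep forwarding anything, it needs the matching `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and explicit accepts placed before this rule. The REJECT sits directly before COMMIT and must remain the last FORWARD rule; a comment such as `# catch-all: anything not explicitly accepted above is rejected` would protect that ordering, and a `-j LOG` rule just before it would make the rejections visible.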
-- 