# ip6tables-restore ruleset (IPv6 only: icmpv6, fd00::/8 ULA space, icmp6-port-unreachable).
# Three tables, each terminated by COMMIT: filter, mangle, nat.

*filter
# Default-deny for inbound and transit traffic; locally generated traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- INPUT: packets addressed to this host ---
# Packets that belong to an already-tracked connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback and the dn42 tinc tunnel are accepted in full.
-A INPUT -i lo -j ACCEPT
-A INPUT -i tinc_dn42 -j ACCEPT
# All ICMPv6 types are accepted; no per-type restriction is applied here.
-A INPUT -p icmpv6 -j ACCEPT
# Traceroute probe range: answer with port-unreachable so this hop is reported.
-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
# DNS (udp and tcp) and BGP are matched on port only, so they are reachable on every
# interface including eth0. NOTE(review): tinc_dn42 is already fully accepted above;
# confirm that exposing 53 and 179 on eth0 is intended.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 179 -j ACCEPT
# Looking-glass ports, external interface only.
-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
# Everything else is rejected explicitly instead of falling through to the silent DROP policy.
-A INPUT -j REJECT --reject-with icmp6-port-unreachable

# --- FORWARD: transit packets ---
# ULA-to-ULA traffic passes freely.
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
# Traffic arriving on eth0 for ULA space. Matched on interface plus destination, not on
# source alone: a source-only match would block the outer system's own traffic.
-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT
# Replies for forwarded flows; required together with the PREROUTING/POSTROUTING rules below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Retired HTTP/S pinholes and a debugging LOG rule, kept for reference only:
#-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
#-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
#-A FORWARD -j LOG --log-prefix "[dn42] forward"
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT

*mangle
# Mark every packet that entered on eth0 so the nat table can recognise it after routing.
-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
COMMIT

*nat
# Source-NAT eth0-originated packets (mark 0x4242) that are headed into ULA space.
-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
COMMIT