# Ruleset in iptables-restore format. The icmpv6 matches, icmp6-* reject types
# and fd00::/8 addresses indicate it is meant for ip6tables-restore.
# Rules are evaluated top to bottom, so their order is significant.
*filter
# Default policies: inbound and forwarded traffic is dropped, outbound is allowed.
# Both INPUT and FORWARD end in an unconditional REJECT, so the DROP policy
# only acts as a fallback if that last rule is ever removed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to, and packets related to, connections that are already tracked.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback traffic.
-A INPUT -i lo -j ACCEPT
# Everything arriving on tinc_dn42 is accepted with no port or source filter,
# so every service listening on this host is reachable from that interface.
# NOTE(review): presumably the tinc VPN link into dn42 - confirm that the whole
# overlay is meant to be trusted to this degree.
-A INPUT -i tinc_dn42 -j ACCEPT
# All ICMPv6 types on all interfaces (neighbour discovery and path-MTU
# discovery depend on ICMPv6). No rate limit is applied here.
-A INPUT -p icmpv6 -j ACCEPT
# traceroute: UDP probes to ports 33434-33534 get an ICMPv6 port-unreachable.
# Same verdict as the final catch-all; placed before the ACCEPT rules below.
-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
# DNS over UDP and TCP, from any source on any interface.
# NOTE(review): if the DNS service on this host is a recursive resolver, limit
# these rules to the intended clients - confirm what listens on port 53.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# BGP: TCP 179 from any source on any interface.
# NOTE(review): nothing here restricts the port to configured peers; consider
# matching on peer addresses or the peering interface.
-A INPUT -p tcp --dport 179 -j ACCEPT
# LG: TCP 6042 and 6142, only when the packet arrives on eth0.
# NOTE(review): "LG" presumably means looking glass - confirm.
-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
# Everything else is refused with ICMPv6 port-unreachable (an explicit answer
# rather than a silent drop).
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
# Forward only when both source and destination are inside fd00::/8.
# The match is on addresses alone, not on interfaces, so a packet that enters
# on eth0 with an fd00::/8 source address is forwarded as well.
# NOTE(review): consider adding -i/-o matches or source validation.
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT
*mangle
# Tag every packet that arrives on eth0 with firewall mark 0x4242; the nat
# table below matches on this mark.
-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
COMMIT
*nat
# Source-NAT packets carrying mark 0x4242 that leave towards fd00::/8.
# The mark is set only in PREROUTING, which locally generated packets do not
# traverse, so only traffic that came in on eth0 is masqueraded.
-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
COMMIT