*raw
:PREROUTING ACCEPT [16844:4134331]
:OUTPUT ACCEPT [14817:3557010]
# Loopback traffic is exempted from connection tracking in both directions,
# so it creates no conntrack entries. Such packets are UNTRACKED, which means
# state-based rules in the filter table will not match them.
-A PREROUTING --in-interface lo --jump CT --notrack
-A OUTPUT --out-interface lo --jump CT --notrack
COMMIT
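*filter
# Default-deny for inbound and forwarded traffic; outbound is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7035:765322]

# Type 0 routing headers (deprecated by RFC 5095) are dropped before any
# ACCEPT rule. Previously this rule sat after the ICMPv6 and ESTABLISHED
# accepts, so RH0 packets matching those rules were never checked.
-A INPUT -m rt --rt-type 0 -j DROP

# Loopback is accepted before the ICMPv6 section so local pings are not
# rate-limited and local ICMPv6 types missing from the allow-list are not
# dropped. Loopback is untracked (raw table), so no state rule covers it.
-A INPUT -i lo -j ACCEPT

# ICMPv6 errors that conntrack associates with an existing flow.
# This was an "-I" (insert at head) in the middle of the file; it is now an
# ordinary append so that rule order matches file order.
-A INPUT -p icmpv6 -m conntrack --ctstate RELATED -j ACCEPT

# Echo requests: each one is recorded per source address in the default
# "recent" list, and a source that reaches 5 hits within 10 seconds is dropped.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m recent --set
-A INPUT -p icmpv6 --icmpv6-type echo-request -m recent --update --seconds 10 --hitcount 5 -j DROP
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# Neighbour Discovery (RFC 4861). The kernel discards NDP messages whose hop
# limit is not 255; adding "-m hl --hl-eq 255" here would make that on-link
# requirement explicit in the ruleset.
# NOTE(review): a host that is not a router has no use for inbound
# router-solicitation, and redirect lets an on-link sender change this host's
# next hop. Confirm that both are wanted.
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT

# Error messages needed for path-MTU discovery and normal error reporting.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# unknown-header-type is one code of parameter-problem, so the rule above
# already covers it; it is kept to match the original rule set.
-A INPUT -p icmpv6 --icmpv6-type unknown-header-type -j ACCEPT

# Multicast Listener Discovery: 130 query, 131 report, 132 done, 143 MLDv2 report.
-A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
# Inverse Neighbour Discovery: 141 solicitation, 142 advertisement.
-A INPUT -p icmpv6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 142 -j ACCEPT
# SEND certification path: 148 solicitation, 149 advertisement.
-A INPUT -p icmpv6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 149 -j ACCEPT
# Multicast router discovery: 151 advertisement, 152 solicitation, 153 termination.
-A INPUT -p icmpv6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 153 -j ACCEPT

# Any other ICMPv6 type is dropped explicitly rather than left to the policy.
-A INPUT -p icmpv6 -j DROP

# Return traffic for connections this host initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop new TCP connections unless they start with a SYN. No rule in this
# table accepts inbound TCP, so the rule only takes effect once service
# ACCEPT rules are added below it. It uses the conntrack match, like the
# other state rules here, instead of the legacy "state" match.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Needed for the DHCPv6 client (replies arrive on UDP port 546).
# NOTE(review): this accepts UDP/546 from any source address. If the DHCPv6
# client only ever talks from its link-local address, adding "-d fe80::/10"
# would stop off-link hosts from reaching the client.
-A INPUT -p udp -m udp --dport 546 -j ACCEPT

# Redundant with the ACCEPT policy on OUTPUT; it keeps loopback working if
# that policy is tightened later.
-A OUTPUT -o lo -j ACCEPT
COMMIT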
