rules.v6

*filter
:INPUT      DROP      [0:0]
:FORWARD    DROP      [0:0]
:OUTPUT     ACCEPT    [0:0]
--append INPUT --in-interface lo --match comment --comment "Allow loopback" --jump ACCEPT
--append INPUT --match conntrack --ctstate INVALID --match comment --comment "Drop invalid packets" --jump DROP
--append INPUT --match conntrack --ctstate NEW --protocol tcp ! --syn --match comment --comment "Reject new non-syn TCP" --jump REJECT --reject-with tcp-reset
--append INPUT --match conntrack --ctstate NEW --protocol udp --match udp --destination-port 546 --destination fe80::/64 --match comment --comment "DHCPv6 needs this special rule" --jump ACCEPT
--append INPUT --protocol ipv6-icmp --match limit --limit 20/second --limit-burst 50 --match comment --comment "ICMPv6 serves much more than ping" --jump ACCEPT
--append INPUT --match conntrack --ctstate RELATED,ESTABLISHED --match comment --comment "Normal traffic" --jump ACCEPT
COMMIT
# Latest revision on 2022-Feb-25 by Vlastimil Burian (info@vlastimilburian.cz)