|
|
|
@ -17,6 +17,10 @@ COMMIT
|
|
|
|
|
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
|
|
|
|
|
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
|
|
|
|
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
|
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
|
|
|
|
|
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
|
|
|
|
|
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
|
|
|
|
|
-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
|
|
|
|
|
# TODO:
|
|
|
|
|
# The IP of the resolver should be bound to a DUMMY interface.
|
|
|
|
|
# DUMMY interfaces are the proper way to install IPs without assigning them any
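Review bot: The `redirect` ACCEPT rule lets any on-link neighbour rewrite this host's next hop, because `-m hl --hl-eq 255` only shows the packet was not forwarded and does not authenticate the sender; the same holds for `router-advertisement`. If this host has a static default route or acts as a gateway (the open UDP 500/4500 suggests an IPsec endpoint, though the rest of the ruleset is not visible here), I would drop the redirect line and keep the RA line only where SLAAC is actually used, with a comment such as `# hl 255 = on-link only (RFC 4861); still unauthenticated`. Separately, the echo-request rule at the top of the hunk pairs `--hashlimit-upto 5/s` with `-j DROP`, which drops the pings that are within the limit and lets the excess fall through to later rules; `--hashlimit-above 5/s` is the usual form for a drop rule. `--hashlimit-srcmask 32` also groups IPv6 sources by /32 prefix, which looks carried over from an IPv4 ruleset. The page has lost its +/- markers, so which of these lines the commit adds is inferred from the 6-to-10 line count in the hunk header.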
|
|
|
|
|