drop iptables forward

run/root/iptable.sh

@@ -115,6 +115,15 @@ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
 # accept input to local loopback
 iptables -A INPUT -i lo -j ACCEPT
 
+# forward iptable rules
+###
+
+# set policy to drop ipv4 for forward
+iptables -P FORWARD DROP
+
+# set policy to drop ipv6 for forward
+ip6tables -P FORWARD DROP 1>&- 2>&-
+
 # output iptable rules
 ###
 
@@ -124,9 +133,6 @@ iptables -P OUTPUT DROP
 # set policy to drop ipv6 for output
 ip6tables -P OUTPUT DROP 1>&- 2>&-
 
-# accept output from tunnel adapter
-iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT
-
 # accept output to/from docker containers (172.x range is internal dhcp)
 iptables -A OUTPUT -s "${docker_network_cidr}" -d "${docker_network_cidr}" -j ACCEPT
 
@@ -168,6 +174,9 @@ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 # accept output from local loopback adapter
 iptables -A OUTPUT -o lo -j ACCEPT
 
+# accept output from tunnel adapter
+iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT
+
 echo "[info] iptables defined as follows..."
 echo "--------------------"
 iptables -S