From f38d93ff605afa8863aef1d340104d00b93b15cf Mon Sep 17 00:00:00 2001
From: binhex
Date: Mon, 17 Jun 2019 17:27:47 +0100
Subject: [PATCH] drop iptables forward

---
 run/root/iptable.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/run/root/iptable.sh b/run/root/iptable.sh
index 901e3c8..fb793ea 100644
--- a/run/root/iptable.sh
+++ b/run/root/iptable.sh
@@ -115,6 +115,15 @@ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
 # accept input to local loopback
 iptables -A INPUT -i lo -j ACCEPT
 
+# forward iptable rules
+###
+
+# set policy to drop ipv4 for forward
+iptables -P FORWARD DROP
+
+# set policy to drop ipv6 for forward
+ip6tables -P FORWARD DROP 1>&- 2>&-
+
 # output iptable rules
 ###
 
@@ -124,9 +133,6 @@ iptables -P OUTPUT DROP
 # set policy to drop ipv6 for output
 ip6tables -P OUTPUT DROP 1>&- 2>&-
 
-# accept output from tunnel adapter
-iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT
-
 # accept output to/from docker containers (172.x range is internal dhcp)
 iptables -A OUTPUT -s "${docker_network_cidr}" -d "${docker_network_cidr}" -j ACCEPT
 
@@ -168,6 +174,9 @@ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 # accept output from local loopback adapter
 iptables -A OUTPUT -o lo -j ACCEPT
 
+# accept output from tunnel adapter
+iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT
+
 echo "[info] iptables defined as follows..."
 echo "--------------------"
 iptables -S
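Review bot: The new `ip6tables -P FORWARD DROP 1>&- 2>&-` closes stdout and stderr rather than redirecting them, so any failure (ip6tables absent, IPv6 disabled in the namespace, or EBADF from the tool writing to a closed fd) is invisible and its exit status is never examined; this mirrors the existing `ip6tables -P OUTPUT DROP 1>&- 2>&-` line, but the IPv4 line `iptables -P FORWARD DROP` has no such suppression, so the two policies are not treated consistently on error. The comment also states what the line does but not why FORWARD needs a DROP policy in this container; a one-line reason would help the next maintainer, e.g. `# drop all forwarded traffic: this container must never route packets between the tunnel and other interfaces`. Whether the script runs under `set -e` is outside the hunk, so I cannot tell whether a failing `iptables -P FORWARD DROP` would abort the setup. The script's top-level run continues beyond this hunk.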
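Review bot: The tunnel-adapter rule `iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT` is moved from the top of the OUTPUT chain (removed in the second hunk, at old line 127) to after the loopback rule here, but neither the commit title "drop iptables forward" nor a comment says why the position changed. If every rule between old lines 137 and 173 is an ACCEPT, as the visible context suggests but the hunk does not show, the reorder has no effect on what is permitted; if any DROP or REJECT sits in that range, tunnel output that used to match first would now be blocked, which is worth stating explicitly. I would record the intent on the re-added line, e.g. `# accept output from tunnel adapter (kept as the last OUTPUT rule so the more specific rules above are evaluated first)`, adjusted to the actual reason. The hunk also keeps the unchecked expansion of `VPN_DEVICE_TYPE`; an empty value would turn the rule into a bare `-o ""` — whether the variable is validated earlier in the file is not visible here.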