*filter

# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# allow esp
-A INPUT  -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT

# allow IKE
-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT

# allow MobIKE
-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT

# allow last UDP fragment
-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT

# allow ICMPv6 neighbor-solicitations
-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT

# allow ICMPv6 neighbor-advertisements
-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

# allow crl and certificate fetch from winnetou
-A INPUT  -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT

# log dropped packets
-A INPUT  -j LOG --log-prefix " IN: "
-A OUTPUT -j LOG --log-prefix " OUT: "

COMMIT