# ip6tables-restore ruleset (the icmpv6 match in FORWARD is IPv6-only).
# every filter chain is default-deny; the explicit ACCEPT rules below are the
# only way traffic gets through.
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# accept incoming traffic on internal intfs. the interface names are prefix
# matches (trailing '+'), so any interface named internal* or usb* is trusted
# in full. there is no conntrack/state rule here, so nothing is accepted on
# any other interface (not even replies); it all hits the INPUT DROP policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -i internal+ -j ACCEPT
-A INPUT -i usb+ -j ACCEPT
# disallow forwarding of packets to mgmt network (any interface named ma*).
# must stay ahead of the catch-all ACCEPT at the end of this chain.
-A FORWARD -o ma+ -j DROP
# drop all routed NS packets. neighbor solicitation is link-local and should
# never cross the router, so a forwarded NS is treated as bogus.
-A FORWARD -p icmpv6 --icmpv6-type neighbor-solicitation -j DROP
# everything else is forwarded unfiltered and without any state check; this
# rule matches every remaining packet, so the FORWARD DROP policy is never
# consulted.
-A FORWARD -j ACCEPT
# No need to filter the output
-A OUTPUT -j ACCEPT
COMMIT
# disable conntrack reassembly for software-routed packets
# raw/PREROUTING is evaluated before conntrack; packets whose fwmark equals
# 13429 exactly (no mask given) are flagged untracked. the mark itself is set
# outside this file, presumably by whatever hands packets to the software
# routing path -- confirm against that component.
# NOTE(review): on recent kernels the IPv6 defrag hook runs ahead of the raw
# table, so whether --notrack really avoids reassembly is kernel-dependent.
*raw
-A PREROUTING -m mark --mark 13429 -j CT --notrack 
COMMIT
