+### Standard loopback stuff.
+
+## Don't clobber local traffic
+run ip46tables -A INPUT -i lo -j ACCEPT
+
+## We really shouldn't see packets destined for localhost on any interface
+## other than the loopback.
+run iptables -A INPUT -g bad-destination-address \
+ -d 127.0.0.0/8
+run ip6tables -A INPUT -g bad-destination-address \
+ -d ::1
+
+## We shouldn't be asked to forward things with link-local addresses.
+run iptables -A FORWARD -g bad-source-address \
+ -s 169.254.0.0/16
+run iptables -A FORWARD -g bad-destination-address \
+ -d 169.254.0.0/16
+run ip6tables -A FORWARD -g bad-source-address \
+ -s fe80::/10
+run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe80::/10