ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
## Guaranteed black hole. Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
run ebtables -A check-bcp38 -j bcp38 -p ip6
run ebtables -A FORWARD -j check-bcp38 -o bond0
-## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it
+## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it
## misparses (at least) locally originated multicast packets, and tries to
## extract IP header fields relative to the start of the Ethernet frame. The
## result is obviously a hideous mess. Don't try to do BCP38 checking for