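*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# Stateful connection tracking
# ============================================================
# Allow replies to flows this host initiated (ESTABLISHED) and ICMPv6
# errors that conntrack ties to a tracked flow (RELATED). This also
# covers echo-replies to our own pings, so no separate rule is needed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ============================================================
# Loopback interface - always allow
# ============================================================
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: ::1 can only legitimately arrive on lo.
-A INPUT ! -i lo -s ::1/128 -j DROP

# ============================================================
# ICMPv6 - error messages the IPv6 stack depends on (RFC 4890 4.3.1)
# ============================================================
# Packet Too Big is what Path MTU discovery relies on; dropping it
# silently blackholes large transfers. The other error types are
# needed for normal diagnostics and clean connection failure.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT

# ============================================================
# ICMPv6 - Neighbor Discovery (RFC 4861)
# ============================================================
# Valid ND messages are always sent with hop limit 255; anything else
# has been forwarded from off-link and cannot be legitimate, so the
# hop-limit match keeps routed/spoofed RA and NA out of the stack.
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT

# ============================================================
# ICMPv6 - Multicast Listener Discovery (RFC 2710 / RFC 3810)
# ============================================================
# ND itself uses solicited-node multicast groups; a switch or router
# doing MLD snooping stops delivering them if queries go unanswered.
# MLD is link-local by definition, hence the source restriction.
# Types: 130 query, 131 report, 132 done, 143 MLDv2 report.
-A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT

# ============================================================
# ICMPv6 - ping
# ============================================================
# Unsolicited echo-requests are allowed but rate-limited; excess
# requests fall through to the final DROP.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT

# ============================================================
# Conntrack sanity check
# ============================================================
# Packets conntrack cannot associate with any flow (malformed,
# out-of-window, or a bare ACK with no handshake) must not be accepted
# by the address-based rules below. Placed after the ICMPv6 section so
# that untracked ND/MLD traffic is never affected on older kernels.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# ============================================================
# Link-local services
# ============================================================
# NOTE(review): the rule this replaces was "-s fe80::/10 -j ACCEPT",
# which opened every listening port to any host on the same link -
# a link-local source address is chosen freely by the sender - and so
# bypassed the default deny below. Only the link-local protocols a
# host actually needs are allowed: ND and MLD are handled above, and
# DHCPv6 server replies (sport 547 -> client port 546) are kept here
# because they cannot be matched by conntrack (the request goes to a
# multicast address). Remove this rule if the host is not a DHCPv6
# client; add any other on-link service as its own port-specific rule.
-A INPUT -p udp -s fe80::/10 --sport 547 --dport 546 -j ACCEPT

# ============================================================
# Default deny - drop everything not explicitly allowed
# ============================================================
# The chain policy is already DROP; the explicit rule keeps a visible
# counter for traffic that matched nothing above.
-A INPUT -j DROP
COMMIT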