On Wed, 09 Apr 2014 08:18:23 -0700, Dave Taht said:
> It is not clear if this could be used to protect things inside the
> firewall (switching to a forward rather than input table), nor if it
> could be used with ipv6.

It will require adjusting the 52= in the rule, but otherwise should be OK for IPv6. For that matter, the ruleset as given is probably busticated when IP or TCP options are present, because it assumes a hard-coded offset.
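The hard-coded-offset problem raised in the reply above, as an added example that is not part of the original message or the ruleset it discusses. It is limited to IPv4; the packets, the marker value and all function names are constructed for illustration, and only the offset 52 comes from the thread.

```python
import struct

FIXED_OFFSET = 52          # the hard-coded offset mentioned in the thread
MARKER = 0xC0FFEE01        # constructed payload marker, not a real signature
PAYLOAD = MARKER.to_bytes(4, "big") + bytes(range(16))   # constructed sample
TCP_TS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 2)  # NOP, NOP, timestamp
IP_OPT = b"\x01\x01\x01\x00"                             # NOP x3, end of list

def build_ipv4_tcp(payload, ip_opts=b"", tcp_opts=b""):
    """Build a constructed IPv4/TCP packet (checksums zero; sample data only)."""
    ihl = (20 + len(ip_opts)) // 4       # IPv4 header length in 32-bit words
    doff = (20 + len(tcp_opts)) // 4     # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, doff << 4, 0x18,
                      65535, 0, 0) + tcp_opts
    return ip + tcp + payload

def payload_offset(pkt):
    """Where the TCP payload really starts: IHL*4 + data offset*4."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_len = (pkt[0] & 0x0F) * 4
    if ip_len < 20 or len(pkt) < ip_len + 20:
        raise ValueError("malformed or truncated IPv4 header")
    tcp_len = (pkt[ip_len + 12] >> 4) * 4
    if tcp_len < 20:
        raise ValueError("malformed TCP data offset")
    return ip_len + tcp_len

def word_at(pkt, offset):
    """32-bit big-endian word at a byte offset, or None if out of range."""
    chunk = pkt[offset:offset + 4]
    return int.from_bytes(chunk, "big") if len(chunk) == 4 else None

def fixed_rule_matches(pkt):
    """What a fixed-offset match sees: the word at byte 52, whatever it is."""
    return word_at(pkt, FIXED_OFFSET) == MARKER

def header_aware_matches(pkt):
    """Same comparison, but at the offset computed from the header lengths."""
    return word_at(pkt, payload_offset(pkt)) == MARKER

if __name__ == "__main__":
    cases = {"TCP timestamps only": build_ipv4_tcp(PAYLOAD, tcp_opts=TCP_TS),
             "no options": build_ipv4_tcp(PAYLOAD),
             "IP options + timestamps": build_ipv4_tcp(PAYLOAD, IP_OPT, TCP_TS)}
    for name, pkt in cases.items():
        print(name, payload_offset(pkt), fixed_rule_matches(pkt),
              header_aware_matches(pkt))
```

The fixed offset lines up with the payload only when the headers total exactly 52 bytes; in the other two constructed packets the filter silently misses. The u32 match's `@` operator can derive the offset from the header length fields instead.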