From 760bc7409d8e689cb70eaf2aa662ebf8c368624b Mon Sep 17 00:00:00 2001
From: C24Be
Date: Thu, 26 Mar 2026 10:37:06 +0100
Subject: [PATCH] readme files

---
 blacklists_iptables/README.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/blacklists_iptables/README.md b/blacklists_iptables/README.md
index d851931..9ba9704 100644
--- a/blacklists_iptables/README.md
+++ b/blacklists_iptables/README.md
@@ -20,14 +20,16 @@ ipset restore < blacklist-v4.ipset
 ipset restore < blacklist-v6.ipset
 ```
 
-Apply inbound rules to traffic connecting to the VM:
+Apply inbound rules to traffic connecting to the VM and forwarded through the host:
 
 ```bash
 iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
+iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
 ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
+ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
 ```
 
-### 2) Block VK outbound traffic for VPN clients via NAT/FORWARD
+### 2) Block VK outbound traffic
 
 Load VK IPv4 and IPv6 sets:
 
@@ -36,7 +38,14 @@ ipset restore < blacklist-vk-v4.ipset
 ipset restore < blacklist-vk-v6.ipset
 ```
 
-Apply forwarding rules for client egress traffic (replace ``):
+Apply OUTPUT rules for traffic originated on this host:
+
+```bash
+iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
+ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT
+```
+
+If you also need to block forwarded VPN-client traffic via NAT, add FORWARD rules (replace ``):
 
 ```bash
 iptables -I FORWARD -i -m set --match-set blacklist-vk-v4 dst -j REJECT
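Review bot: The two new FORWARD rules, like the INPUT rules next to them, use a bare `-I` with no existence check, so re-running the snippet after a reboot or a set refresh stacks duplicate copies at the top of the chain; for anyone scripting this the README should show the idempotent form, `iptables -C FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP 2>/dev/null || iptables -I FORWARD ...`. iptables also refuses a `--match-set` rule whose set is not loaded yet, so it is worth stating explicitly that the `ipset restore` commands above must run first (and that `ipset restore -exist` is needed if the sets may already be present). The FORWARD DROP only has an effect when the host actually forwards packets, which presumably means IPv4/IPv6 forwarding is enabled for the VPN use case; a one-line note to that effect would keep readers from assuming the rule protects a non-forwarding VM.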
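Review bot: The interface placeholder in the new sentence `(replace ``)` and in the context line `iptables -I FORWARD -i -m set ...` is empty as shown, so if this is how the README really reads, `-i` would most likely consume `-m` as the interface name and the command fails to parse; if it is not a rendering artifact, restore a visible placeholder such as `(replace <vpn_iface>)` and `-i <vpn_iface>` in both places. The new OUTPUT rules carry no `--ctstate` qualifier and use REJECT, whereas section 1 matches only NEW and DROPs; that is defensible for a destination block on the host's own traffic, but a sentence saying why (REJECT gives the local process an immediate error, DROP makes inbound scanners time out) would stop readers from swapping the two. The ```bash block that the last line belongs to closes outside the hunk.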