Having just re-installed after far too long, I realised that I had at some point configured an iptables firewall. On a completely clean system, the firewall is set to allow all; even forwarding, this is bad.
For future spins of LMDE at least could we at least disable forwarding by setting the iptables policy to drop by default. Personally I usually allow all outbound, for inbound rules allow established or related and anything coming from the local subnet.
Maybe my settings are not ideal, but it's just my 2 cents.