ip6tables
Configure IPv6 firewall rules using netfilter.
Additional Notes
ip6tables is the IPv6 counterpart of iptables. It manages the netfilter firewall rules for IPv6 traffic on the Linux kernel. It operates on tables of chains containing rules that filter, modify, or redirect IPv6 packets based on criteria such as source/destination address, protocol, port, and interface.
The main tables are filter (default, for allowing or blocking packets), nat (for network address translation on IPv6), mangle (for packet header modification), raw (for connection tracking exemptions), and security (for SELinux marking). Each table contains built-in chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) and user-defined chains for custom rule organization.
Syntax
ip6tables [options] command [chain] [match] [target/jump]
Parameters
- command: Operation such as -A (append), -D (delete), -I (insert), -R (replace), -L (list), -F (flush), -P (policy), -N (new chain), -X (delete chain).
- chain: The chain to operate on (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING, or a user-defined chain).
- match: Packet matching criteria (protocol, source/destination, interface, state, etc.).
- target/jump: Action to take (ACCEPT, DROP, REJECT, LOG, RETURN, or a user-defined chain).
Common Commands
- -A chain: Append a rule to a chain.
- -D chain rule-num: Delete a rule by number.
- -I chain [num]: Insert a rule at the top (or at position num).
- -R chain num: Replace a rule.
- -L [chain]: List rules in a chain or all chains.
- -F [chain]: Flush (delete) all rules in a chain or all chains.
- -P chain target: Set the default policy for a chain.
- -N chain: Create a new user-defined chain.
- -X [chain]: Delete a user-defined chain.
- -S [chain]: Show the rules as they would be entered on the command line.
- -Z [chain]: Zero packet and byte counters.
Common Match Options
- -p protocol: Match protocol (tcp, udp, icmpv6, esp, ah, all).
- -s address[/mask]: Source IPv6 address.
- -d address[/mask]: Destination IPv6 address.
- -i interface: Input interface (for INPUT, FORWARD, PREROUTING).
- -o interface: Output interface (for OUTPUT, FORWARD, POSTROUTING).
- --sport port[:port]: Source port (with -p tcp or -p udp).
- --dport port[:port]: Destination port (with -p tcp or -p udp).
- -m state --state states: Match connection state (NEW, ESTABLISHED, RELATED, INVALID).
- -m mac --mac-source address: Match source MAC address.
- -m limit --limit rate: Rate-limit matching.
- -m multiport --sports ports: Match multiple source ports.
- -m set --match-set setname: Match against an ipset.
- -j target: Jump to target (ACCEPT, DROP, REJECT, LOG, RETURN, or a chain).
Common Targets
- ACCEPT: Allow the packet.
- DROP: Silently discard the packet.
- REJECT: Discard and send an ICMPv6 error back.
- LOG: Log the packet and continue to the next rule.
- RETURN: Return from the current chain to the calling chain.
Examples
sudo ip6tables -L
List all rules in the filter table.
sudo ip6tables -P INPUT DROP
Set the default policy for INPUT to DROP.
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow SSH (port 22) inbound.
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow packets belonging to established connections.
sudo ip6tables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Allow forwarding between interfaces.
sudo ip6tables -A INPUT -p icmpv6 -j ACCEPT
Allow all ICMPv6 traffic, which is essential for IPv6 neighbor discovery and autoconfiguration.
sudo ip6tables -A INPUT -s 2001:db8::/32 -j DROP
Drop all traffic from a specific IPv6 subnet.
Practical Notes
- IPv6 firewall configuration is critical because every globally routable IPv6 address can be reached directly. Without a firewall, all services are exposed.
- ICMPv6 is essential for IPv6 operation (NDP, autoconfiguration, path MTU discovery). Do not block all ICMPv6 indiscriminately. Either allow icmpv6 with specific type/code filters, or allow all ICMPv6.
- ip6tables rules are separate from iptables (IPv4) rules. Both must be configured independently.
- Rules are processed in order. The first matching rule decides the packet's fate, unless its target is non-terminating (such as LOG), in which case evaluation continues with the next rule.
- Rules are not persistent across reboots unless saved with ip6tables-save and restored at boot.
- Tools like ufw and firewalld provide higher-level interfaces to ip6tables and can manage both IPv4 and IPv6 rules together.
- Connection tracking (-m state) works for IPv6 similarly to IPv4 and is strongly recommended for stateful firewalls.
- IPv6 neighbor discovery uses multicast addresses (ff02::1, ff02::2, etc.) and ICMPv6 types 133-137. Blocking these will break network communication.
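The following script is an added example, not part of the original page: it turns the notes above into a minimal stateful IPv6 ruleset written in ip6tables-save/restore format, so it can be reviewed and restored at boot rather than typed rule by rule. It assumes SSH on port 22 (overridable by the first argument) and no per-interface restrictions; only the NDP types 133-137 and the error types path MTU discovery needs are let through ICMPv6, everything else inbound hits the DROP policy.

```shell
#!/bin/sh
# Added example (not from the original page). Emits a filter-table ruleset in
# ip6tables-restore format on stdout; nothing is applied, so it runs unprivileged.
# Apply with:  ip6tables-restore < rules.v6   (check first: ip6tables-restore --test < rules.v6)

# NDP types that must stay open: 133 RS, 134 RA, 135 NS, 136 NA, 137 Redirect
NDP_TYPES="133 134 135 136 137"
# Error/control types needed for PMTUD and diagnostics: 1 unreach, 2 packet too big,
# 3 time exceeded, 4 parameter problem, 128 echo request
CTRL_TYPES="1 2 3 4 128"

rule() { printf '%s\n' "$*"; }

gen_ipv6_rules() {
    ssh_port=${1:-22}   # assumption: SSH listens on 22 unless told otherwise
    rule '*filter'
    rule ':INPUT DROP [0:0]'       # default-deny inbound, as in "ip6tables -P INPUT DROP"
    rule ':FORWARD DROP [0:0]'     # this host is not a router
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    # stateful core: replies to our own connections, and junk conntrack cannot classify
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -m state --state INVALID -j DROP'
    # selective ICMPv6 instead of "-p icmpv6 -j ACCEPT": NDP unconditionally ...
    for t in $NDP_TYPES; do
        rule "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # ... and error/echo types rate-limited so they cannot be used to flood the host
    for t in $CTRL_TYPES; do
        rule "-A INPUT -p icmpv6 --icmpv6-type $t -m limit --limit 10/s -j ACCEPT"
    done
    # the one service exposed; NEW only, since ESTABLISHED is handled above
    rule "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    # LOG is non-terminating: record a sample of what the DROP policy will eat
    rule '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables-drop: "'
    rule 'COMMIT'
}

# usage: ./gen-rules.sh [ssh_port] > rules.v6
gen_ipv6_rules "$1"
```

The generated file pairs with the IPv4 ruleset, not replaces it; ip6tables and iptables are configured independently, so an equivalent iptables-restore file is still needed.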