ip6tables
Manage IPv6 packet filtering rules
SYNOPSIS
ip6tables [-t table] [command] [chain] [rule-specification] [options]
Common commands:
ip6tables -A chain rule-specification
ip6tables -D chain rule-specification | rulenum
ip6tables -I chain [rulenum] rule-specification
ip6tables -R chain rulenum rule-specification
ip6tables -L [chain] [-v] [-n] [--line-numbers]
ip6tables -F [chain]
ip6tables -Z [chain]
ip6tables -N chain
ip6tables -X [chain]
ip6tables -P chain target
ip6tables -E old-chain-name new-chain-name
PARAMETERS
-A, --append chain rule-specification
Appends one or more rules to the end of the specified chain.
-D, --delete chain rule-specification | rulenum
Deletes one or more rules from the specified chain, either by exact match or by rule number.
-I, --insert chain [rulenum] rule-specification
Inserts one or more rules at the specified rulenum (default is 1, the beginning) in the chain.
-R, --replace chain rulenum rule-specification
Replaces a rule at the specified rulenum in the chain.
-L, --list [chain]
Lists all rules in a specific chain, or all chains if none is specified.
-F, --flush [chain]
Deletes all rules from the specified chain, or all chains if none is specified.
-Z, --zero [chain]
Resets the packet and byte counters for all rules in the specified chain, or all chains.
-N, --new-chain chain
Creates a new user-defined chain.
-X, --delete-chain [chain]
Deletes the specified user-defined chain. The chain must be empty and not referenced by any other rule.
-P, --policy chain target
Sets the default target (policy) for a built-in chain (e.g., ACCEPT, DROP).
-E, --rename-chain old-chain-name new-chain-name
Renames a user-defined chain.
-p, --protocol protocol
Matches packets for a specified protocol (e.g., tcp, udp, icmpv6).
-s, --source address[/mask]
Matches packets originating from the specified source address or network.
-d, --destination address[/mask]
Matches packets destined for the specified destination address or network.
-j, --jump target
Specifies the target of the rule, which is the action to take (e.g., ACCEPT, DROP, REJECT, LOG, or a user-defined chain).
-m, --match module
Specifies an extended match module to use (e.g., state for connection tracking, multiport for multiple ports).
-i, --in-interface name
Matches packets entering via the specified network interface.
-o, --out-interface name
Matches packets exiting via the specified network interface.
-t, --table table
Specifies the table to operate on (e.g., filter, nat, mangle, raw, security). Default is filter.
-v, --verbose
Enables verbose output when listing rules, showing interface names and options with their full names.
-n, --numeric
Displays IP addresses and port numbers in numeric format, avoiding DNS lookups.
--line-numbers
Shows rule line numbers when listing rules, useful for deletion or replacement by number.
-h, --help
Shows the help message for the command.
DESCRIPTION
ip6tables is the command-line utility used to set up, maintain, and inspect the IPv6 packet filter rules in the Linux kernel. It is a fundamental component of the Netfilter framework, allowing system administrators to define rules for network packets based on various criteria, such as source/destination IP addresses, protocols, ports, and interfaces.
The rules are organized into tables, each serving a specific purpose (e.g., filter for basic packet filtering, mangle for modifying packet headers, nat for Network Address Translation, though less common with IPv6's ample address space). Within each table, rules are further organized into chains (e.g., INPUT for incoming packets, FORWARD for packets routed through the system, OUTPUT for outgoing packets). When a packet traverses a chain, each rule is evaluated in order until a match is found and a target action (like ACCEPT, DROP, or REJECT) is applied, or the chain's default policy is hit.
ip6tables is crucial for securing IPv6-enabled systems by controlling network access, preventing unauthorized connections, and managing network traffic flow.
CAVEATS
- Root Privileges: ip6tables requires root privileges to modify firewall rules.
- Volatile Rules: Rules set with ip6tables are stored in the kernel's memory and are lost upon reboot. To make rules persistent, they must be saved using ip6tables-save and restored at boot using ip6tables-restore, or by using a persistence service like ip6tables-persistent.
- Rule Order: The order of rules within a chain is critical. Packet processing stops at the first matching rule, so broad rules should generally come after specific rules.
- Complexity: Misconfigurations can easily lead to unintended network access, security vulnerabilities, or complete network lockout. Careful planning and testing are essential.
- Superseded by nftables: In newer Linux distributions, nftables is the recommended successor, unifying firewall management for both IPv4 and IPv6. ip6tables may exist as a compatibility layer on top of nftables in these environments.
TABLES
ip6tables organizes rules into distinct tables, each designed for a specific type of packet processing:
- filter: The default table. Used for basic packet filtering (allowing or blocking packets). Contains INPUT, FORWARD, OUTPUT built-in chains.
- nat: Used for Network Address Translation. While less common for IPv6 due to its large address space, it can still be used for specific NAT scenarios. Contains PREROUTING, OUTPUT, POSTROUTING built-in chains.
- mangle: Used for altering packet headers (e.g., modifying TTL, TOS, or setting QoS marks). Contains PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING built-in chains.
- raw: Used for processing packets before they are handled by connection tracking, primarily to exclude traffic from stateful inspection. Contains PREROUTING, OUTPUT built-in chains.
- security: Used for Mandatory Access Control (MAC) networking rules, often in conjunction with security frameworks like SELinux. Contains INPUT, FORWARD, OUTPUT built-in chains.
BUILT-IN CHAINS
Each table has predefined built-in chains that correspond to specific points in the packet's journey through the network stack:
- INPUT: For packets destined for the local host itself.
- FORWARD: For packets that are being routed through the local host to another destination.
- OUTPUT: For packets originating from the local host and going out.
- PREROUTING: For packets arriving at the network interface, before routing decisions. (Used in nat, mangle, raw tables)
- POSTROUTING: For packets leaving the network interface, after routing decisions. (Used in nat, mangle tables)
Users can also create custom chains to organize rules more effectively.
TARGETS
When a rule matches a packet, a target determines the action to take:
- ACCEPT: Allows the packet to pass and continue its journey.
- DROP: Silently discards the packet. No error message is sent back to the sender.
- REJECT: Discards the packet and sends an appropriate error message (e.g., ICMPv6 Port Unreachable) back to the sender.
- LOG: Logs information about the packet to the system log (e.g., syslog). The packet then continues to traverse the chain.
- RETURN: Stops processing the current chain and returns to the calling chain (if it was a jump to a user-defined chain).
- JUMP to custom chain: Directs the packet to a user-defined chain for further processing.
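The following script is an added example and is not part of the ip6tables documentation. It ties together the DESCRIPTION, the CAVEATS on rule order and persistence, and the TARGETS above: it writes a minimal host firewall for the filter table in ip6tables-save format (so the same text can be loaded atomically with ip6tables-restore and kept for boot), orders the specific ACCEPT rules ahead of a catch-all jump to a user-defined LOG-then-DROP chain, and checks the ruleset for the common lockout mistakes before anything is loaded. The interface name eth0, the SSH port 22 and the chain name LOGDROP are assumptions; loading requires root and only happens when the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the ip6tables man page): generate, check and
# optionally load an IPv6 host firewall for the filter table.
# Assumptions: administration arrives on eth0 and SSH listens on port 22.

SSH_PORT=22     # assumption: TCP port that must stay reachable
MGMT_IF=eth0    # assumption: interface used for administration

# gen_ruleset: print the filter table in ip6tables-save format.
# Rules are listed in evaluation order: first match wins, so the
# specific ACCEPTs precede the final jump to the LOGDROP chain.
# ip6tables-restore ignores lines beginning with '#'.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback and already-tracked connections first: they match most packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 carries Neighbor Discovery; dropping it breaks IPv6 connectivity.
-A INPUT -p ipv6-icmp -j ACCEPT
# Management access, new connections only, on the expected interface.
-A INPUT -i ${MGMT_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Everything else goes to the user-defined chain: rate-limited LOG, then DROP.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "ip6tables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# check_ruleset: read a ruleset on stdin and refuse it when it would cause
# the lockout described under CAVEATS. Returns 0 when every check passes.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "check: INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '-p ipv6-icmp -j ACCEPT' \
        || { echo "check: ICMPv6 is not accepted" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" \
        || { echo "check: SSH port ${SSH_PORT} is not accepted" >&2; return 1; }
    # Rule order: every INPUT ACCEPT must come before the catch-all jump,
    # otherwise it is never reached.
    catchall=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT -j LOGDROP' | cut -d: -f1)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .*-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$catchall" ] && [ -n "$last_accept" ] && [ "$last_accept" -lt "$catchall" ] \
        || { echo "check: an ACCEPT rule sits after the catch-all jump" >&2; return 1; }
}

# apply_ruleset: save the running rules for rollback, load the new set
# atomically (all-or-nothing) and list the result. Requires root.
apply_ruleset() {
    backup=$(mktemp) || return 1
    ip6tables-save > "$backup" || return 1
    echo "previous rules saved to $backup; restore with: ip6tables-restore < $backup"
    gen_ruleset | check_ruleset || return 1
    gen_ruleset | ip6tables-restore || return 1
    ip6tables -L INPUT -v -n --line-numbers
}

# Default action is a dry run: check the ruleset and print it, which can be
# redirected to a file for ip6tables-restore at boot.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    gen_ruleset | check_ruleset && gen_ruleset
fi
```

Running the script without arguments prints the checked ruleset; `sh script.sh > /etc/ip6tables.rules` stores it for a boot-time `ip6tables-restore < /etc/ip6tables.rules`, and `--apply` loads it in place. The check deliberately fails on the two mistakes that most often lock an administrator out of an IPv6 host: a DROP policy with no ICMPv6 exception, and an ACCEPT rule appended after the catch-all so that it is never evaluated.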
HISTORY
ip6tables is part of the Netfilter project, which provides stateful packet filtering, Network Address Translation (NAT), and other packet manipulation capabilities for the Linux kernel. It was developed specifically to handle IPv6 traffic, mirroring the functionality of iptables for IPv4. Prior to ip6tables, IPv6 firewalling was handled by less capable tools. Since its introduction, ip6tables has been the standard command for configuring IPv6 firewall rules on Linux systems for many years.
While still widely used and supported, newer Linux distributions are transitioning towards nftables, a more modern and flexible packet filtering framework that aims to supersede both iptables and ip6tables by providing a single command-line tool for managing both IPv4 and IPv6 rules with a more consistent syntax and improved performance.
SEE ALSO
iptables(8), nft(8), nftables(8), ip6tables-save(8), ip6tables-restore(8), ip(8), conntrack(8)