ip6tables
Manage IPv6 packet filtering rules
SYNOPSIS
ip6tables [-t table] {-[A|D|I] chain [rulenum]|-[L|F|Z|X] [chain]|-N chain|-E oldchain newchain|-P chain target|-R chain rulenum} [-j target] [match extensions] [generic options]
PARAMETERS
-A, --append chain
Append one or more rules to the end of the named chain
-D, --delete chain rulenum|rule-spec
Delete one or more rules from the named chain
-I, --insert chain [rulenum]
Insert one or more rules at the specified position in chain
-L, --list [chain]
List all rules in the selected chain or all chains
-F, --flush [chain]
Delete all rules in the selected chain or all chains
-N, --new-chain chain
Create a new user-defined chain
-X, --delete-chain [chain]
Delete the specified user-defined chain
-P, --policy chain target
Set the policy for the built-in chain to target
-Z, --zero [chain]
Zero the packet and byte counters in the given chain, or in all chains if none is given
-t, --table table
Specify table: filter (default), nat, mangle, raw, security
-j, --jump target
Target: ACCEPT, DROP, REJECT, RETURN, LOG, etc.
-i, --in-interface name
Interface name for incoming packets
-o, --out-interface name
Interface name for outgoing packets
-s, --source [!] address[/mask]
Source IPv6 address specification; a leading ! negates the match
-d, --destination [!] address[/mask]
Destination IPv6 address specification; a leading ! negates the match
-p, --protocol proto
Protocol: tcp, udp, icmpv6, all, etc.
--dport, --sport port
Destination/source port or port range
-n, --numeric
Numeric output of addresses/ports
-v, --verbose
Verbose output
DESCRIPTION
ip6tables is a powerful command-line utility for configuring the netfilter framework's IPv6 packet processing tables in the Linux kernel. It enables administrators to define rules for filtering, NAT, mangling, and security policies on IPv6 traffic.
Similar to iptables for IPv4, ip6tables organizes rules into tables (filter, nat, mangle, raw, security), each containing chains like INPUT, OUTPUT, FORWARD, PREROUTING, and POSTROUTING. Rules specify matches (source/destination IP, ports, protocols) and targets (ACCEPT, DROP, REJECT, LOG).
Key operations include appending (-A), inserting (-I), deleting (-D), listing (-L), flushing (-F), and setting policies (-P). Matches extend to stateful filtering (-m state --state), connection tracking (-m conntrack --ctstate), and other extensions such as string matching. Per-rule counters track packets and bytes.
Requires root privileges and kernel netfilter IPv6 support (the nf_tables backend or the legacy ip6tables backend). Rules are lost on reboot unless saved with ip6tables-save and reloaded with ip6tables-restore. Modern systems favor nftables for unified IPv4/IPv6 management.
CAVEATS
Requires root privileges; rules are not persistent across reboots without ip6tables-save/ip6tables-restore. Considered legacy in favor of nftables; the kernel must support IPv6 netfilter. Large or complex rule sets can impact performance.
COMMON TABLES
filter: Packet acceptance (default).
nat: Network Address Translation.
mangle: Packet alteration.
raw: Processing before connection tracking (e.g. NOTRACK exemptions).
EXAMPLE USAGE
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
Allow IPv6 HTTP traffic.
ip6tables -P INPUT DROP
Set default drop policy.
ip6tables-save > /etc/ip6tables.rules
Persist rules.
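As an added example (not part of the original reference), the same building blocks combined into a minimal stateful IPv6 host firewall in ip6tables-restore(8) format. It shows the caveat that a DROP policy must be paired with conntrack and ICMPv6 rules, since ICMPv6 carries Neighbor Discovery; it assumes SSH on tcp/22 is the only inbound service and only prints the ruleset unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed example: emit a stateful IPv6 host firewall as an
# ip6tables-restore ruleset. Assumption: tcp/22 is the only service.
# Nothing is applied unless APPLY=1 (root required for that path).

ip6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets that conntrack cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 carries Neighbor Discovery and Path MTU discovery; dropping it
# breaks IPv6 connectivity, so it is accepted before the default DROP.
-A INPUT -p icmpv6 -j ACCEPT
# The single exposed service (new connections only).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log what the policy is about to drop, rate-limited to protect the log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6 drop: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set (sanity check for review).
ip6_accept_count() {
    ip6_ruleset | grep -c -- '-j ACCEPT'
}

if [ "${APPLY:-0}" = "1" ]; then
    ip6_ruleset | ip6tables-restore
else
    ip6_ruleset
fi
```

Review the printed ruleset first, then run with APPLY=1 as root to load it atomically via ip6tables-restore.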
HISTORY
Introduced in Linux kernel 2.6.20 (2007) with full IPv6 netfilter support, building on earlier experimental patches from 2003. Developed by the Netfilter Core Team (Harald Welte et al.). Widely used until nftables (kernel 3.13+, 2014) unified IPv4/IPv6 rule management.
SEE ALSO
iptables(8), ip6tables-save(8), ip6tables-restore(8), nft(8), tc(8)