Raspberry Pi – IPv6 – Secure port 80 with rate limiting

While IPv4 is structurally protected by NAT, a host with a global IPv6 address is reachable from the internet unless a firewall stands in the way, with no port forwarding required. This is precisely why an IPv6 firewall is not a “nice to have”, but a must.

IPv6: secure global reachability and allow ICMPv6

I was surprised that my Raspberry Pi was immediately given a global IPv6 address. This means that it can be reached from outside without NAT. Without ip6tables, all IPv6 services are open – often without you even noticing.

The solution is an IPv6 firewall similar to the IPv4 configuration, but with one important difference: ICMPv6 should not be blocked, as otherwise functions such as neighbor discovery, router advertisements or path MTU discovery will no longer work reliably.

My IPv6 configuration – (XXXX for SSH must be replaced by your SSH port!):

# Allow loopback
sudo ip6tables -A INPUT -i lo -j ACCEPT

# Allow established connections
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (customize port)
sudo ip6tables -A INPUT -p tcp --dport XXXX -j ACCEPT

# Allow ICMPv6 unconditionally
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

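# Rate limiting for HTTP: 25 new connections per minute after a burst of 100.
# The limit is shared by all clients, it is not counted per source address.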
sudo ip6tables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
  -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 80 -j DROP

# Rate limiting for HTTPS: 50 new connections per minute after a burst of 200,
# again shared by all clients.
sudo ip6tables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
  -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 443 -j DROP

# Set default policy
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT ACCEPT

Save rules:

sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
sudo netfilter-persistent save

This secures the Raspberry Pi under both IPv4 and IPv6. Ports 80 and 443 remain accessible, Let’s Encrypt continues to work without any problems and ICMPv6 ensures that the IPv6 network remains stable.
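
A check to run after saving, added here as an example and not part of the original post: it reads an ip6tables-save dump and flags a missing ICMPv6 accept, an INPUT policy other than DROP, and web ports whose rate limit is missing or bypassed by an earlier unlimited ACCEPT. The function names, the sample dump and port 2222 are constructed for illustration.

```shell
# Added example (not from the original post): audit an ip6tables-save dump.
# Constructed sample dump; port 2222 stands in for the XXXX SSH placeholder.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/min --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 50/min --limit-burst 200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
COMMIT
EOF
}

# Reads a dump on stdin, prints one finding per line, returns 1 if there are any.
audit_v6() {
    awk '
    function report(msg) { print msg; bad++ }
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
        port = ""
        for (i = 1; i < NF; i++) if ($i == "--dport") port = $(i + 1)
        if ($0 ~ /-p (ipv6-icmp|icmpv6) .*-j ACCEPT$/) icmp = 1  # either spelling
        if (port == "") next
        if ($0 ~ /-j DROP$/) dropped[port] = 1
        else if ($0 ~ /-j ACCEPT$/ && !dropped[port]) {
            if ($0 ~ /-m limit /) limited[port] = 1
            else bypass[port] = 1   # unlimited ACCEPT ahead of the DROP
        }
    }
    END {
        if (policy != "DROP") report("INPUT policy is " policy ", expected DROP")
        if (!icmp) report("ICMPv6 is not accepted (neighbor discovery, RA, PMTU)")
        n = split("80 443", web, " ")
        for (k = 1; k <= n; k++) {
            if (!limited[web[k]]) report("port " web[k] ": no rate-limited ACCEPT")
            if (bypass[web[k]]) report("port " web[k] ": unlimited ACCEPT bypasses the limit")
        }
        exit (bad > 0)
    }'
}

sample_rules | audit_v6 && echo "sample ruleset: OK"
```

On the Pi itself, feed it the live ruleset with sudo ip6tables-save | audit_v6, or the saved file with audit_v6 < /etc/iptables/rules.v6.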
