Manage IPv6 firewall rules from the shell with precision and clarity.

15.06.2026

ip6tables is the Netfilter-based command-line tool to inspect, allow, reject or log IPv6 traffic at the kernel level; learn to write rules that protect a host or router and to persist them reliably.

## Locking down SSH over IPv6

Scenario: a server must accept SSH only from a management subnet and drop other inbound IPv6 traffic; implement this with a few rules and verify them with the listing command.

```bash
# allow established traffic first
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow SSH from management subnet
ip6tables -A INPUT -p tcp --dport 22 -s 2001:db8:1::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# drop everything else arriving at INPUT
ip6tables -P INPUT DROP

# show rules
ip6tables -S
```

Sample output from `ip6tables -S` after the commands:

```text
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 2001:db8:1::/64 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```

## Power features to try

Try tables and chains beyond the default filter table, use `ip6tables -t mangle` for packet mangling, and manage rules with `-A`, `-I`, `-D`, `-L`, `-S`, `-F` and `-Z`; persist rules with `ip6tables-save` and `ip6tables-restore` or a distribution-specific service, and apply matches like conntrack, limit, or IPv6-extension headers to build robust policies.

## Complementary tools and workflows

ip6tables sits in an ecosystem: nftables is the modern replacement that unifies IPv4/IPv6, conntrack-tools inspect connection tracking state, and iproute2 configures routes and policy routing which often pairs with firewall rules; also consider router advertisement tools like radvd on IPv6 networks.
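
The SSH scenario above, written as an `ip6tables-restore` ruleset that loads atomically and can be checked with `--test` before it is committed; this is an added example, not code from the original page. It goes beyond the page's three rules by also accepting loopback and ICMPv6 neighbor discovery, which the RELATED,ESTABLISHED rule does not cover and without which a DROP policy cuts the host off from its link. The function names `valid_prefix`, `build_ruleset` and `apply_ruleset` are assumptions.

```shell
#!/bin/sh
# Added example: emit the SSH-lockdown policy in ip6tables-restore format.
# valid_prefix, build_ruleset and apply_ruleset are hypothetical helper names.

# Shape check so a crafted argument cannot smuggle extra rule lines into the
# file; the kernel still does the real address validation on restore.
valid_prefix() {
    case $1 in
        *[!0-9A-Fa-f:/]*|*/*/*) return 1 ;;  # spaces, newlines, ';', dots ...
        *:*/*) ;;                            # needs a colon and a prefix length
        *) return 1 ;;
    esac
    len=${1##*/}
    [ -n "$len" ] && [ "$len" -le 128 ] 2>/dev/null
}

build_ruleset() {
    mgmt=$1
    valid_prefix "$mgmt" || { echo "invalid IPv6 prefix: $mgmt" >&2; return 1; }
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Router advertisement (134), neighbor solicitation (135) and neighbor
    # advertisement (136); hop limit 255 proves the packet came from on-link.
    for t in 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    echo "-A INPUT -s $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo 'COMMIT'
}

# Needs root: parse-only check first, then one atomic load of the whole table.
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset "$1" >"$f" &&
        ip6tables-restore --test <"$f" &&
        ip6tables-restore <"$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Print the ruleset for the page's management subnet (no root required).
build_ruleset "${1:-2001:db8:1::/64}"
```

Because the accept rules and the DROP policy arrive in a single `COMMIT`, there is no window in which the policy is active without the SSH rule.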

## Next steps

Mastering ip6tables means practicing rule order, testing in a lab, and learning to recover from lockouts; expand your skills toward nftables and network management and consider formal certification like CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy to level up.