Some time ago I was asked why IPv6 wasn’t working. The customer had just configured some ip6tables rules and IPv6 stopped working. See if you can spot the error in the following example rule set:

ip6tables -A INPUT -p ICMP -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -j ACCEPT
ip6tables -A INPUT -j DROP

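The mistake is in line one. In IPv6, neighbor discovery and other functions rely on ICMPv6, which is a different protocol than ICMP. Somehow ip6tables is fine with loading the ICMP protocol. Because that rule never matches ICMPv6 traffic, neighbor discovery packets fall through to the final DROP rule.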

Here is the correct version:

ip6tables -A INPUT -p ICMPv6 -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -j ACCEPT
ip6tables -A INPUT -j DROP

Note that this is a very minimal example and you shouldn’t allow all ICMPv6 unconditionally. RFC 4890 has recommendations for ICMPv6 filtering.
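
A quick lint for the mistake described above, as an added example that is not part of the original post: the shell function reads a firewall script on stdin and reports every ip6tables rule whose -p argument is icmp (or its protocol number, 1) instead of icmpv6. It assumes one rule per line in command form; the name check_ip6tables_icmp is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Flags ip6tables rules that match IPv4 ICMP (protocol 1) where ICMPv6
# (protocol 58) was almost certainly intended. Reads rules on stdin,
# prints each offending line with its line number, returns 1 if any found.
check_ip6tables_icmp() {
    awk '
    $1 ~ /^#/ { next }                      # skip comment lines
    {
        is6 = 0
        for (i = 1; i <= NF; i++) {
            # Accept "ip6tables" with or without a path prefix.
            n = split($i, parts, "/")
            if (parts[n] == "ip6tables") is6 = 1
            if (is6 && ($i == "-p" || $i == "--protocol")) {
                proto = $(i + 1)
                if (proto == "!") proto = $(i + 2)   # old-style negation
                proto = tolower(proto)
                if (proto == "icmp" || proto == "1") {
                    printf "line %d: %s\n", NR, $0
                    bad++
                }
            }
        }
    }
    END { exit (bad > 0) }
    '
}

# The faulty rule set from the post, fed to the check.
check_ip6tables_icmp <<'EOF' || echo "use -p icmpv6 in the rules listed above"
ip6tables -A INPUT -p ICMP -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -j ACCEPT
ip6tables -A INPUT -j DROP
EOF
```

Plain iptables (IPv4) lines are ignored, so the same script can hold both rule sets.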