Otdfbt

What is to the west of Westeros?

Complications of displaced core material?

Why did it take so long for Germany to allow electric scooters / e-rollers on the roads?

How does the Earth's center produce heat?

I want to ask company flying me out for office tour if I can bring my fiance

What happened to the Dothraki in S08E06?

Why A=2 and B=1 in the call signs for Spirit and Opportunity?

Fill area of x^2+y^2>1 and x^2+y^2>4 using patterns and tikzpicture

Using too much dialogue?

Knight's Tour on a 7x7 Board starting from D5

Physical only checkdb is failing, but full one is completed successfully

How to teach an undergraduate course without having taken that course formally before?

Why is this integration method not valid?

The disk image is 497GB smaller than the target device

Possibility of faking someone's public key

Flatten not working

Ribbon Cable Cross Talk - Is there a fix after the fact?

resolution bandwidth

Maximum interval between Alto & Tenor, & intervals when writing for SATB

Was this scene in S8E06 added because of fan reactions to S8E04?

Is keeping the forking link on a true fork necessary (Github/GPL)?

Goldfish unresponsive, what should I do?

What could be my risk mitigation strategies if my client wants to contract UAT?

Why Emacs (dired+) asks me twice to delete file?

ip6tables on IPv4 only host

Filtering IPv6 ICMPv6 messagesI am not able to ping the IPv6 address asigned to the interface on CentOS 5Why is connecting to a web server listening on an IPv6 link-local address unreliable / How is IPv6 neighbor discovery expected to work?On IPv6 linux router, autoconf and accept router advertisements for single interfaceipv6 to ipv4 translation in switchDifferences between iptables and ip6tables processing of packetsHow do I send network packets from an ipv4 address (with port forwarding) to an ipv6 address (no port forwarding) without STUN?Allow outgoing IPv6 connections for VPN clientsIPv6 traffic from 0001 and Link Local (FE80::1)Route IPv6 traffic through IPv4 tunnel

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

If external interface has only IPv4 address assigned and IPv6 automatic link local, does it make sense to set up ip6tables? I'm asking as I am not sure how it works exactly. If, for example some encapsulating technology is used to provide 6-to-4 connection from IPv6-only endpoint, then on the host inbound interface will it show up as IPv4 or v6 address? Or just to play safe and DROP all IPv6 INPUT traffic?

iptables ipv6

share|improve this question

asked May 9 at 5:17

mc88mc88

31

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  It makes the most sense to setup ip6tables, and then setup IPv6 connectivity.
  
  – womble♦
  May 9 at 6:09
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What if I want to keep the host IPv4 only? In this case is ip6tables gonna ever be used?
  
  – mc88
  May 9 at 6:13
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  That isn't a practical option.
  
  – womble♦
  May 9 at 6:20
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Aside being practical or not. I would assume that ip6tables would not be used at all then. Am I correct then?
  
  – mc88
  May 9 at 6:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  if you don't want to use ipv6 you can even disable it (and not even get the link local address): disable_ipv6.
  
  – A.B
  May 9 at 7:31
  

  
  
  
  

 | 
show 1 more comment

0

If external interface has only IPv4 address assigned and IPv6 automatic link local, does it make sense to set up ip6tables? I'm asking as I am not sure how it works exactly. If, for example some encapsulating technology is used to provide 6-to-4 connection from IPv6-only endpoint, then on the host inbound interface will it show up as IPv4 or v6 address? Or just to play safe and DROP all IPv6 INPUT traffic?

iptables ipv6

share|improve this question

asked May 9 at 5:17

mc88mc88

31

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  It makes the most sense to setup ip6tables, and then setup IPv6 connectivity.
  
  – womble♦
  May 9 at 6:09
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What if I want to keep the host IPv4 only? In this case is ip6tables gonna ever be used?
  
  – mc88
  May 9 at 6:13
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  That isn't a practical option.
  
  – womble♦
  May 9 at 6:20
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Aside being practical or not. I would assume that ip6tables would not be used at all then. Am I correct then?
  
  – mc88
  May 9 at 6:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  if you don't want to use ipv6 you can even disable it (and not even get the link local address): disable_ipv6.
  
  – A.B
  May 9 at 7:31
  

  
  
  
  

 | 
show 1 more comment

If external interface has only IPv4 address assigned and IPv6 automatic link local, does it make sense to set up ip6tables? I'm asking as I am not sure how it works exactly. If, for example some encapsulating technology is used to provide 6-to-4 connection from IPv6-only endpoint, then on the host inbound interface will it show up as IPv4 or v6 address? Or just to play safe and DROP all IPv6 INPUT traffic?

iptables ipv6

share|improve this question

asked May 9 at 5:17

mc88mc88

31

share|improve this question

asked May 9 at 5:17

mc88mc88

31

share|improve this question

asked May 9 at 5:17

mc88mc88

31

asked May 9 at 5:17

mc88mc88

31

asked May 9 at 5:17

mc88mc88

31

1 Answer
1

active

oldest

votes

0

Where you have an IPv4 firewall, configure an IPv6 firewall like ip6tables. Not doing so is like having a second door to a space that you do not lock because you have not seen anyone use it yet.

Know your network's flows and set firewall policy accordingly. Dropping all traffic may break things. Disabling IPv6 on the interface is better because it will not pull addresses at all.

Creating an IPv6 address plan and using it is better still. You can create logically laid out subnets for your sites and zones, then firewall based on that.

share|improve this answer

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f966498%2fip6tables-on-ipv4-only-host%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Where you have an IPv4 firewall, configure an IPv6 firewall like ip6tables. Not doing so is like having a second door to a space that you do not lock because you have not seen anyone use it yet.

Know your network's flows and set firewall policy accordingly. Dropping all traffic may break things. Disabling IPv6 on the interface is better because it will not pull addresses at all.

Creating an IPv6 address plan and using it is better still. You can create logically laid out subnets for your sites and zones, then firewall based on that.

share|improve this answer

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

add a comment | 

0

Where you have an IPv4 firewall, configure an IPv6 firewall like ip6tables. Not doing so is like having a second door to a space that you do not lock because you have not seen anyone use it yet.

Know your network's flows and set firewall policy accordingly. Dropping all traffic may break things. Disabling IPv6 on the interface is better because it will not pull addresses at all.

Creating an IPv6 address plan and using it is better still. You can create logically laid out subnets for your sites and zones, then firewall based on that.

share|improve this answer

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

add a comment | 

Where you have an IPv4 firewall, configure an IPv6 firewall like ip6tables. Not doing so is like having a second door to a space that you do not lock because you have not seen anyone use it yet.

Know your network's flows and set firewall policy accordingly. Dropping all traffic may break things. Disabling IPv6 on the interface is better because it will not pull addresses at all.

Creating an IPv6 address plan and using it is better still. You can create logically laid out subnets for your sites and zones, then firewall based on that.

share|improve this answer

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

share|improve this answer

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714

answered May 9 at 15:05

John MahowaldJohn Mahowald

10.2k1714