Martin Koníček
IPv6 in Raspbian securely with IPTables
When a Raspberry Pi sits behind a NAT firewall, it is common to discover that its local services are reachable from the whole internet once the provider enables IPv6: NAT shields only IPv4, while over IPv6 the Pi can get a globally routable address. To prevent this, I will show how to set up an IPv6 firewall on the Raspberry Pi.
IP6Tables
I was surprised to learn that there are two types of iptables: the classic iptables for IPv4 and ip6tables for IPv6. This post covers how to make the ip6tables rules persist across reboots of the Raspberry Pi.
Service
First, create a systemd service for ip6tables that starts before networking and loads the IPv6 rules.
/etc/systemd/system/ip6tables.service
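[Unit]
Description=Packet Filtering Framework
# network-pre.target is systemd's ordering point for firewalls that must be loaded before interfaces are configured
Before=network-pre.target
Wants=network-pre.target
DefaultDependencies=no
[Service]
Type=oneshot
# Absolute path to the shell; older systemd versions reject a bare "sh"
ExecStart=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecReload=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
# -F flushes the rules only; the chain policies (INPUT DROP) stay in place
ExecStop=/sbin/ip6tables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target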
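Next, the rules file accepts only ICMPv6 traffic (which includes ping requests) and packets that belong to already open connections; all other inbound traffic is dropped.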
/etc/ip6tables.ipv6.rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Don't forget to enable the service.
systemctl enable --now ip6tables
And that's all you need to do.
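A pre-load check for the rules file above, as an added example that is not part of the original post: the hypothetical function lint_ip6_rules reads an ip6tables-save style file, fails if INPUT does not default to DROP or if ICMPv6 or established traffic is not accepted, and warns on any other rule that accepts new inbound traffic. The sample ruleset, including its extra SSH rule, is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ip6tables-save style
# rules file. lint_ip6_rules is a hypothetical helper name.
# Prints one finding per line; returns non-zero if any FAIL finding exists.
lint_ip6_rules() {
    awk '
    # Chain declaration, e.g. ":INPUT DROP [0:0]"
    /^:INPUT[ \t]/ { policy = $2 }
    # Only INPUT rules that accept traffic can expose a local service
    /^-A INPUT / && / -j ACCEPT/ {
        if ($0 ~ /-p (ipv6-icmp|icmpv6)/) { icmp = 1; next }
        if ($0 ~ /--(state|ctstate) / && $0 !~ /NEW/) { est = 1; next }
        if ($0 ~ /-i lo( |$)/) { next }
        print "WARN inbound opening: " $0
    }
    END {
        fail = 0
        if (policy != "DROP") {
            print "FAIL INPUT policy is " (policy == "" ? "missing" : policy)
            fail = 1
        }
        if (!icmp) { print "FAIL ICMPv6 not accepted, neighbor discovery breaks"; fail = 1 }
        if (!est) { print "FAIL replies to outbound connections not accepted"; fail = 1 }
        if (!fail) print "OK unsolicited inbound traffic is dropped by default"
        exit fail
    }' "$1"
}

# Constructed sample: the rules from this page plus one extra rule opening SSH.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
lint_ip6_rules "$sample"
rm -f "$sample"
```

On the Pi itself, running `ip6tables-restore --test < /etc/ip6tables.ipv6.rules` as root parses the file without committing it.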