0
# IPv6 Support
1

2
Full IPv6 support with dedicated classes for handling IPv6 addresses, prefixes, and protocol-specific matching. The IPv6 implementation provides the same interface as IPv4 with IPv6-specific handling for addresses, networks, and protocol features.
3

4
## Capabilities
5

6
### IPv6 Table Management
7

8
IPv6 tables work identically to IPv4 tables but operate on the IPv6 netfilter framework. Available tables include filter, mangle, raw, and security (no NAT table in IPv6).
9

10
```python { .api }
11
class Table6(Table):
12
    """
13
    IPv6 version of Table class for managing ip6tables tables.
14
    Inherits all functionality from Table with IPv6-specific handling.
15
    """
16
    
17
    def __init__(self, name: str, autocommit: bool = None):
18
        """
19
        Initialize an IPv6 Table object.
20
        
21
        Args:
22
            name: Table name (filter, mangle, raw, security)
23
            autocommit: Enable automatic commits (default: True)
24
        """
25
```
26

27
### IPv6 Rule Management
28

29
IPv6 rules handle IPv6 addresses, prefix lengths, and IPv6-specific protocol features while maintaining the same interface as IPv4 rules.
30

31
```python { .api }
32
class Rule6(Rule):
33
    """
34
    IPv6 version of Rule class for managing ip6tables rules.
35
    Inherits all functionality from Rule with IPv6 address handling.
36
    """
37
    
38
    def __init__(self, entry=None, chain=None):
39
        """
40
        Initialize an IPv6 Rule object.
41
        
42
        Args:
43
            entry: Optional low-level rule entry
44
            chain: Optional parent chain
45
        """
46
```
47

48
### IPv6 Table Availability
49

50
Function to check which IPv6 tables are available in the current kernel configuration.
51

52
```python { .api }
53
def is_table6_available(name: str) -> bool:
54
    """
55
    Check if specified IPv6 table is available in kernel.
56
    
57
    Args:
58
        name: Table name to check (filter, mangle, raw, security)
59
        
60
    Returns:
61
        True if IPv6 table is available
62
    """
63
```
64

65
## Usage Examples
66

67
### Basic IPv6 Rule Creation
68

69
```python
70
import iptc
71

72
# Create IPv6 table and chain
73
table6 = iptc.Table6(iptc.Table.FILTER)
74
chain = iptc.Chain(table6, "INPUT")
75

76
# Create rule for IPv6 SSH access
77
rule = iptc.Rule6()
78
rule.protocol = "tcp"
79
rule.src = "2001:db8::/32"  # IPv6 network
80
rule.dst = "2001:db8::1/128"  # Specific IPv6 address
81

82
# Add TCP match
83
tcp_match = rule.create_match("tcp")
84
tcp_match.dport = "22"
85

86
# Set target
87
rule.target = rule.create_target("ACCEPT")
88

89
# Insert rule
90
chain.insert_rule(rule)
91
```
92

93
### IPv6 Address Handling
94

95
```python
96
import iptc
97

98
# Check if IPv6 filter table is available
99
if iptc.is_table6_available("filter"):
100
    table6 = iptc.Table6(iptc.Table.FILTER)
101
    chain = iptc.Chain(table6, "INPUT")
102
    
103
    # IPv6 rule with various address formats
104
    rule = iptc.Rule6()
105
    
106
    # Full IPv6 address
107
    rule.src = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
108
    
109
    # Compressed IPv6 address
110
    rule.dst = "2001:db8:85a3::8a2e:370:7334"
111
    
112
    # IPv6 network with prefix
113
    rule.src = "fe80::/64"  # Link-local network
114
    
115
    # IPv6 loopback
116
    rule.dst = "::1/128"
117
    
118
    rule.target = rule.create_target("ACCEPT")
119
    chain.insert_rule(rule)
120
```
121

122
### IPv6-Specific Protocol Matching
123

124
```python
125
import iptc
126

127
table6 = iptc.Table6(iptc.Table.FILTER)
128
chain = iptc.Chain(table6, "INPUT")
129

130
# Rule for ICMPv6 (IPv6 equivalent of ICMP)
131
rule = iptc.Rule6()
132
rule.protocol = "ipv6-icmp"
133

134
# Add ICMPv6 match for neighbor discovery
135
icmpv6_match = rule.create_match("icmp6")
136
icmpv6_match.icmpv6_type = "135"  # Neighbor Solicitation
137

138
rule.target = rule.create_target("ACCEPT")
139
chain.insert_rule(rule)
140

141
# Rule for IPv6 extension headers
142
rule2 = iptc.Rule6()
143
rule2.protocol = "tcp"
144

145
# Match IPv6 extension headers
146
hbh_match = rule2.create_match("hbh")  # Hop-by-Hop Options Header
147
hbh_match.hbh_len = "0"
148

149
rule2.target = rule2.create_target("DROP")
150
chain.insert_rule(rule2)
151
```
152

153
### Mixed IPv4/IPv6 Environment
154

155
```python
156
import iptc
157

158
# Function to create similar rules for both IPv4 and IPv6
159
def create_ssh_rule(ipv6=False):
160
    if ipv6:
161
        if not iptc.is_table6_available("filter"):
162
            print("IPv6 not supported")
163
            return
164
        table = iptc.Table6(iptc.Table.FILTER)
165
        rule = iptc.Rule6()
166
        rule.src = "2001:db8::/32"
167
    else:
168
        table = iptc.Table(iptc.Table.FILTER)
169
        rule = iptc.Rule()
170
        rule.src = "192.168.1.0/24"
171
    
172
    chain = iptc.Chain(table, "INPUT")
173
    rule.protocol = "tcp"
174
    
175
    tcp_match = rule.create_match("tcp")
176
    tcp_match.dport = "22"
177
    
178
    rule.target = rule.create_target("ACCEPT")
179
    chain.insert_rule(rule)
180

181
# Create rules for both IP versions
182
create_ssh_rule(ipv6=False)  # IPv4 rule
183
create_ssh_rule(ipv6=True)   # IPv6 rule
184
```
185

186
### IPv6 NAT Alternative (Port Forwarding)
187

188
Since IPv6 doesn't use NAT in the traditional sense, port forwarding and load balancing are handled differently:
189

190
```python
191
import iptc
192

193
# IPv6 doesn't have a NAT table, but you can do port redirection
194
table6 = iptc.Table6(iptc.Table.MANGLE)
195
chain = iptc.Chain(table6, "PREROUTING")
196

197
rule = iptc.Rule6()
198
rule.protocol = "tcp"
199
rule.dst = "2001:db8::1"
200

201
tcp_match = rule.create_match("tcp")
202
tcp_match.dport = "80"
203

204
# Use REDIRECT target for port redirection
205
redirect_target = rule.create_target("REDIRECT")
206
redirect_target.to_ports = "8080"
207

208
rule.target = redirect_target
209
chain.insert_rule(rule)
210
```
211

212
### IPv6 Firewall Example
213

214
```python
215
import iptc
216

217
def setup_ipv6_firewall():
218
    """Set up basic IPv6 firewall rules"""
219
    
220
    if not iptc.is_table6_available("filter"):
221
        print("IPv6 filtering not available")
222
        return
223
    
224
    table6 = iptc.Table6(iptc.Table.FILTER)
225
    
226
    # Get chains
227
    input_chain = iptc.Chain(table6, "INPUT")
228
    forward_chain = iptc.Chain(table6, "FORWARD")
229
    output_chain = iptc.Chain(table6, "OUTPUT")
230
    
231
    # Set default policies
232
    input_chain.set_policy(iptc.Policy.DROP)
233
    forward_chain.set_policy(iptc.Policy.DROP)
234
    output_chain.set_policy(iptc.Policy.ACCEPT)
235
    
236
    # Allow loopback traffic
237
    rule = iptc.Rule6()
238
    rule.in_interface = "lo"
239
    rule.target = rule.create_target("ACCEPT")
240
    input_chain.insert_rule(rule)
241
    
242
    # Allow established and related connections
243
    rule = iptc.Rule6()
244
    state_match = rule.create_match("state")
245
    state_match.state = "ESTABLISHED,RELATED"
246
    rule.target = rule.create_target("ACCEPT")
247
    input_chain.insert_rule(rule)
248
    
249
    # Allow ICMPv6 (important for IPv6 functionality)
250
    rule = iptc.Rule6()
251
    rule.protocol = "ipv6-icmp"
252
    rule.target = rule.create_target("ACCEPT")
253
    input_chain.insert_rule(rule)
254
    
255
    # Allow SSH from specific network
256
    rule = iptc.Rule6()
257
    rule.protocol = "tcp"
258
    rule.src = "2001:db8::/32"
259
    tcp_match = rule.create_match("tcp")
260
    tcp_match.dport = "22"
261
    rule.target = rule.create_target("ACCEPT")
262
    input_chain.insert_rule(rule)
263
    
264
    print("IPv6 firewall rules configured")
265

266
setup_ipv6_firewall()
267
```
268

269
### IPv6 Address Validation
270

271
```python
272
import iptc
273

274
def test_ipv6_addresses():
275
    """Test various IPv6 address formats"""
276
    
277
    table6 = iptc.Table6(iptc.Table.FILTER)
278
    chain = iptc.Chain(table6, "INPUT")
279
    
280
    # Test different IPv6 address formats
281
    ipv6_addresses = [
282
        "::1",                                      # Loopback
283
        "::",                                       # All zeros
284
        "2001:db8::1",                             # Compressed
285
        "2001:0db8:0000:0000:0000:0000:0000:0001", # Full
286
        "fe80::1",                                 # Link-local
287
        "ff02::1",                                 # Multicast
288
        "2001:db8::/32",                           # Network
289
        "fe80::/64"                                # Link-local network
290
    ]
291
    
292
    for addr in ipv6_addresses:
293
        try:
294
            rule = iptc.Rule6()
295
            rule.src = addr
296
            rule.target = rule.create_target("ACCEPT")
297
            
298
            # Test the rule (don't actually insert)
299
            print(f"Valid IPv6 address: {addr}")
300
            
301
        except Exception as e:
302
            print(f"Invalid IPv6 address {addr}: {e}")
303

304
test_ipv6_addresses()
305
```
306

307
## IPv6 vs IPv4 Differences
308

309
### Available Tables
310
- **IPv4**: filter, nat, mangle, raw, security
311
- **IPv6**: filter, mangle, raw, security (no nat table)
312

313
### Protocol Names
314
- **IPv4**: icmp
315
- **IPv6**: ipv6-icmp (or icmp6 for matches)
316

317
### Address Formats
318
- **IPv4**: Dotted decimal (192.168.1.1/24)
319
- **IPv6**: Hexadecimal with colons (2001:db8::1/64)
320

321
### Key Considerations
322
- IPv6 doesn't use NAT, focus on filtering and port redirection
323
- ICMPv6 is essential for IPv6 operation (neighbor discovery, etc.)
324
- Link-local addresses (fe80::/64) are important for local networks
325
- IPv6 extension headers provide additional matching capabilities