...
You should allow protocol 41 (IPv6) packets from the HE endpoint:
iptables -A INPUT -s $IPv4_of_TunnelBroker -p ipv6 -j ACCEPT
Otherwise IPv6 traffic will only flow if you sent the first packet, in which case your ESTABLISHED,RELATED rule would be used.
Agreed. Also, your rule:
iptables -I INPUT 1 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
might not be the best choice to permit looped back packets.
Try these:
-A INPUT -j ACCEPT -i lo
-A OUTPUT -j ACCEPT -o lo
-A INPUT -j ACCEPT -p ipv6 -s tserv15.lax1.ipv6.he.net (I use this tunnel)
-A OUTPUT -j ACCEPT -p ipv6 -d tserv15.lax1.ipv6.he.net (you could restrict this further)
and in "/etc/protocols":
ipv6 41 IPV6 # ipv6
You should also get used to using iptables-restore instead of separate commands; it's more efficient for bringing up a firewall all at once.
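The ruleset the two replies describe, combined into one iptables-restore file as the second reply recommends. This is an added example, not code from either poster: the tunnel server address 203.0.113.10 is a constructed placeholder, and the conntrack match, numeric protocol 41 (which needs no /etc/protocols entry) and DROP default policy are my choices.

```shell
#!/bin/sh
# Added example: emit a complete filter-table ruleset for an HE 6in4 tunnel
# in iptables-restore format. $1 is the tunnel server's IPv4 address.
he_tunnel_ruleset() {
    endpoint="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: match on the interface, not on 127/8 source/destination addresses
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 6in4 (IP protocol 41) is accepted from the tunnel server only, even when
# the remote side sends the first packet; numeric protocol avoids /etc/protocols
-A INPUT -s ${endpoint} -p 41 -j ACCEPT
# Encapsulated IPv6 may only leave toward the tunnel server
-A OUTPUT -p 41 ! -d ${endpoint} -j DROP
COMMIT
EOF
}

# Constructed placeholder endpoint (TEST-NET-3), not a real HE tunnel server.
# Load with:  he_tunnel_ruleset <tunnel-server-ipv4> | iptables-restore
he_tunnel_ruleset 203.0.113.10
```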