What does the "-p ipv6" option of iptables mean?

Started by Toucanfan, August 03, 2010, 05:11:12 PM

Toucanfan

In the normal iptables (not ip6tables) it is possible to specify "ipv6" after the -p option, but I wonder what it does...
In an iptables script I downloaded, it was stated that: "if you want to use ipv6 addresses, then enable this" (iptables -A INPUT -p ipv6 -j ACCEPT).

However, flushing the table and executing 'iptables -A INPUT -p ipv6 -j DROP' doesn't seem to drop ping probes from another host on the same link. I haven't had the possibility to test with ssh or nmap, as I don't know how to do that with link-local addresses.

Can anyone please explain what that "ipv6" option does?

Thanks  ;D

patrickdk

The -p ipv6 is the ipv6-in-ipv4 protocol (41), used for HE native tunnels.

To stop ipv6 pings, you would do -p ipv6-icmp, or -p 58.

If you wanted to stop ipv6 tcp packets, that would be much harder, because ipv4 and ipv6 both use protocol 6 for tcp, as they should, because the ipv4 and ipv6 id is in the ethernet header, not the ip header.

Toucanfan

Hi. Thank you for explaining.
However, I tried appending -p 58 -j DROP to the INPUT chain of iptables, but I was still able to ping the host from another host (using a link-local address).
I assume this is because iptables only deals with ipv4 traffic, and the ICMPv6 number (58) is in the ipv6 next header field, right?
To deal with ipv6 traffic I will have to use ip6tables.

patrickdk

Yes, I thought about that a little later.

iptables deals with all traffic coming in that has the ethernet ipv4 type id (tcp, udp, icmp, ...)

but

ip6tables is going to deal with all traffic with the ethernet ipv6 type id (tcp, udp, icmp6, ...)

So yeah, you have to use ip6tables to block protocol 58, as it should never be seen on ipv4.
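
To illustrate the demultiplexing patrickdk describes (EtherType picks the table, then the IPv4 protocol byte or IPv6 next-header byte is what a "-p" rule compares against), here is an added Python example that is not from the thread; it builds minimal constructed Ethernet frames with sample MAC, TEST-NET-1 and link-local addresses and reports which table would ever see a given "-p" match.

```python
import struct

ETH_P_IP = 0x0800       # EtherType: IPv4 -> handled by iptables
ETH_P_IPV6 = 0x86DD     # EtherType: IPv6 -> handled by ip6tables
IPPROTO_TCP = 6         # same number in both IPv4 and IPv6
IPPROTO_IPV6 = 41       # "-p ipv6": IPv6 encapsulated in IPv4 (6in4, HE tunnels)
IPPROTO_ICMPV6 = 58     # "-p ipv6-icmp": only meaningful as an IPv6 next header

MACS = bytes.fromhex("020000000001" "020000000002")  # constructed dst+src MACs

def ipv4_frame(proto: int) -> bytes:
    """Frame with a minimal 20-byte IPv4 header (constructed TEST-NET-1 addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return MACS + struct.pack("!H", ETH_P_IP) + hdr

def ipv6_frame(next_header: int) -> bytes:
    """Frame with a minimal 40-byte IPv6 header (constructed fe80::/64 addresses)."""
    src = bytes.fromhex("fe80" + "0" * 24 + "0001")
    dst = bytes.fromhex("fe80" + "0" * 24 + "0002")
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64, src, dst)
    return MACS + struct.pack("!H", ETH_P_IPV6) + hdr

def classify(frame: bytes) -> tuple:
    """Return (table, protocol) that a '-p' rule is compared against for this frame.

    The EtherType selects iptables or ip6tables; the protocol value comes from
    the IPv4 'protocol' byte (offset 9) or the IPv6 'next header' byte (offset 6).
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETH_P_IP:
        return ("iptables", ip[9])
    if ethertype == ETH_P_IPV6:
        return ("ip6tables", ip[6])
    return ("none", -1)

def rule_matches(table: str, proto: int, frame: bytes) -> bool:
    """Would '<table> -A INPUT -p <proto>' ever see and match this frame?"""
    return classify(frame) == (table, proto)

if __name__ == "__main__":
    native_ping = ipv6_frame(IPPROTO_ICMPV6)   # ICMPv6 echo request on the link
    tunnel_pkt = ipv4_frame(IPPROTO_IPV6)      # 6in4: IPv6 carried inside IPv4
    print("iptables  -p 58   matches native ping?", rule_matches("iptables", 58, native_ping))
    print("ip6tables -p 58   matches native ping?", rule_matches("ip6tables", 58, native_ping))
    print("iptables  -p ipv6 matches 6in4 packet?", rule_matches("iptables", 41, tunnel_pkt))
```

The first check is the rule Toucanfan tried: it never fires because the frame is IPv6 at the EtherType level and so never reaches iptables.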

Toucanfan

Right, I understand it now. Should the thread be marked as solved, or what is the common practice here?