I use FireHOL as my iptables helper. FireHOL has proven very effective at managing complex sets of rules, including multiple interfaces and protocols, "strong" protection against several types of attacks, and other things that would take me a huge amount of time to handle by hand. And, when it comes to security, analysis time is paralysis time.
However, FireHOL isn't particularly aware of IPv6, let alone tunneling techniques such as Teredo or 6to4. 6to4 encapsulates IPv6 packets directly inside IPv4 packets, sent (in most scenarios) to a relay anycast address, and none of FireHOL's service definitions describe that traffic. iptables can still match it on the IPv4 protocol field: protocol number 41 is 'ipv6' (IPv6 encapsulation) in /etc/protocols, so a rule on protocol 41 is what brings 6to4 traffic under the firewall's control.
A solution: define a new FireHOL interface whose matching rule is protocol 41, and then set your restrictions on that interface:

    interface eth0 6tunnel proto 41
        # Example policy
        policy accept
        server all accept
        client all accept

The example policy above is deliberately wide open (it accepts everything in both directions); tighten it to what you actually need. Note also that this only matches the IPv4 encapsulation: the decapsulated IPv6 packets appear on the tunnel interface and need their own ip6tables rules, which this configuration does not provide.
If you're not using FireHOL but some homebrew iptables script, you can match the same traffic with -p 41 (or -p ipv6, which iptables resolves through /etc/protocols).
6to4 is a very effective way to start using IPv6 if you have a static, globally routable IPv4 address, since your 6to4 prefix is derived from that address. ifupdown provides a very elegant way of managing the tunnel, which is documented in Debian's wiki.
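As an added example (not code from the original post), here is the raw-iptables route and the static-address prerequisite worked through in POSIX shell: one function derives the 2002::/48 prefix that belongs to a public IPv4 address, and another emits an iptables-restore fragment matching protocol 41 so the ruleset can be reviewed before it is loaded. The interface name eth0, the address 203.0.113.10 and the relay anycast address are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules for 6to4
# (IPv6-in-IPv4, IPv4 protocol 41) as an iptables-restore fragment, plus the
# 6to4 prefix derivation. Interface, public address and relay are assumed values.

RELAY_ANYCAST="192.88.99.1"   # 6to4 relay anycast address (RFC 3068)

# sixto4_prefix A.B.C.D -> 2002:AABB:CCDD::/48 (the 6to4 prefix for that address)
sixto4_prefix() {
    # shellcheck disable=SC2046  # word splitting on the spaces is intended
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '2002:%02x%02x:%02x%02x::/48' "$1" "$2" "$3" "$4"
}

# gen_6to4_rules IFACE PUBLIC_IPV4
# Emits filter-table rules that accept only the protocol-41 packets a 6to4 host
# legitimately sends and receives, and drop any other IPv6-in-IPv4 on that interface.
gen_6to4_rules() {
    iface="$1"
    myip="$2"
    cat <<EOF
*filter
# 6to4 tunnel traffic for $myip (prefix $(sixto4_prefix "$myip")) on $iface.
# These rules see only the outer IPv4 header: the decapsulated IPv6 packets show
# up on the tunnel interface and must be filtered separately with ip6tables.
# Outbound: encapsulated packets must carry our own public address as source,
# whether they go to the relay ($RELAY_ANYCAST) or directly to another 6to4 site.
-A OUTPUT -o $iface -p 41 -s $myip -j ACCEPT
# Inbound: other 6to4 sites and relays reply from their own IPv4 addresses, so the
# source cannot be pinned to the relay; only the destination can be checked.
-A INPUT -i $iface -p 41 -d $myip -j ACCEPT
# Any other protocol-41 traffic is not ours.
-A INPUT -i $iface -p 41 -j DROP
-A FORWARD -p 41 -j DROP
COMMIT
EOF
}

# Stand-alone usage with the assumed values: print the ruleset for review.
if [ "${1:-}" = "--demo" ]; then
    gen_6to4_rules eth0 203.0.113.10
fi
```

Run it with --demo to print the fragment; if your iptables-restore supports --test you can parse-check the output as root before committing it. The INPUT rule cannot restrict the source address because 6to4 peers send their replies directly from their own IPv4 addresses, not via the relay; that is exactly why the inner IPv6 traffic needs its own ip6tables policy on the tunnel interface.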