@timendum
Last active September 30, 2020 09:20
Basic setup for ip6tables - drop all traffic except local and LAN traffic.
#!/bin/bash
# http://ipset.netfilter.org/iptables.man.html
# Source: https://gist.github.com/velizarn/9c5bd160fa19161a4a761865d400f522
# flush (delete all rules)
ip6tables -F
# Set default chain policies
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
# Accept ongoing traffic for any existing connection that was already accepted by another rule.
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept all ICMP packets. Unlike with IPv4, it's not a good idea to block ICMPv6 traffic as IPv6 is much more heavily dependent on it:
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# Accept all traffic from/to the local interface:
ip6tables -A INPUT -i lo -j ACCEPT
# Accept all IPv6 LAN traffic, i.e. packets from link-local source addresses (fe80::/10),
# which can only originate on the directly attached segment.
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
# ----------------------------------------------------------------------------------------
# Custom rules go here
#
# ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ----------------------------------------------------------------------------------------
# At the end of our rules, we reject all traffic that didn't match a rule, using
# "administratively prohibited" so the sender gets an explicit ICMPv6 error instead of a silent drop.
# Any rule appended to INPUT or FORWARD after this point can never match, so custom rules
# belong in the section above.
ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
# -------------------------------------------------
# Save configuration changes. ip6tables-save only prints the ruleset to stdout, so redirect it
# to the file the ip6tables service loads at start (/etc/sysconfig/ip6tables with the
# iptables-services package on RHEL-based systems; adjust the path for your distribution).
ip6tables-save > /etc/sysconfig/ip6tables
# Restart ip6tables service so it reloads the saved ruleset
systemctl restart ip6tables.service
# List rules
ip6tables -S
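Because the script closes the INPUT and FORWARD chains with a catch-all REJECT, anything later appended with `ip6tables -A INPUT ...` (for example, opening SSH after the fact) lands below that REJECT and is silently dead. The following audit helper is an added example, not part of the gist: it reads an `ip6tables -S` dump and reports every rule that sits below its chain's unconditional REJECT or DROP. The sample dump is constructed to mirror the ruleset above plus one mistakenly appended SSH rule; the function name `find_shadowed_rules` is this example's own.

```shell
#!/bin/sh
# Added example (not part of the gist): audit an `ip6tables -S` dump for rules
# that can never match because they were appended after the chain's catch-all
# REJECT/DROP. Usage on a live host: ip6tables -S | find_shadowed_rules

# Constructed sample dump, modelled on what `ip6tables -S` prints after running
# the script above and then (mistakenly) appending an SSH rule with -A.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# Print every "-A CHAIN ..." rule that appears after CHAIN already received an
# unconditional terminating rule of the form "-A CHAIN -j REJECT|DROP [...]".
# Reads the dump from stdin; prints nothing when the ruleset is clean.
find_shadowed_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            # Anything appended below a catch-all REJECT/DROP is unreachable.
            if (chain in terminated) { print; next }
            # A match-free terminating rule has -j as its first option.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) terminated[chain] = 1
        }
    '
}

# Convenience wrapper: exit status 1 when at least one shadowed rule exists,
# so the check can gate a deployment script.
ruleset_is_clean() {
    [ -z "$(find_shadowed_rules)" ]
}

# Demonstration on the constructed sample: prints the dead SSH rule.
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules
```

The fix for a shadowed rule is to place it in the "Custom rules go here" section and rerun the script, or to insert it above the REJECT with `-I` instead of `-A`.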