3

A router doesn't support IPv6. There is a machine connected to the router that is assigned an IPv4 address by the router. The machine uses firewall software.

Setting up the machine's firewall, all incoming traffic to the machine needs to be blocked except for one service. Is it enough for the machine's firewall to accept / reject IPv4 packets only, or should it also be set up to accept / reject IPv6 packets?

Aaron Thomas

4 Answers

3

The other answers are misleading, so here is my take:

Yes, you should block IPv6 on the machine's firewall or disable IPv6 on the machine altogether.

Here is why:

While the router may not support IPv6 (at this moment) and thus no IPv6 traffic is routed from external devices, the router does act as a Level 2 switch as well, so internally - because IPv6 works fine without a DHCP server - IPv6 traffic might work fine.

Now, since IPv6 is the only way to access some services today, one of your users might establish an IPv6 tunnel through IPv4 (which is possible and not very hard to do) to use these services.

If now the tunnel and/or the machine is badly configured, it may act as an IPv6 router through the IPv4 connection, turning the tides on the whole "IPv6 packets cannot reach that machine".

It is also worth noting that even leaving the ports open to internal users might pose a security risk. This usually applies to people not knowing about IPv6 being enabled, defining firewall rules for IPv4 and thinking they are done, until whatever malware (Android? Those are basically unpatched carriers of malware to begin with) gains access to your network.

Tobi Nary
1

If the router doesn't support IPv6, it won't route IPv6 packets, so you don't have to worry about IPv6 attacks from the internet (as others have said).

It's probably still worthwhile setting up firewall rules for IPv6, though, to protect against malicious traffic originating from your local network (smart TV, your friend's infected laptop, etc.).

If you don't actually use IPv6, you really just need 1 rule.

dogoncouch
1

As mentioned by others, the fact that the router is IPv4 could change (with a software upgrade, new router, etc.). So a complete firewall needs both IPv4 and IPv6.

One thing that you cannot do is DROP everything going through IPv6. This is because more and more services make use of IPv6 locally.

One way to block IPv6 is to use the following rules:

*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
COMMIT

That way lo traffic still goes through and anything else gets blocked.

If you need to know what gets blocked, you can LOG just before you DROP packets. For example, add those just before the corresponding DROP:

-A INPUT -j LOG --log-prefix "[iptables] reject_ipv6: " --log-uid
-A OUTPUT -j LOG --log-prefix "[iptables] reject_ipv6: " --log-uid

Note: As written, these rules can be applied using ip6tables-restore.

Logging can generate a lot of data in your syslog (where it goes by default on Linux). If you want to redirect the logs, look at man rsyslog.conf. On my end I use the following two lines:

:msg,contains,"[iptables]" /var/log/iptables/iptables.log
& stop

This assumes the log messages start with "[iptables]". The & stop rule means you drop the messages after they were saved in your iptables.log file.

Make sure to set up a logrotate entry to rotate the resulting log file, otherwise it will fill up your drive quickly.

Alexis Wilke
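The ruleset in the answer above drops every IPv6 packet except loopback, while the question actually asks for "block everything except one service". The script below is an added example, not code from any answer on this page: gen_ip6_rules prints an ip6tables-restore ruleset that admits one inbound TCP service on the port passed as its argument (the default 22 is a placeholder), keeps loopback and the ICMPv6 messages IPv6 needs for neighbour discovery and path MTU discovery, accepts replies to connections the host opened itself, and logs and drops the rest through the INPUT DROP policy. rules_ok is a small ordering check for the first-match semantics of a chain: an ACCEPT placed after the catch-all LOG/DROP never fires.

```shell
#!/bin/sh
# Added example, not taken from any answer on this page.
# gen_ip6_rules PORT prints an ip6tables-restore ruleset for "one service only".
# PORT defaults to 22 as a placeholder; pass the real service port.
gen_ip6_rules() {
    port="${1:-22}"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Without these ICMPv6 types the host cannot resolve neighbours, learn its
    # router or do path MTU discovery: the "you cannot DROP everything" caveat.
    for t in neighbour-solicitation neighbour-advertisement \
             router-advertisement echo-request destination-unreachable \
             packet-too-big time-exceeded parameter-problem; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # The single permitted service; only NEW connections need this rule,
    # later packets of the same flow match ESTABLISHED above.
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # Log what is about to be dropped; the INPUT policy does the dropping.
    printf '%s\n' '-A INPUT -j LOG --log-prefix "[ip6tables] drop: "' 'COMMIT'
}

# rules_ok RULESET_TEXT: returns 0 when INPUT ends in a drop (policy DROP or
# an explicit "-A INPUT -j DROP") and no ACCEPT rule sits after the first
# LOG/DROP rule, 1 otherwise. ip6tables stops at the first matching rule, so
# a late ACCEPT is dead code and the service would be unreachable.
rules_ok() {
    printf '%s\n' "$1" | awk '
        /^:INPUT DROP/                      { policy_drop = 1 }
        /^-A INPUT -j DROP$/                { explicit_drop = 1 }
        /^-A INPUT .*-j (LOG|DROP)/         { catchall = 1 }
        /^-A INPUT .*-j ACCEPT/ && catchall { late_accept = 1 }
        END { exit ((policy_drop || explicit_drop) && !late_accept) ? 0 : 1 }'
}

# Usage (as root):  gen_ip6_rules 443 | ip6tables-restore --test   # parse only
#                   gen_ip6_rules 443 | ip6tables-restore          # apply
```

The OUTPUT chain is left at ACCEPT, matching the question's "block incoming" goal; the answer's stricter variant also drops outbound traffic. Pair the LOG rule with the rsyslog and logrotate setup described in the answer above, since every unsolicited IPv6 packet on the LAN will now produce a log line.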
-1

If the router doesn't support IPv6, you don't need to do anything since it cannot route those packets at all.

You can easily check. If your router supports IPv6 at all, it will have a number of settings that relate to it. Typically there will also be a flag that turns it off completely.

You can also check on a PC by connecting to the router and rebooting. If your network connection has an IPv6 address starting FE00 (link local) or FC00 or FDnn (Unique Local Addresses - ULA) then you have a non-routable address that cannot be routed over the Internet.

Julian Knight
  • This is true as long as attacks are only expected from the internet and not from IPv6 enabled systems inside the local network. It is not clear for me from the question what the exact expectation is here. – Steffen Ullrich Nov 24 '17 at 22:24
  • That is certainly a reasonable point. Perhaps the question will be clarified. – Julian Knight Nov 24 '17 at 23:30
  • @SteffenUllrich sorry for my ignorance, but are you saying that one ipv6-enabled system could interact with another ipv6-enabled system, even if attached through a non-ipv6 router? i'm afraid this is a difficult concept for me to grasp, probably because i'm more used to ipv4. maybe another answer detailing your thoughts would be good. – Aaron Thomas Nov 25 '17 at 01:35
  • @AaronThomas: the task of a router is to route packets to some external network (i.e. internet) based on some routing information (like a single default gateway in the simplest case). For traffic inside the local network no routing is done. In this case you either have a separate switch or the router works as a switch too (common with SoHo devices). And a dumb switch (i.e. most cheap ones) works only at layer 2 (i.e. MAC addresses) and does not care about layer 3 (IP address, i.e. IPv4 or IPv6) and thus works with IPv6 even if the router itself does not support IPv6 for routing. – Steffen Ullrich Nov 25 '17 at 05:16
  • Oh, before reading your comments, @SteffenUllrich I kind of answered in that direction. Julian: that would imply that I am fine with private IPv4 addresses as well? A router might designate local addresses but still route traffic - ever heard of NAT? – Tobi Nary Nov 25 '17 at 07:24
  • NAT is not typically used with IPv6 though it is possible if the router supports it. Your point about an ip6 tunnel is well made though & I should have added that. I'll admit that I was thinking about the external threat rather than internal. Of course, the easiest approach and one taken by many is simply to turn off IPv6 support in the OS. – Julian Knight Nov 25 '17 at 10:27
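The address check described in the answer above, as an added example that is not part of the answer or its comments: ip6_scope classifies one IPv6 address by prefix (::1 loopback, fe80::/10 link-local, fc00::/7 unique local, 2000::/3 global unicast, anything else reported as other), and list_ip6_scopes runs it over the output of `ip -6 addr show`. The sample output embedded below is constructed, not captured from a real host. If the list shows only loopback, link-local and unique-local entries, the machine has no address that can be reached from the Internet; as the comments point out, that says nothing about IPv6 hosts on the same LAN, which can still reach the link-local and ULA addresses directly.

```shell
#!/bin/sh
# Added example, not code from the answer above.
# ip6_scope ADDR[/PREFIX] prints the scope class of one IPv6 address.
ip6_scope() {
    addr=$(printf '%s' "$1" | cut -d/ -f1 | tr 'A-F' 'a-f')
    case "$addr" in
        ::1)                          echo loopback ;;      # host only
        fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;    # fe80::/10
        fc??:*|fd??:*)                echo unique-local ;;  # fc00::/7 (ULA)
        2???:*|3???:*)                echo global ;;        # 2000::/3
        *)                            echo other ;;
    esac
}

# list_ip6_scopes: reads `ip -6 addr show` output on stdin and prints
# "ADDRESS/PREFIX SCOPE" for every inet6 line.
list_ip6_scopes() {
    awk '$1 == "inet6" { print $2 }' | while read -r a; do
        printf '%s %s\n' "$a" "$(ip6_scope "$a")"
    done
}

# Constructed sample of `ip -6 addr show` output (not from a real host).
SAMPLE_IP6_ADDR='1: lo: <LOOPBACK,UP> mtu 65536
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet6 fd12:3456:789a::10/64 scope global
    inet6 fe80::1c2b:3d4e:5f60:7a8b/64 scope link
    inet6 2001:db8::42/64 scope global'

# Usage: printf '%s\n' "$SAMPLE_IP6_ADDR" | list_ip6_scopes
#        ip -6 addr show | list_ip6_scopes      # on a real host
```

Note that `ip` labels a ULA as "scope global" because ULA is a global-scope address family in the IPv6 addressing architecture; it is still not routed on the public Internet, which is why the classifier looks at the prefix rather than at that column.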