Trying to get the basic firewall setup for IPv6 using ip6tables (this is on Ubuntu server 16.04). On the INPUT chain, whenever there is client-initiated IPv6 traffic (e.g. running 'apt update'), I get tons of packets from what I assume to be the gateway (from the same network address as my IP address, but ending in ::1 [64 bits of 0's ending in a 1]). If I drop this traffic, things run slow (e.g. 'apt update' takes quite a while to (successfully) complete). If I let these packets in, things are normal.
The problem is that I have read quite a bit on configuring ip6tables but nothing I have read so far mentions anything about this incoming 'gateway' traffic that isn't part of --ctstate ESTABLISHED,RELATED.
Also during this back and forth, I get some packets from the link-local address (fe08::1) destined to my actual public IP address. These are also being dropped as per my rules.
Here are my IPv6 rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-A INPUT -j LOG --log-prefix "IPv6-DROP="
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Very basic initial setup. If IPv6 configuration is supposed to ACCEPT incoming from NETWORK-ADDRESS::1 and from fe08::1, why don't the tutorial sites and examples point this out? I only get barraged with these packets when I request something (e.g. 'apt update'). So, shouldn't they be included in the ctstate RELATED,ESTABLISHED? Or the lo?
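An added example, not part of the original post: a small Python audit of the INPUT chain exactly as posted, reporting rules that have a match but no `-j` target and checking whether the ICMPv6 neighbor discovery types (133-136, RFC 4861) are accepted before the unconditional DROP. The names `target_of` and `audit` are hypothetical, and the check is a simplification that ignores source-address and hop-limit matches.

```python
import shlex

# Ruleset as posted in the question (ip6tables-restore format).
POSTED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-A INPUT -j LOG --log-prefix "IPv6-DROP="
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""

# ICMPv6 neighbor discovery messages every IPv6 host exchanges with its router.
ND_TYPES = {"133": "router-solicitation", "134": "router-advertisement",
            "135": "neighbour-solicitation", "136": "neighbour-advertisement"}

def target_of(tokens):
    """Return the -j/-g target, or None if the rule only matches and counts."""
    for flag in ("-j", "--jump", "-g", "--goto"):
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None

def audit(text, chain="INPUT"):
    """Walk the chain in order and list problems seen before the final DROP."""
    findings, accepted = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue
        target = target_of(tokens)
        if target is None:
            findings.append(f"line {no}: no target, rule never accepts or drops")
        elif target == "DROP" and len(tokens) == 4:
            break  # unconditional drop: nothing after this line is reached
        elif target == "ACCEPT" and {"icmpv6", "ipv6-icmp"} & set(tokens):
            if "--icmpv6-type" in tokens:
                t = tokens[tokens.index("--icmpv6-type") + 1]
                accepted.add(t.replace("neighbor", "neighbour"))
            else:
                accepted.update(ND_TYPES)  # no type match: all ICMPv6 accepted
    for num, name in ND_TYPES.items():
        if not accepted & {num, name}:
            findings.append(f"ICMPv6 type {num} ({name}) not accepted before DROP")
    return findings
```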