Hands-on lab for ip6tables

For this lab, you'll use the same Ubuntu virtual machine that you used in the previous iptables labs. You'll leave the IPv4 firewall setup that's already there as is and create a new firewall for IPv6. Let's get started:

  1. View your IPv6 rules, or lack thereof, by using the following command:
sudo ip6tables -L
  2. Create the IPv6 firewall. Due to formatting constraints, I can't list the entire code block of commands here. You can find the respective commands in this chapter's directory, in the code file that you can download from the Packt Publishing website.
  3. View the new ruleset by using the following command:
sudo ip6tables -L
  4. Next, set up the mangle table rules that drop packets conntrack classifies as invalid, and TCP packets that try to open a new connection without the SYN flag set:
sudo ip6tables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

sudo ip6tables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  5. Save the new ruleset to a file in your own home directory, and then copy the rules file to /etc/iptables/, which is where the iptables-persistent package loads rules.v6 from at boot:
sudo ip6tables-save > rules.v6
sudo cp rules.v6 /etc/iptables/
  6. Obtain the IPv6 address of the virtual machine by using the following command:
ip a
  7. On the machine that you installed Nmap on, perform a TCP Window scan (-sW) of the virtual machine's IPv6 address. The command will look like this, except with your own IP address. Note that an address starting with fe80:: is link-local, so the scanning machine must be on the same network segment as the virtual machine, and Nmap may need to be told which interface to send from with its -e option:
sudo nmap -6 -sW fe80::a00:27ff:fe9f:d923
  8. On the virtual machine, observe which rule was triggered by using the following command:
sudo ip6tables -t mangle -L -v

You should see non-zero packet and byte counters for one of the mangle table rules.

  9. On the machine that you installed Nmap on, perform an XMAS scan (-sX) of the virtual machine's IPv6 address. Again, substitute your own IP address:
sudo nmap -6 -sX fe80::a00:27ff:fe9f:d923
  10. As before, on the virtual machine, observe which rule was triggered by this scan:
sudo ip6tables -t mangle -L -v
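The following script is an added example, not the book's downloadable ruleset. It shows one way to build the IPv6 firewall from steps 2 and 4 so that the commands can be reviewed before they are applied, and it includes a small helper for steps 8 and 10 that reads the verbose mangle table listing and prints only the rules whose packet counters are non-zero. The SSH port, the choice to accept all ICMPv6, and the sample listing are assumptions for this example; the filter rules are a minimal default-deny ruleset rather than whatever the book's file contains.

```bash
#!/bin/bash
# Added example (not the book's code): generate, apply and check a minimal
# IPv6 firewall for the lab VM. Run with "show" to print the rules, "apply"
# to install them with sudo, or "check" to list rules with hits.
set -u

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH is the only service to expose

# filter table: default-deny inbound; allow loopback, replies, ICMPv6 and SSH.
# ICMPv6 is accepted wholesale because neighbour discovery and router
# advertisements run over it; a host that drops it loses IPv6 connectivity.
ipv6_filter_rules() {
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# mangle table: the two rules from step 4. The second one catches TCP
# segments that try to start a connection without SYN, which is exactly
# what the Window (-sW) and XMAS (-sX) scans send.
ipv6_mangle_rules() {
    cat <<'EOF'
ip6tables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
ip6tables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
}

# Apply every generated command with sudo, stopping at the first failure.
apply_rules() {
    { ipv6_filter_rules; ipv6_mangle_rules; } | while IFS= read -r cmd; do
        sudo sh -c "$cmd" || return 1
    done
}

# Read "ip6tables -t mangle -L -v -n" output on stdin and print one line per
# rule whose packet counter is non-zero: "<chain> <pkts> <bytes> <target> <proto>".
# Chain headers and column headers are skipped; the first field of a rule
# line is the packet counter, which is all the lab needs to look at.
triggered_rules() {
    awk '/^Chain/    { chain = $2; next }
         /^ *pkts/   { next }
         NF && $1 + 0 > 0 { print chain, $1, $2, $3, $4 }'
}

case "${1:-}" in
    show)  ipv6_filter_rules; ipv6_mangle_rules ;;
    apply) apply_rules ;;
    check) sudo ip6tables -t mangle -L -v -n | triggered_rules ;;
esac
```

Run `./ip6fw.sh show` first and read the generated commands, then `./ip6fw.sh apply` on the virtual machine, and after each Nmap scan `./ip6fw.sh check` to see which mangle rule absorbed the probes. Keeping the rules as printed commands rather than running them directly makes the ruleset easy to diff, review, and reuse in the shell scripts mentioned later in this chapter.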

That's the end of this lab – congratulations!

So far, you've seen the good, the bad, and the ugly of iptables. It's very flexible, and there's a lot of power in the iptables commands. If you're clever at shell scripting, you can create some rather complex shell scripts that you can use to deploy iptables rulesets on the machines all across your network.

On the other hand, getting everything right can be quite complex, especially if you need to consider that your machines have to run both IPv4 and IPv6, and that everything you do for IPv4 has to be done again for IPv6. (If you're a masochist, you might actually enjoy it.)
