What is the most restrictive way to allow IPv6 ICMP requests on iptables?

This is what I have so far but it is pretty open.

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -p ipv6-icmp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT

If you have time, explaining the rules would be amazing.
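
A tighter variant of the ruleset in the question, as an added example that is not part of the original post: the blanket `-p ipv6-icmp -j ACCEPT` rules become per-type rules, with neighbor discovery accepted only at hop limit 255 (on-link origin). It assumes an end host rather than a router; the set of allowed types, the echo rate limit, the `fe80::/10` MLD source match and the added INPUT state rule are assumed policy choices.

```shell
#!/bin/sh
# Added example (not from the original post): prints an ip6tables-restore
# ruleset for an end host. Allowed types and the rate limit are assumptions.
icmpv6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # Errors: 1 unreachable, 2 packet too big (path MTU discovery),
    # 3 time exceeded, 4 parameter problem.
    for t in 1 2 3 4; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        echo "-A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Echo request (128): rate limited inbound, allowed outbound.
    # Echo replies (129) match the ESTABLISHED rules above.
    echo "-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/second -j ACCEPT"
    echo "-A OUTPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT"
    # Neighbor discovery a host receives: 134 router advertisement,
    # 135 neighbor solicitation, 136 neighbor advertisement.
    # Hop limit 255 means the packet has not crossed a router.
    for t in 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Neighbor discovery a host sends: 133 router solicitation, 135, 136.
    for t in 133 135 136; do
        echo "-A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Multicast listener discovery: queries (130) arrive from link-local
    # routers; reports and done messages (131, 132, 143) are sent by the host.
    echo "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT"
    for t in 131 132 143; do
        echo "-A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset; pipe into "ip6tables-restore --test" to syntax-check it.
icmpv6_ruleset
```

Everything not listed, including redirects (137) and inbound router solicitations (133), falls through to the DROP policy.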

The reason behind the dramatic drop in IPv6 adoption rate in China according to Google measurements?

Google has an IPv6 measurement page that reports that their numbers report on the percentage of users that access Google over IPv6.

According to the report, by Jan 2020 0.3% of users in China used IPv6 to access Google.

However, looking at this metric in dynamic we see the substantial drop starting from June 2019.

I failed to find any solid news that may cause such behavior. I have two hypotheses in mind.

  1. Also as it is a percentage metric, they can adjust their calculation on the total internet penetration rate in China.
  2. Previously open discussions between netizens took place on Google Plus groups. In April 2019, Google shut down Google Plus. Technical discussions continue on Chinese-language blogs, forums, and groups. For obvious reasons, discussions must be hosted outside China, and posters must register under pseudonyms. So probably that caused the shift from Google services but I hardly believe that it may cause such a plummet.

Is it a Bad Idea™ to open all IPv6 ports for devices in an isolated guest network?

At home I have a dual-stack IPv4/IPv6 broadband connection, and I also have a wireless access point. The access point currently bridges all traffic into my LAN, which is not segmented in any way, so all visitors that use my wireless network have the full run of my LAN.

While I certainly do not doubt my friends’ good intentions I do see the possibility of their smartphones being compromised, and I’d rather not have compromised devices in my private LAN if I can help it. This, and also the fact that being in my private LAN does not gain my friends any benefits, makes me want to set up a separate wireless guest network, which I would then also use with my own smartphone.

I am currently considering opening all ports for incoming IPv6 TCP and UDP traffic for the devices in this separate guest network.

My reason for doing so is vastly improved service reliability. As a practical example, I use the Conversations XMPP chat app that does support sharing e.g. pictures, but this doesn’t work very well while both me and the other person are in our respective home LANs, presumably because neither of us has any ports open (IPv6) or forwarded (IPv4) for our smartphones.

Just to verify this hypothesis I opened all IPv6 ports for my smartphone only. And voilà, sharing pictures has been working flawlessly ever since.

The general implications of opening a router’s IPv6 firewall have been extensively discussed here, however I think my situation with the guest network for smartphones and other mobile devices is not quite comparable, because

  • Smartphones are designed for being directly connected to the internet any odd way, and therefore should not have problems with open IPv6 ports
  • It would only pertain to the totally separated guest network, any device in which would, from the view of a device in my LAN, just be any other device out there in the public internet

Is this sound reasoning, or is there something important I am not seeing?

Hiding rough whereabouts of a machine with IPv6, without using a proxy

Since I configured my smartphone Access Point Name (APN) of the type APN protocol from including the value IPv4 to including the value IPv4/IPv6, generally all different addresses I got after restarting my smartphone about 10 times, started with:


44c8 seems to me to stand for “Bangkok, Thailand”.

Although the question might seem absurd;
Is there any way, besides surfing through a proxy IP address, for hiding rough whereabouts of a machine with IPv6?

Why since I configured my smartphone APN protocol to IPv4/IPv6 I (might) only have IPv6 addresses?

About a week ago I configured my smartphone Access Point Name (APN) of the type APN protocol from including the value IPv4 to including the value IPv4/IPv6, all IP addresses I recognized for my smartphone were IPv6 addresses.
I didn’t change the value for the APN type APN roaming protocol → its value is still IPv4 only.

I understand I can now have both IPv4 addresses and IPv6 addresses but the purpose of the following question is to understand the tendency I personally recognize for IPv6 (only?) addresses for my smartphone.

Why since I configured my smartphone APN protocol to IPv4/IPv6 I (might) only have IPv6 addresses? Is it a coincidence or the cause of some global standard cellular operators are now following?

How to set IP segment and connection string with IPv6?

For this PostgreSQL configuration example:


    local   replication   repmgr                              trust
    host    replication   repmgr            trust
    host    replication   repmgr          trust

    local   repmgr        repmgr                              trust
    host    repmgr        repmgr            trust
    host    repmgr        repmgr          trust

I have two questions.

Question 1

This is IPv4 type:

How to do with an IPv6 IP like: 230b:c010:103:5858:a6a3:3:0:1?

Question 2

If use jdbc to connect a PostgreSQL server can make string as How to do with IPv6? Is it like 230b:c010:103:5858:a6a3:3:0:1:5432?