Do I have to block IPv4-mapped IP addresses in my IPv6 firewall?

Çağlar Arlı

I am writing the iplock tool to help me set up my Linux firewall. For the most part, my current strategy, since I don't yet use IPv6 much, is to pretty much block everything IPv6 ("simple").

I would like to switch all my public-facing services to using IPv6. So for that to happen, I first need a good plan for my firewall.

I know I can map an IPv4 address inside an IPv6 address (in other words, IPv6 includes all IPv4 addresses). Here is how an IPv4 address is mapped inside an IPv6 address:

0000:0000:0000:0000:0000:FFFF:xxxx:xxxx

What I'm wondering is whether such an IPv6 address is routed through the iptables rules (IPv4) or the ip6tables rules (IPv6)? Since it would come through an IPv6 address, it would make sense to run it through ip6tables, but at the same time, I think it should go through iptables since that special IPv6 address is supposed to just be an encapsulation. I could not find anything about this in the iptables(8) and ip6tables(8) man pages.
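
The mapped layout described in the question, as an added example that is not part of the original post: it builds and recognizes addresses in the IPv4-mapped prefix ::ffff:0:0/96 and recovers the IPv4 address they carry. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# IPv4-mapped prefix: 80 zero bits, 16 one bits (FFFF), then the 32-bit IPv4 address.
MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def to_mapped(ipv4_text):
    """Build the IPv4-mapped IPv6 address for an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4_text)
    return ipaddress.IPv6Address((0xFFFF << 32) | int(v4))


def embedded_ipv4(addr_text):
    """Return the embedded IPv4Address if addr_text is IPv4-mapped, else None."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version != 6 or addr not in MAPPED_PREFIX:
        return None
    # The low 32 bits of a mapped address are the IPv4 address itself.
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def find_mapped(sources):
    """Map each IPv4-mapped source address to the IPv4 address it carries."""
    found = {}
    for text in sources:
        v4 = embedded_ipv4(text)
        if v4 is not None:
            found[text] = str(v4)
    return found


# Constructed sample addresses, not taken from the page.
SAMPLE_SOURCES = [
    "0000:0000:0000:0000:0000:FFFF:C000:0201",  # fully expanded layout from the question
    "::ffff:198.51.100.7",                      # same prefix, dotted-quad notation
    "2001:db8::1",                              # ordinary IPv6 address
    "::c000:201",                               # low 32 bits set, no FFFF group: not mapped
    "192.0.2.1",                                # plain IPv4 address
]

if __name__ == "__main__":
    for src, v4 in find_mapped(SAMPLE_SOURCES).items():
        print(f"{src} carries {v4}")
    print(to_mapped("192.0.2.1"))
```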