Hurricane Electric's IPv6 Tunnel Broker Forums
1  General IPv6 Topics / IPv6 on Routing Platforms / Re: OpenWRT - can't reach machines behind router or open up any ports on: January 30, 2011, 08:38:48 am
Thanks - I think that was the piece I was missing.  When I think about it in terms of INPUT=router, FORWARD=behind router, and output=stuff generated to go out combined with the fact that order in the chain matters - it all makes a lot more sense.

Thanks!
2  General IPv6 Topics / IPv6 on Routing Platforms / OpenWRT - can't reach machines behind router or open up any ports on: January 29, 2011, 05:47:12 pm
Hi all

I am having trouble opening up ports and seeing machines behind my router.  I am pretty sure I have the router and tunnel set up correctly because I can ping6 ipv6.google.com from both my machine on my lan and router itself.  When I do a port scan though with the port scan tools here, no matter if it is the tunnel end, my router, or machine on my lan - I can't reach them at all.
Following are my ip6tables rules

Code:
iptables -I INPUT 1 -s 216.218.226.238  -p 41 -j ACCEPT
iptables -A input_wan -s 216.218.226.238 -p 41 -j ACCEPT

ip6tables -F

# Allow ICMPv6 everywhere
ip6tables -A INPUT  -p icmpv6 -j ACCEPT
ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT

#Allow tcp everywhere
#ip6tables -A INPUT -p tcp -j ACCEPT
#ip6tables -I OUTPUT -p tcp -j ACCEPT
#ip6tables -I FORWARD -p tcp -j ACCEPT



# Allow anything on the local loopback link
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT -o henet -j ACCEPT

# Allow the localnet access us:
ip6tables -A INPUT  -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT

# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

# Allow forwarding
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-henet -s 2001:470:b:314::/64  -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow MLDHT packets
ip6tables -A FORWARD -p tcp --dport 49001:49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001:49001 -j ACCEPT

ip6tables -A FORWARD -p tcp --dport 22:22 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 22:22 -j ACCEPT

#drop privileged ports
#ip6tables -A INPUT -p tcp --dport 1:1024 -j DROP
#ip6tables -A INPUT -p udp --dport 1:1024 -j DROP

#log the activity that will get dropped (optional)
#ip6tables -A INPUT -j LOG
#ip6tables -A FORWARD -j LOG
#ip6tables -A OUTPUT -j LOG

# Set the default policy
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT  DROP


I thought that the following lines would open up port 22:

ip6tables -A FORWARD -p tcp --dport 22:22 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 22:22 -j ACCEPT

and that because there is no NAT in IPv6, it would get routed to the right place depending on the address I put into the tool (either 2001:470:b:314::1 (router) or 2001:470:b:314:204:4bff:fe05:5eea (machine behind router)). I ssh into them all the time otherwise. Also, if I add the lines

#Allow tcp everywhere
ip6tables -A INPUT -p tcp -j ACCEPT
ip6tables -I OUTPUT -p tcp -j ACCEPT
ip6tables -I FORWARD -p tcp -j ACCEPT

then the port scan tool shows all the ports that my router is listening on (not a good long term solution).  Can someone point me to some working examples or help me figure out how I open up ports with the rules I have now?  I can't seem to find any real good examples.  Thanks!
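
Added example, not part of the original posts: a dry-run sketch of the INPUT (router itself) versus FORWARD (hosts behind the router) split that the follow-up post describes, opening TCP 22 to one address at a time instead of accepting all TCP. The helper names (`chain_for`, `open_tcp_port`, `base_rules`) and the `RUN`, `WAN6_IF` and `ROUTER_ADDRS` variables are hypothetical; the interface name `6in4-henet` is assumed from the commented-out rule in the post, and the addresses are the ones quoted there.

```shell
#!/bin/sh
# Added example: prints the rules by default; run with RUN= (as root) to apply.
RUN="${RUN-echo}"
WAN6_IF="${WAN6_IF:-6in4-henet}"                   # tunnel interface (assumed name)
ROUTER_ADDRS="${ROUTER_ADDRS:-2001:470:b:314::1}"  # addresses the router itself owns

# A packet addressed to the router traverses INPUT; a packet routed through
# it to another host traverses FORWARD and never sees the INPUT rules.
chain_for() {
    for a in $ROUTER_ADDRS; do
        [ "$1" = "$a" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

# Open one inbound TCP port from the tunnel to a single destination address.
# usage: open_tcp_port <dst-address> <port>
open_tcp_port() {
    chain=$(chain_for "$1")
    $RUN ip6tables -A "$chain" -i "$WAN6_IF" -d "$1" -p tcp --dport "$2" \
        -m state --state NEW -j ACCEPT
}

base_rules() {
    # Replies to connections that were already allowed, in both chains.
    $RUN ip6tables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may start connections out through the tunnel.
    $RUN ip6tables -A FORWARD -i br-lan -o "$WAN6_IF" -j ACCEPT
}

base_rules
open_tcp_port 2001:470:b:314::1 22                  # sshd on the router: INPUT
open_tcp_port 2001:470:b:314:204:4bff:fe05:5eea 22  # sshd on the LAN host: FORWARD
```

SSH runs over TCP only, so no UDP rule for port 22 is generated; the rules are appended with `-A`, so they must be added before any earlier DROP or REJECT rule in the same chain would match.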