Is there truth to any of this? I think the biggest hurdle in adoption of IPv6 is awareness.

All of those commands are the firewall, not just the first four. iptables is an interface to the Linux kernel firewall.

Think about what you're saying though. Let's say you have a public IP address of 198.18.23.15 and you have a local client with IP 192.168.1.4.

A UDP datagram with source 192.168.1.4:12000 and destination 8.8.8.8:53 comes into your router. It's translated by NAT to a source of 198.18.23.15:15400.

Now 8.8.8.8:53 responds, and your router receives a datagram on 198.18.23.15:15400. It has no stateful firewall. Where does the datagram go?

The router can't know that datagrams with a destination of 198.18.23.15:15400 should be redirected to 192.168.1.4:12000. It's not stateful, after all.

And what about a datagram/segment for a port that the router has never seen? There's nowhere for it to go, so it'll get dropped, implicitly.

That's what is meant by "NAT implies a stateful firewall that blocks by default". They're building blocks that are necessary to implement NAT. They're not the same as a properly designed stateful firewall, but they perform a very, very similar function.
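The scenario in the comment above, worked through as a small port-translating NAT simulator. This is an added example, not code from the thread or from any router. It assumes the addresses and ports used above (198.18.23.15 as the public side, 192.168.1.4:12000 as the client, 15400 as the first public port handed out), a constructed scanner address 203.0.113.9, and "address and port-dependent filtering" in RFC 4787 terms (a reply is only accepted from the exact remote endpoint the client sent to); real NATs differ in that last point. The `keep_state=False` mode models the hypothetical router with no connection-tracking table.

```python
"""NAPT simulator: why a port-translating NAT needs per-flow state.

Added example, not code from the thread above. Addresses, ports and
payloads are constructed to match the comment's scenario.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatRouter:
    """Port-translating NAT in front of a private LAN.

    keep_state=False models a router with no connection-tracking table:
    outbound datagrams are still rewritten, but nothing remembers which
    LAN host a reply belongs to.
    """

    def __init__(self, public_ip: str, first_port: int = 15400, keep_state: bool = True):
        self.public_ip = public_ip
        self.next_port = first_port
        self.keep_state = keep_state
        # (lan ip, lan port, remote ip, remote port) -> public port for that flow
        self._out: dict[tuple, int] = {}
        # (public port, remote ip, remote port) -> (lan ip, lan port).
        # Keying on the remote endpoint too is "address and port-dependent
        # filtering" (RFC 4787); an assumption here, real NATs vary.
        self._in: dict[tuple, tuple[str, int]] = {}

    def lan_to_wan(self, d: Datagram) -> Datagram:
        """Rewrite the source to the public address and a per-flow public port."""
        key = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            if self.keep_state:
                self._out[key] = pub_port
                self._in[(pub_port, d.dst_ip, d.dst_port)] = (d.src_ip, d.src_port)
        return replace(d, src_ip=self.public_ip, src_port=pub_port)

    def wan_to_lan(self, d: Datagram) -> Optional[Datagram]:
        """Translate an inbound datagram back to the LAN, or None when it is dropped."""
        if d.dst_ip != self.public_ip:
            return None
        target = self._in.get((d.dst_port, d.src_ip, d.src_port))
        if target is None:
            # No outbound flow created this mapping: nowhere to deliver it, so drop.
            return None
        lan_ip, lan_port = target
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)


def run_demo(keep_state: bool = True) -> dict:
    """Play the comment's DNS exchange plus two unsolicited inbound datagrams."""
    router = NatRouter("198.18.23.15", keep_state=keep_state)
    # Constructed traffic: the LAN client queries 8.8.8.8:53.
    query = Datagram("192.168.1.4", 12000, "8.8.8.8", 53, b"dns query")
    on_wire = router.lan_to_wan(query)
    reply = Datagram("8.8.8.8", 53, on_wire.src_ip, on_wire.src_port, b"dns answer")
    # Constructed probe to a public port the router never mapped.
    stray = Datagram("203.0.113.9", 4444, router.public_ip, 15401, b"probe")
    # Constructed forgery: the mapped port, but from a remote that was never queried.
    off_path = Datagram("203.0.113.9", 53, router.public_ip, on_wire.src_port, b"forged answer")
    return {
        "on_wire": on_wire,
        "delivered": router.wan_to_lan(reply),
        "stray": router.wan_to_lan(stray),
        "off_path": router.wan_to_lan(off_path),
    }


if __name__ == "__main__":
    for state in (True, False):
        r = run_demo(keep_state=state)
        d = r["delivered"]
        where = f"{d.dst_ip}:{d.dst_port}" if d else "nobody (dropped)"
        print(f"keep_state={state}: query leaves as {r['on_wire'].src_ip}:{r['on_wire'].src_port}, "
              f"reply delivered to {where}, stray={r['stray']}, off_path={r['off_path']}")
```

With state kept, the reply finds its way back to 192.168.1.4:12000 while the probe and the forged answer are dropped because no entry matches them; with `keep_state=False` the outbound rewrite still happens but even the legitimate reply has nowhere to go, which is the implicit drop the comment describes.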
