diff --git a/modules/rhizo_base/files/rc.local b/modules/rhizo_base/files/rc.local
index aa39618..326fc4e 100644
--- a/modules/rhizo_base/files/rc.local
+++ b/modules/rhizo_base/files/rc.local
@@ -2,6 +2,4 @@
 /home/rhizomatica/bin/get_ip.sh
-sysctl net.ipv6.conf.all.disable_ipv6=1
-
 exit 0
diff --git a/modules/rhizo_base/manifests/init.pp b/modules/rhizo_base/manifests/init.pp
index 33dcbb0..08f4dc1 100644
--- a/modules/rhizo_base/manifests/init.pp
+++ b/modules/rhizo_base/manifests/init.pp
@@ -70,6 +70,8 @@ class rhizo_base {
 $jb_bts = hiera('rhizo::jb_bts', '100')
 # IP address
+ $has_ip6 = hiera('rhizo::has_ip6', '')
+ $ip6_trusted = hiera('rhizo::ip6_trusted', '::1/128')
 $mncc_ip_address = hiera('rhizo::mncc_ip_address', '172.16.0.1')
 $bsc_ip_address = hiera('rhizo::bsc_ip_address', '172.16.0.1')
 $vpn_ip_address = hiera('rhizo::vpn_ip_address')
@@ -737,4 +739,27 @@ schedule { 'never':
 type => 'ssh-rsa',
 }
+ if $has_ip6 == "1" {
+ file { '/etc/network/ip6t-default':
+ ensure => 'present',
+ content => template('rhizo_base/ip6tables.erb'),
+ notify => Exec['ip6t-reset'],
+ }
+ file { '/etc/sysctl.d/10-ipv6.conf':
+ ensure => 'absent'
+ }
+ exec { 'ip6-activate':
+ command => '/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0'
+ }
+ } else {
+ file { '/etc/sysctl.d/10-ipv6.conf':
+ content => "net.ipv6.conf.all.disable_ipv6=1\n"
+ }
+ }
+
+ exec { 'ip6t-reset':
+ refreshonly => true,
+ command => '/sbin/ip6tables-restore < /etc/network/ip6t-default'
+ }
+
 }
diff --git a/modules/rhizo_base/templates/ip6tables.erb b/modules/rhizo_base/templates/ip6tables.erb
new file mode 100644
index 0000000..6b72a22
--- /dev/null
+++ b/modules/rhizo_base/templates/ip6tables.erb
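Review bot: `$ip6_trusted` is read from hiera and interpolated unvalidated into the ip6tables template, where `-A ip6_pass -s <value> -j ACCEPT` sits ahead of every other INPUT rule, so a typo or an over-broad value such as `::/0` silently turns the DROP policy into accept-all for the whole host; constrain it at the lookup, e.g. `validate_re($ip6_trusted, '^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$')` if puppetlabs-stdlib is on the module path, or an equivalent match that fails the catalog. `$has_ip6` defaults to `''` and is compared later with `== "1"`, so a hiera value of `true` or `yes` leaves IPv6 disabled with no error and, depending on the Puppet version, an integer `1` may or may not match; a `validate_re($has_ip6, '^(1|)$')`-style check, or at least a `# rhizo::has_ip6 must be the string "1" to enable IPv6` comment at the lookup, would make the contract explicit. The enclosing class `rhizo_base` starts and ends outside this hunk.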
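Review bot: `Exec['ip6-activate']` enables IPv6 on every Puppet run with no `onlyif`/`unless` and no ordering against `Exec['ip6t-reset']`, so on a host where `/etc/network/ip6t-default` is still being written the stack can come up before the DROP-policy ruleset is loaded; add `onlyif => '/bin/grep -qx 1 /proc/sys/net/ipv6/conf/all/disable_ipv6',` and `require => Exec['ip6t-reset'],` to it so it runs once and only after the restore. Removing `/etc/sysctl.d/10-ipv6.conf` means IPv6 is enabled at boot, while `Exec['ip6t-reset']` is `refreshonly` and only fires on a file change, so unless an if-up hook or iptables-persistent outside this diff reloads the ruleset, a rebooted host runs with IPv6 on and an empty ip6tables INPUT chain (kernel default policy ACCEPT) until the next file change; worth confirming and documenting in a comment on the exec. Separately, Puppet's default posix exec provider does not invoke a shell, so the `<` in `/sbin/ip6tables-restore < /etc/network/ip6t-default` is passed as a literal argument; use `command => '/sbin/ip6tables-restore /etc/network/ip6t-default'` or set `provider => 'shell'`. The enclosing class `rhizo_base` starts outside this hunk.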
@@ -0,0 +1,29 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ip6_pass - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j ip6_pass
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 655 -j ACCEPT
+-A INPUT -p udp -m udp --dport 655 -j ACCEPT
+#-A INPUT -p tcp -m tcp -s <%= @ip6_trusted %> --dport 22 -j ACCEPT
+-A ip6_pass -s <%= @ip6_trusted %> -j ACCEPT
+COMMIT
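Review bot: The Neighbor Discovery rules for ICMPv6 types 133–136 accept Router Solicitation/Advertisement and Neighbor Solicitation/Advertisement from any source with no hop-limit check, so a forged Router Advertisement (type 134) routed in from off-link is accepted by a host whose INPUT policy is otherwise DROP; RFC 4890 matches NDP with `-m hl --hl-eq 255`, since legitimate NDP is never forwarded and always arrives with hop limit 255. The `-s fe80::/10` qualifier already on the MLD rules (130–132, 143) shows the intent, and adding the hop-limit match to the four NDP lines as in the fence below closes the gap without affecting on-link autoconfiguration. `:FORWARD ACCEPT` also deserves a second look: if IPv6 forwarding is enabled on this host (not visible in the diff) every transit packet passes unfiltered, and `:FORWARD DROP` with explicit rules would match the INPUT posture. The commented-out `#-A INPUT ... --dport 22` line is dead now that `ip6_pass` admits the trusted source ahead of it; either drop it or keep it with a `# ssh from untrusted IPv6 sources is intentionally closed` comment so the next reader knows it is deliberate.
```erb
# … unchanged: policies, lo, ip6_pass jump, state, DHCPv6 and MLD rules …
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -m limit --limit 1000/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -m limit --limit 1000/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -m limit --limit 1000/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -m limit --limit 1000/sec -j ACCEPT
# … unchanged: tcp/udp 655, ip6_pass chain, COMMIT …
```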