I have enabled IPv6 w/prefix delegation on my Comcast-connected Arch Linux router; 2 ethernet ports, WAN and LAN. The router splits a Comcast DHCPv6-provided 2601::/64 subnet for use on an internal LAN interface, with LAN systems getting autoconfig addresses from radvd. I have a basic ip6tables which default DROPs on INPUT and FORWARD chains, ACCEPTs all traffic incoming on the LAN interface , and ACCEPTs related/established connections & ICMPv6 messages on INPUT and FORWARD chains. I would like to open a specific port through to allow a listening service on a LAN machine to be world-accessible. I have not found out how to do this on a client-specific basis. I am currently wishing to open port 1234, and am doing so with the following:

Which works, but is sort of a "blanket" allow, whereby any system on the LAN that has a v6 service listening on port 1234 is accessible from the WAN. In an IPv4 scenario, I would set a static internal address for the listening client, and then filter the iptables rule by both port number and destination (static) address for the client. But with IPv6, I can't really do that. The 2601:: addresses provided by Comcast change from time to time, and I don't want to configure ULA addresses on LAN clients because of compatibility problems I've heard with certain OSes (the client is Win7 in this case).

ACCEPTing traffic to a dport of 1234 and a particular destination MAC would do the job, but I haven't found a way to do this with iptables/ip6tables.

Any ideas? Here is the full /etc/iptables/ip6tables.rules (WAN interface is named "external", LAN is "internal"):