say i want to open a single tcp port 100 to a single host behind an IPv6 router. This router is providing prefix delegation to the internal LAN, and is configuring the hosts via router advertisements; its firewall is configured to DROP all incoming, NEW state traffic. What would be the iptables rule to add that would allow forwarded traffic with destination port 100 TCP to 1 host behind the router? i would think that you would allow FORWARDed traffic coming in from the external interface with a destination port of 100 to a destination link-local address of the machine in question, something like:

but this does not work

The destination address in your rule is wrong. You have to use the globally routable IPv6 address, not the link-local (fe80::/16) address. Link local addresses cannot be routed, and are never valid source or destination addresses in the FORWARD chain.

right, but all the LAN clients are getting DHCPv6-PD global addresses from the router, meaning that the addresses change (with Comcast PD, the prefix changes roughly once every 4 days), meaning that i would have to rewrite this rule every time it changes...

That's obviously a deliberate strategy from Comcast to prevent people from running servers. I mean, heaven forbid you'd use your Internet connection for, well, Internet stuff.

When the local prefix changes, does that mean the external router address changes as well? In any case, it should be possible to have such a change trigger a script which could then modify and reapply the firewall rules.

yeah, i suppose i could just wildcard forward port 100, with no destination address:

but that seems too broad