diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 44bba7a0f..c5f1bf745 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -16,6 +16,8 @@ ipxtables -t filter -F CLOUDRON # empty any existing rules
 # first setup any user IP block lists
 ipset create cloudron_blocklist hash:net || true
+ipset create cloudron_blocklist6 hash:net family inet6 || true
+
 /home/yellowtent/box/src/scripts/setblocklist.sh
 iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
@@ -24,6 +26,11 @@ if ! iptables -t filter -C DOCKER-USER -m set --match-set cloudron_blocklist src
 iptables -t filter -I DOCKER-USER 1 -m set --match-set cloudron_blocklist src -j DROP
 fi
+ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j DROP
+# there is no DOCKER-USER chain in ip6tables, bug?
+ip6tables -D FORWARD -m set --match-set cloudron_blocklist6 src -j DROP || true
+ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP
+
 # allow related and establisted connections
 ipxtables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
 ipxtables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,80,202,443 -j ACCEPT # 202 is the alternate ssh port
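Review bot: The `ip6tables -I FORWARD 1` fallback under `# there is no DOCKER-USER chain in ip6tables, bug?` is not the same placement as the v4 rule in DOCKER-USER, and the comment leaves an open question in shipped code. As far as I know the docker daemon re-inserts its own jumps at the head of FORWARD on every start, so after a docker restart this DROP can end up below them and IPv6 traffic to containers may be accepted before the blocklist is consulted; DOCKER-USER exists precisely to avoid that, and whether ip6tables has one depends on the daemon's ip6tables setting rather than on a bug. Probe for the chain and use it when present, falling back to FORWARD otherwise, and replace the question with a statement of the chosen behaviour; the rewritten lines are below.
```shell
ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j DROP
# ip6tables only has a DOCKER-USER chain when the docker daemon manages ip6tables;
# use it when present (same placement as the v4 rule), otherwise the top of FORWARD
if ip6tables -t filter -n -L DOCKER-USER >/dev/null 2>&1; then
    v6_block_chain="DOCKER-USER"
else
    v6_block_chain="FORWARD"
fi
ip6tables -D "${v6_block_chain}" -m set --match-set cloudron_blocklist6 src -j DROP 2>/dev/null || true
ip6tables -I "${v6_block_chain}" 1 -m set --match-set cloudron_blocklist6 src -j DROP
# … unchanged: related/established and port allow rules …
```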
@@ -44,21 +51,30 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
 done
 fi
+# LDAP user directory allow list
 ipset create cloudron_ldap_allowlist hash:net || true
 ipset flush cloudron_ldap_allowlist
+ipset create cloudron_ldap_allowlist6 hash:net family inet6 || true
+ipset flush cloudron_ldap_allowlist6
+
 ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt"
 if [[ -f "${ldap_allowlist_json}" ]]; then
 # without the -n block, any last line without a new line won't be read it!
 while read -r line || [[ -n "$line" ]]; do
 [[ -z "${line}" ]] && continue # ignore empty lines
 [[ "$line" =~ ^#.*$ ]] && continue # ignore lines starting with #
- ipset add -! cloudron_ldap_allowlist "${line}" # the -! ignore duplicates
+ if [[ "$line" == *":"* ]]; then
+ ipset add -! cloudron_ldap_allowlist6 "${line}" # the -! ignore duplicates
+ else
+ ipset add -! cloudron_ldap_allowlist "${line}" # the -! ignore duplicates
+ fi
 done < "${ldap_allowlist_json}"
 # ldap server we expose 3004 and also redirect from standard ldaps port 636
 ipxtables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
 iptables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist src -p tcp --dport 3004 -j ACCEPT
+ ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist6 src -p tcp --dport 3004 -j ACCEPT
 fi
 # turn and stun service
diff --git a/src/scripts/setblocklist.sh b/src/scripts/setblocklist.sh
index 6af931f3a..3d1d1c2e6 100755
--- a/src/scripts/setblocklist.sh
+++ b/src/scripts/setblocklist.sh
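Review bot: The IPv4/IPv6 split `if [[ "$line" == *":"* ]]; then` is repeated verbatim in src/scripts/setblocklist.sh in this same commit, and the comment on the add lines is spelled differently in the two copies (`# the -! ignore duplicates` here, `# the -! ignores duplicates` there). The classifier deserves a one-line comment where it lives, e.g. `# entries containing ':' go to the inet6 set, everything else to the IPv4 set`, because a colon anywhere in the line decides the family and only lines starting with # are skipped, so an inline comment containing a colon sends an IPv4 entry to the wrong set. Since the same loop now loads two files into two set pairs, a shared helper taking the v4 set, the v6 set and the file path would remove the duplication.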
@@ -23,6 +23,11 @@ if [[ -f "${user_firewall_json}" ]]; then
 while read -r line || [[ -n "$line" ]]; do
 [[ -z "${line}" ]] && continue # ignore empty lines
 [[ "$line" =~ ^#.*$ ]] && continue # ignore lines starting with #
- ipset add -! cloudron_blocklist "${line}" # the -! ignore duplicates
+
+ if [[ "$line" == *":"* ]]; then
+ ipset add -! cloudron_blocklist6 "${line}" # the -! ignores duplicates
+ else
+ ipset add -! cloudron_blocklist "${line}" # the -! ignores duplicates
+ fi
 done < "${user_firewall_json}"
 fi
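Review bot: The new `ipset add -! cloudron_blocklist6 "${line}"` assumes the inet6 set already exists, but `-!` only suppresses the already-added error, not "set does not exist", so running this script on its own before setup/start/cloudron-firewall.sh has created the set (that creation is part of this commit) makes the add fail. If the part of the script above the hunk flushes cloudron_blocklist before re-reading the file, the v6 set needs the same treatment there, `ipset create cloudron_blocklist6 hash:net family inet6 || true` followed by `ipset flush cloudron_blocklist6`, otherwise addresses removed from the file stay in the v6 set. The loop sits inside an `if [[ -f "${user_firewall_json}" ]]` block that starts outside the hunk; the added blank line between the `=~` check and the new `if` is the only blank line in the loop body and could be dropped.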