diff --git a/docker/phantun.sh b/docker/phantun.sh
index 59c2f66..1949d23 100755
--- a/docker/phantun.sh
+++ b/docker/phantun.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
 
-#
-# TODO: add ipv6 support
-#
-
 info() {
   local green='\e[0;32m'
   local clear='\e[0m'
@@ -29,18 +25,26 @@ _get_default_iface() {
   ip -4 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
 }
 
+_get_default6_iface() {
+  ip -6 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
 _get_addr_by_iface() {
   ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
 }
 
-#_get_peer_by_iface() {
-#  ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $4}' | awk -F '/' '{print $1}' | head -1
-#}
+_get_addr6_by_iface() {
+  ip -6 addr show dev "$1" | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
 
 _check_rule_by_comment() {
   iptables-save | grep -q "$1"
 }
 
+_check_rule6_by_comment() {
+  ip6tables-save | grep -q "$1"
+}
+
 _is_server_mode() {
   [ "$1" = "phantun-server" ]
 }
@@ -67,6 +71,11 @@ _get_peer_from_args() {
   _is_server_mode "$1" && echo ${peer:=192.168.201.2} || echo ${peer:=192.168.200.2}
 }
 
+_get_peer6_from_args() {
+  local peer=$(echo "$@" | awk -F '--tun-peer6' '{print $2}' | awk '{print $1}')
+  _is_server_mode "$1" && echo ${peer:=fcc9::2} || echo ${peer:=fcc8::2}
+}
+
 _get_port_from_args() {
   echo "$@" | awk -F '-l|--local' '{print $2}' | awk '{print $1}'
 }
@@ -81,12 +90,22 @@ _revoke_iptables() {
   local port=$(_get_port_from_args "$@")
   local comment="phantun_${tun}_${port}"
   iptables-save | grep -v "${comment}" | iptables-restore
-  info "remove iptables rule: [${comment}]."
+  info "remove iptables rule: [${comment}]"
+}
+
+_revoke_ip6tables() {
+  ! _is_ipv4_only "$@" || return
+  local tun=$(_get_tun_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+  ip6tables-save | grep -v "${comment}" | ip6tables-restore
+  info "remove ip6tables rule: [${comment}]"
 }
 
 apply_sysctl() {
   info "apply sysctl: $(sysctl -w net.ipv4.ip_forward=1)"
-  _is_ipv4_only "$@" || info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)"
+  ! _is_ipv4_only "$@" || return
+  info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)"
 }
 
 apply_iptables() {
@@ -114,16 +133,45 @@ apply_iptables() {
   fi
 }
 
+apply_ip6tables() {
+  ! _is_ipv4_only "$@" || return
+
+  local interface=$(_get_default6_iface)
+  local address=$(_get_addr6_by_iface "${interface}")
+  local tun=$(_get_tun_from_args "$@")
+  local peer=$(_get_peer6_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  if _check_rule6_by_comment "${comment}"; then
+    warn "ip6tables rule already exist, maybe needs to check."
+  else
+    ip6tables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}"
+    ip6tables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}"
+    if _is_server_mode "$1"; then
+      info "add ip6tables DNAT rule: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+      ip6tables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+        -m comment --comment "${comment}" || error "ip6tables DNAT rule add failed."
+    else
+      info "add ip6tables SNAT rule: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+      ip6tables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+        -m comment --comment "${comment}" || error "ip6tables SNAT rule add failed."
+    fi
+  fi
+}
+
 graceful_stop() {
   warn "caught SIGTERM or SIGINT signal, graceful stopping..."
   _stop_process
   _revoke_iptables "$@"
+  _revoke_ip6tables "$@"
 }
 
 start_phantun() {
   trap 'graceful_stop "$@"' SIGTERM SIGINT
   apply_sysctl "$@"
   apply_iptables "$@"
+  apply_ip6tables "$@"
   "$@" &
   wait
 }