diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 7601fd1be43..d0119c56fce 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -268,9 +268,11 @@ in
             # Accept all ICMPv6 messages except redirects and node
             # information queries (type 139).  See RFC 4890, section
             # 4.4.
-            ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP
-            ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP
-            ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept
+            ${optionalString config.networking.enableIPv6 ''
+              ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP
+              ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP
+              ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept
+            ''}
 
             ${cfg.extraCommands}