We've recently started experimenting with IPv6, and one of the first issues we're having to contend with is dealing with a completely separate set of firewall (Linux iptables/ip6ables) rules for the two protocol stacks. Our firewall logic is based largely around a number of purpose-specific networks (e.g., 10.0.0.0/24 is the staff workstation network, 10.1.0.0/24 is the database network, 10.2.0.0/24 is the web server network, etc), and the logic for both IPv6 and IPv4 will be largely the same, modulo different network prefixes.
What are people doing to manage this sort of situation? Ideally I would like to be able to generate both iptables and ip6tables rulesets from the same source file(s). I have already thrown together something using bash, but it's not necessarily pretty and I suspect that a better solution must exist somewhere out there.
I would be particularly interested in a Puppet-based solution that makes good use of Puppet's own dependency mechanisms to implement relative ordering of rules (or groups of rules).
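A minimal version of the "one source, two rulesets" generator the question asks about, added here as an example; it is not code from the question, from any answer, or from any of the tools named on this page. It assumes a constructed definition format (`net` records that pair an IPv4 and an IPv6 prefix under one name, and `allow` records that reference those names), and the network names and prefixes in `SAMPLE_DEFS` are invented. It only prints iptables-restore / ip6tables-restore text rather than loading it, so both outputs can be reviewed before they touch a live box:

```shell
#!/bin/sh
# Added example: emit iptables and ip6tables rule sets from ONE definition file.
# Assumed (constructed) definition format, one record per line:
#   net   <name> <ipv4-prefix> <ipv6-prefix>
#   allow <src-net> <dst-net> <proto> <dport>
# Rules are emitted in file order, so ordering is controlled by the source file.
set -eu

# Constructed sample definitions; names and prefixes are invented for this example.
SAMPLE_DEFS=$(cat <<'EOF'
# name        ipv4            ipv6
net staff     10.0.0.0/24     2001:db8:0::/64
net db        10.1.0.0/24     2001:db8:1::/64
net web       10.2.0.0/24     2001:db8:2::/64
# src   dst   proto dport
allow staff web tcp 443
allow web   db  tcp 5432
EOF
)

# Print one line; avoids printf treating a leading "-A" as an option.
emit() { printf '%s\n' "$*"; }

# lookup_net FAMILY NAME DEFS -> prints the prefix of NAME for family 4 or 6
# (prints nothing if the name is not defined).
lookup_net() {
    lf=$1; ln=$2; ld=$3
    printf '%s\n' "$ld" | awk -v n="$ln" -v f="$lf" \
        '$1=="net" && $2==n { print (f=="4") ? $3 : $4; exit }'
}

# gen_rules FAMILY DEFS -> prints a complete filter table in *tables-restore
# syntax for one address family. Returns 1 if a rule names an unknown network,
# so a typo in the source file fails the build instead of silently dropping a rule.
gen_rules() {
    family=$1; defs=$2
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # IPv6 is the one place the two stacks genuinely differ: neighbour discovery
    # and path-MTU discovery ride on ICMPv6, so a default-DROP v6 policy that
    # also drops ICMPv6 breaks connectivity rather than hardening it.
    if [ "$family" = 6 ]; then
        emit '-A FORWARD -p icmpv6 -j ACCEPT'
    fi
    # Here-doc (not a pipe) keeps the loop in this shell so "return 1" works.
    while read -r kind a b c d; do
        case "$kind" in
            allow)
                src=$(lookup_net "$family" "$a" "$defs")
                dst=$(lookup_net "$family" "$b" "$defs")
                if [ -z "$src" ] || [ -z "$dst" ]; then
                    echo "gen_rules: unknown network in: allow $a $b $c $d" >&2
                    return 1
                fi
                emit "-A FORWARD -s $src -d $dst -p $c --dport $d -m conntrack --ctstate NEW -j ACCEPT"
                ;;
        esac
    done <<EOF
$defs
EOF
    emit 'COMMIT'
}

# count_allows FAMILY DEFS -> number of generated allow rules; comparing the
# v4 and v6 counts is a cheap check that no rule was lost for one family.
count_allows() {
    gen_rules "$1" "$2" | grep -c -- '--ctstate NEW'
}

# Stand-alone usage: write both files for review, e.g. diff them, then load with
#   iptables-restore < /tmp/v4.rules ; ip6tables-restore < /tmp/v6.rules
gen_rules 4 "$SAMPLE_DEFS" > /tmp/v4.rules
gen_rules 6 "$SAMPLE_DEFS" > /tmp/v6.rules
echo "v4 allow rules: $(count_allows 4 "$SAMPLE_DEFS"), v6 allow rules: $(count_allows 6 "$SAMPLE_DEFS")"
```

The two generated files differ only in prefixes and the ICMPv6 line, which is exactly what `diff /tmp/v4.rules /tmp/v6.rules` should show; anything else in that diff means the generator, not the policy, changed.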
Firewall Builder has exactly what you need. You can create one rule set, mark it as "combined ipv4+ipv6" and place your ipv4 and ipv6 networks assigned to the same segment (such as "database network" etc.) in the same rule. The program then generates two separate iptables configurations, one for ipv4 and another for ipv6. This chapter of the Users Guide illustrates this, although it uses Cisco routers access lists as an example. It works exactly the same for iptables.
http://www.fwbuilder.org/4.0/docs/users_guide5/combined-ipv4-ipv6-rule-set.html
I was also recently confronted with creating iptables rules for both IPv4 and IPv6. After some searching I ended up using the IPv6 FireHOL branch by Phil Whineray.
Unfortunately the official version lacks support for IPv6. But Phil Whineray has added support in an unofficial branch.
Some examples of how the configuration looks:
You can check out this firehol branch at:
Additional documentation can be found at the official FireHOL documentation or at the additional Readme about IPv6.
Personally I probably would be cautious when using it on a production machine where having a 100% reliable firewall is important. But it's worth a look nevertheless.
In the interest of continued evangelism of the cause, I suggest leveraging Puppet to do your lifting. There isn't presently a good script for handling iptables 4 and 6 rules, but it wouldn't be too much of a challenge to write one either once you adjust to the language.
Mediawiki's public git repository is a fantastic mine of configuration patterns and includes an iptables class that will provide a good base to start with. You could edit it to apply rules to both stacks at once by default and have flags for different rules when you're basing things on IPv4 or IPv6 rules.
The ultimate bonus at the end of this is that the firewall rules for a service can be written into the service definition and automatically deployed and removed when a service is deployed or removed.
Answering my own question here, but I thought this information might be of general interest:
While looking into this question I stumbled across ufw (Uncomplicated FireWall) from the Ubuntu folks. With IPv6 enabled in the ufw configuration, ufw will manage iptables and ip6tables rules in parallel. This means you can do something like this:
And end up with:
Which results in iptables/ip6tables rules that look like this:
Ufw also supports application profiles, which allow you to create named groups of ports. You can do this:
And end up opening both ports 80 and 443 (for both IPv4 and IPv6).
I've only just started looking at it, but it seems to be fairly well put together.
Since it is still missing from the list: Shorewall is a widely-adopted and regularly updated feature-rich packet filter configuration tool. It has had IPv6 support for a while now.