IPv6 support

Author: Enver Cicak

README.md

@@ -114,7 +114,7 @@ extend:
 Using iptables.nat
 ==================
 
-You can use nat for interface.
+You can use nat for interface. This is supported for IPv4 alone. IPv6 deployments should not use NAT.
 
 ```yaml
   #Support nat
@@ -126,3 +126,30 @@ You can use nat for interface.
         '192.168.18.0/24':
           - 10.20.0.2
 ```
+
+IPv6 Support
+============
+
+This formula supports IPv6 as long as it is activated with the option:
+
+```
+firewall:
+  ipv6: True
+```
+
+Services and whitelists are supported under the sections `services_ipv6` and `whitelist_ipv6`, as below:
+
+```
+  services_ipv6:
+    ssh:
+      block_nomatch: False
+      ips_allow:
+        - 2a02:2028:773:d01:10a5:f34f:e7ff:f55b/64
+        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
+  whitelist_ipv6:
+    networks:
+      ips_allow:
+        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
+```
+
+These sections are only processed if the ipv6 support is activated.

iptables/init.sls

@@ -5,8 +5,16 @@
 {% from "iptables/map.jinja" import firewall with context %}
 {% set install = firewall.install %}
 {% set strict_mode = firewall.strict %}
+{% set ipv6 = firewall.get('ipv6', False) %}
 {% set global_block_nomatch = firewall.block_nomatch %}
 {% set packages = firewall.pkgs %}
+{% set ipv4 = 'IPv4' %}
+{% set ipv6 = 'IPv6' %}
+{% set protocols = [ipv4] %}
+{% if ipv6 %}
+{%   do protocols.append(ipv6) %}
+{% endif %}
+{% set sufixes = {ipv4: '', ipv6: '_ipv6'} %}
 
 {%- if firewall.enabled %}
     {%- if install %}
@@ -22,51 +30,65 @@
     {%- if strict_mode %}
       # If the firewall is set to strict mode, we'll need to allow some
       # that always need access to anything
-      iptables_allow_localhost:
+      {%- for protocol in protocols %}
+      iptables_allow_localhost{{sufixes[protocol]}}:
         iptables.append:
           - table: filter
           - chain: INPUT
           - jump: ACCEPT
+        {%- if protocol == ipv4 %}
           - source: 127.0.0.1
+        {%- else %}
+          - source: ::1
+          - family: ipv6
+        {%- endif %}
           - save: True
 
       # Allow related/established sessions
-      iptables_allow_established:
+      iptables_allow_established{{sufixes[protocol]}}:
         iptables.append:
           - table: filter
           - chain: INPUT
           - jump: ACCEPT
           - match: conntrack
           - ctstate: 'RELATED,ESTABLISHED'
+        {%- if protocol == ipv6 %}
+          - family: ipv6
+        {%- endif %}
           - save: True
 
       # Set the policy to deny everything unless defined
-      enable_reject_policy:
+      enable_reject_policy{{sufixes[protocol]}}:
         iptables.set_policy:
           - table: filter
           - chain: INPUT
           - policy: DROP
+        {%- if protocol == ipv6 %}
+          - family: ipv6
+        {%- endif %}
           - require:
-            - iptables: iptables_allow_localhost
-            - iptables: iptables_allow_established
+            - iptables: iptables_allow_localhost{{sufixes[protocol]}}
+            - iptables: iptables_allow_established{{sufixes[protocol]}}
+      {%- endfor %}
     {%- endif %}
 
   # Generate ipsets for all services that we have information about
-  {%- for service_name, service_details in firewall.get('services', {}).items() %}
-    {% set block_nomatch = service_details.get('block_nomatch', False) %}
-    {% set interfaces = service_details.get('interfaces','') %}
-    {% set protos = service_details.get('protos',['tcp']) %}
-    {% if service_details.get('comment', False) %}
-      {% set comment = '- comment: ' + service_details.get('comment') %}
-    {% else %}
-      {% set comment = '' %}
-    {% endif %}
+  {%- for protocol in protocols %}
+    {%- for service_name, service_details in firewall.get('services' + sufixes[protocol], {}).items() %}
+      {% set block_nomatch = service_details.get('block_nomatch', False) %}
+      {% set interfaces = service_details.get('interfaces','') %}
+      {% set protos = service_details.get('protos',['tcp']) %}
+      {% if service_details.get('comment', False) %}
+        {% set comment = '- comment: ' + service_details.get('comment') %}
+      {% else %}
+        {% set comment = '' %}
+      {% endif %}
 
-    # Allow rules for ips/subnets
-    {%- for ip in service_details.get('ips_allow', ['0.0.0.0/0']) %}
-      {%- if interfaces == '' %}
-        {%- for proto in protos %}
-      iptables_{{service_name}}_allow_{{ip}}_{{proto}}:
+      # Allow rules for ips/subnets
+      {%- for ip in service_details.get('ips_allow', ['0.0.0.0/0']) %}
+        {%- if interfaces == '' %}
+          {%- for proto in protos %}
+      iptables_{{service_name}}_allow_{{ip}}_{{proto}}{{sufixes[protocol]}}:
         iptables.insert:
           - position: 1
           - table: filter
@@ -75,13 +97,16 @@
           - source: {{ ip }}
           - dport: {{ service_name }}
           - proto: {{ proto }}
+            {%- if protocol == ipv6 %}
+          - family: ipv6
+            {%- endif %}
           - save: True
           {{ comment }}
-        {%- endfor %}
-      {%- else %}
-        {%- for interface in interfaces %}
-          {%- for proto in protos %}
-      iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}:
+          {%- endfor %}
+        {%- else %}
+          {%- for interface in interfaces %}
+            {%- for proto in protos %}
+      iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}{{sufixes[protocol]}}:
         iptables.insert:
           - position: 1
           - table: filter
@@ -91,32 +116,38 @@
           - source: {{ ip }}
           - dport: {{ service_name }}
           - proto: {{ proto }}
+              {%- if protocol == ipv6 %}
+          - family: ipv6
+              {%- endif %}
           - save: True
           {{ comment }}
+            {%- endfor %}
           {%- endfor %}
-        {%- endfor %}
-      {%- endif %}
-    {%- endfor %}
+        {%- endif %}
+      {%- endfor %}
 
-    {%- if not strict_mode and global_block_nomatch or block_nomatch %}
-      # If strict mode is disabled we may want to block anything else
-      {%- if interfaces == '' %}
-        {%- for proto in protos %}
-      iptables_{{service_name}}_deny_other_{{proto}}:
+      {%- if not strict_mode and global_block_nomatch or block_nomatch %}
+        # If strict mode is disabled we may want to block anything else
+        {%- if interfaces == '' %}
+          {%- for proto in protos %}
+      iptables_{{service_name}}_deny_other_{{proto}}{{sufixes[protocol]}}:
         iptables.append:
           - position: last
           - table: filter
           - chain: INPUT
           - jump: REJECT
           - dport: {{ service_name }}
           - proto: {{ proto }}
+            {%- if protocol == ipv6 %}
+          - family: ipv6
+            {%- endif %}
           - save: True
           {{ comment }}
-        {%- endfor %}
-      {%- else %}
-        {%- for interface in interfaces %}
-          {%- for proto in protos %}
-      iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}:
+          {%- endfor %}
+        {%- else %}
+          {%- for interface in interfaces %}
+            {%- for proto in protos %}
+      iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}{{sufixes[protocol]}}:
         iptables.append:
           - position: last
           - table: filter
@@ -125,14 +156,18 @@
           - i: {{ interface }}
           - dport: {{ service_name }}
           - proto: {{ proto }}
+              {%- if protocol == ipv6 %}
+          - family: ipv6
+              {%- endif %}
           - save: True
           {{ comment }}
+            {%- endfor %}
           {%- endfor %}
-        {%- endfor %}
-      {%- endif %}
+        {%- endif %}
 
-    {%- endif %}
+      {%- endif %}
 
+    {%- endfor %}
   {%- endfor %}
 
   # Generate rules for NAT
@@ -153,15 +188,20 @@
   {%- endfor %}
 
   # Generate rules for whitelisting IP classes
-  {%- for service_name, service_details in firewall.get('whitelist', {}).items() %}
-    {%- for ip in service_details.get('ips_allow', []) %}
-      iptables_{{service_name}}_allow_{{ip}}:
-        iptables.append:
-           - table: filter
-           - chain: INPUT
-           - jump: ACCEPT
-           - source: {{ ip }}
-           - save: True
+  {%- for protocol in protocols %}
+    {%- for service_name, service_details in firewall.get('whitelist', {}).items() %}
+      {%- for ip in service_details.get('ips_allow', []) %}
+        iptables_{{service_name}}_allow_{{ip}}{{sufixes[protocol]}}:
+          iptables.append:
+            - table: filter
+            - chain: INPUT
+            - jump: ACCEPT
+            - source: {{ ip }}
+        {%- if protocol == ipv6 %}
+            - family: ipv6
+        {%- endif %}
+            - save: True
+      {%- endfor %}
     {%- endfor %}
   {%- endfor %}
 

pillar.example

@@ -2,6 +2,7 @@ firewall:
   install: True
   enabled: True
   strict: True
+  ipv6: True
   services:
     ssh:
       block_nomatch: True
@@ -22,12 +23,36 @@ firewall:
       interfaces:
         - eth0
 
+  services_ipv6:
+    ssh:
+      block_nomatch: False
+      ips_allow:
+        - 2a02:2028:773:d01:10a5:f34f:e7ff:f55b/64
+        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
+    http:
+      block_nomatch: False
+      protos:
+        - udp
+        - tcp
+    snmp:
+      block_nomatch: False
+      protos:
+        - udp
+        - tcp
+      interfaces:
+        - eth0
+
   whitelist:
     networks:
       ips_allow:
         - 10.0.0.0/8
 
-  #Suppport nat
+  whitelist_ipv6:
+    networks:
+      ips_allow:
+        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
+
+  #Support nat (ipv4 only)
   # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 10.20.0.2 -j MASQUERADE
   # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 172.31.0.2 -j MASQUERADE
   nat: