12

We've recently started experimenting with IPv6, and one of the first issues we're having to contend with is dealing with a completely separate set of firewall (Linux iptables/ip6ables) rules for the two protocol stacks. Our firewall logic is based largely around a number of purpose-specific networks (e.g., 10.0.0.0/24 is the staff workstation network, 10.1.0.0/24 is the database network, 10.2.0.0/24 is the web server network, etc), and the logic for both IPv6 and IPv4 will be largely the same, modulo different network prefixes.

What are people doing do manage this sort of situation? Ideally I would like to be able to generate both iptables and ip6table rulesets from the same source file(s). I have already thrown together something using bash, but it's not necessarily pretty and I suspect that a better solution must exist somewhere out there.

I would be particularly interested in a Puppet-based solution that makes good use of Puppet's own dependency mechanisms to implement relative ordering of rules (or groups of rules).

larsks
  • 43,623
  • 14
  • 121
  • 180

5 Answers5

5

Firewall Builder has exactly what you need. You can create one rule set, mark it as "combined ipv4+ipv6" and place your ipv4 and ipv6 networks assigned to the same segment (such as "database network" etC) in the same rule. The program then generates two separate iptables configurations one for ipv4 and another for ipv6. This chapter of the Users Guide illustrates this, although it uses Cisco routers access lists as an example. It works exactly the same for iptables.

http://www.fwbuilder.org/4.0/docs/users_guide5/combined-ipv4-ipv6-rule-set.html

vadimk
  • 336
  • 2
  • 3
4

I was also recently confronted with creating iptables-rules for both, IPv4 and IPv6. After some searching I ended up using the IPv6 FireHOL branch by Phil Whineray.

FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions). (Source: FireHOL website)

Unfortunately the official version lacks support for IPv6. But Phil Whineray has added support in an unoffical branch.

Some examples on how the configuration looks like:

# allowing outgoing http and https requests for ipv4 and ipv6 (default setting when nothing is specified):
client "http https" accept

# allow incoming ssh only on ipv4
ipv4 server ssh accept

# allow incoming IMAP requests only for ipv6
ipv6 server imap accept

You can checkout this firehol branch at:

git clone git://repo.or.cz/fireholvi.git

Additional documentation can be found at the official FireHOL documentation or at the additional Readme about IPv6.

Personally I probably would be cautious when using it on a production machine where having a 100% reliable firewall is important. But it's worth a look nevertheless.

bb-generation
  • 163
  • 1
  • 5
3

In the interest of continued evangelism of the cause, I suggest leveraging Puppet to do your lifting. There isn't presently a good script for handling iptables 4 and 6 rules, but it wouldn't be too much of a challenge to write one either once you adjust to the language.

Mediawiki's public git repository is a fantastic mine of configuration patterns and includes an iptables class that will provide a good base to start with. You could edit it to apply rules to both stacks at once by default and have a flags for different rules when you're basing things on IPv4 or IPv6 rules.

The ultimate bonus at the end of this is that the firewall rules for a service can be written into the service definition and automatically deployed and removed when a service is deployed or removed.

Jeff Ferland
  • 20,547
  • 2
  • 62
  • 85
  • I'll take a look. I have been generally unimpressed thus far with the typical Puppet-based solutions for managing iptables. In particular, they all seem to implement ordering explicitly, either through filenames of fragment files or through explicit indexes provided in Puppet rules, rather than using Puppet's dependency resolution mechanisms, which is what I really want. If the solution linked here avoid these problems I'm all for it. – larsks Jan 30 '12 at 17:14
  • @larsks I agree and have been similarly frustrated that a good generic solution hasn't been released... but maybe it's time I just did it myself. Puppet will allow using the `before => Resource['declared_name']` on any definition, so you can order them using an implementation that doesn't try to order things with fragments. A good use of Augueas for structure would also prevent this issue -- make your top tree comments and your ordering below that as you wish. – Jeff Ferland Jan 30 '12 at 17:22
  • My own attempts at solving this haven't gotten very far. What I've done for now is (a) install fragments into a subdirectory and then (b) use [rcorder](http://www.daemon-systems.org/man/rcorder.8.html) to put them into dependency order. It works, but since it's based exclusively on managing fragment files it doesn't lend itself to a mixed ipv4/ipv6 environment. I haven't really looked closely at using Augeas to help solve the problem. I'd be curious if you have any prototype code out there. – larsks Jan 30 '12 at 18:11
2

Answering my own question here, but I thought this information might be of general interest:

While looking into this question I stumbled across ufw (Uncomplicated FireWall) from the Ubuntu folks. With IPV6 enabled in the ufw configuration, ufw will manage iptables and ip6tables rules in parallel. This means you can do something like this:

# ufw allow ssh/tcp

And end up with:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)

Which results in iptables/ip6tables rules that look like this:

# iptables-save | grep 'dport 22'
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
# ip6tables-save | grep 'dport 22'
-A ufw6-user-input -p tcp -m tcp --dport 22 -j ACCEPT

Ufw also supports application profiles, which allow you to create named groups of ports. You can do this:

# ufw allow 'WWW Full'

And end up opening both ports 80 and 443 (for both IPv4 and IPv6).

I've only just started looking at it, but it seems to be fairly well put together.

larsks
  • 43,623
  • 14
  • 121
  • 180
0

Since it is still missing from the list: Shorewall is a widely-adopted and regularly updated feature-rich packet filter configuration tool. It had IPv6 support for a while now.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • 1
    My understand is that "shorewall" is ipv4 only and "shorewall6" is ipv6 only, anod one must use both in order to cover both protocols. Can they share a common configuration? – larsks Jan 30 '12 at 17:43