IPv6 support
rmoriz opened this issue
Hi,
looks like this cookbook and the included rebuild-iptables script do not work with IPv6, e.g. they do not call ip6tables-restore etc.
A simple solution would be:
Prefix all IPv4 rules with "-4", e.g.

```
-4 -A FWR -p udp --source 10.0.0.1/32 --dport 5432 -j ACCEPT
```

Prefix all IPv6 rules with "-6", e.g.

```
-6 -A FWR -p udp --source 2a03::1234/64 --dport 5432 -j ACCEPT
```
Debian: Modify https://github.com/opscode-cookbooks/iptables/blob/master/templates/default/rebuild-iptables.erb#L63 to feed the result to both /sbin/iptables-restore and /sbin/ip6tables-restore.

RHEL: Modify https://github.com/opscode-cookbooks/iptables/blob/master/templates/default/rebuild-iptables.erb#L55 to write all records both to /etc/sysconfig/ip6tables and /etc/sysconfig/iptables.
(not sure about restarting service)
However, this will break all existing rules that don't have "-4" or "-6" in them. Automatically prefixing with "-4" by default might break existing rules that don't have an IP address in them for IPv6.
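One way the "-4" / "-6" prefix convention proposed above could be applied when rebuilding, as an added example that is not part of the iptables cookbook or its rebuild-iptables script: fragments are sorted into an IPv4 and an IPv6 restore input, and unprefixed lines are reported rather than silently defaulted to "-4". The rule fragments and the FWR chain name are constructed sample input.

```ruby
# Added example, not the cookbook's own code. Sort iptables rule fragments
# into IPv4 and IPv6 sets by their "-4" / "-6" prefix, stripping the prefix
# so iptables-restore / ip6tables-restore accept the remaining rule text.
# Lines with neither prefix are collected separately instead of being
# defaulted to IPv4, which is the breakage the post warns about.
def split_rules(fragment_text)
  sets = { v4: [], v6: [], unclassified: [] }
  fragment_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\A-4\s+(.*)\z/ then sets[:v4] << Regexp.last_match(1)
    when /\A-6\s+(.*)\z/ then sets[:v6] << Regexp.last_match(1)
    else sets[:unclassified] << line
    end
  end
  sets
end

# Wrap a rule list in the *filter table block that iptables-restore and
# ip6tables-restore expect. Custom chains referenced by the rules must be
# declared before use; built-in chain policies are left untouched.
def restore_input(rules, chains: %w[FWR])
  out = ['*filter']
  chains.each { |c| out << ":#{c} - [0:0]" }
  out.concat(rules)
  out << 'COMMIT'
  out.join("\n") + "\n"
end

# Constructed sample: the two prefixed rules from the post plus one
# unprefixed rule that should be flagged.
SAMPLE_FRAGMENTS = <<~RULES
  # constructed sample fragments
  -4 -A FWR -p udp --source 10.0.0.1/32 --dport 5432 -j ACCEPT
  -6 -A FWR -p udp --source 2a03::1234/64 --dport 5432 -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
RULES

if $PROGRAM_NAME == __FILE__
  sets = split_rules(SAMPLE_FRAGMENTS)
  unless sets[:unclassified].empty?
    warn "rules without -4/-6 prefix, not loaded: #{sets[:unclassified].inspect}"
  end
  # In a rebuild script these two strings would be piped to
  # /sbin/iptables-restore and /sbin/ip6tables-restore respectively.
  puts restore_input(sets[:v4])
  puts restore_input(sets[:v6])
end
```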
I too would like IPv6 support, but I don't like the idea of calling iptables_rule and not knowing if that rule is for v4 or v6. How about adding a new LWRP ip6tables_rule that puts the fragments in /etc/ip6tables.d/ and then also creating a rebuild-ip6tables? It's a little more duplicative, but much more explicit and allows me to have completely different rule sets for both. As a side effect, if a given rule uses the same syntax for both v4 and v6, you could use the same template for both LWRP calls. Example:
ssh.erb:

```
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
```

In recipe:

```ruby
iptables_rule 'ssh' do
  action :enable
end

ip6tables_rule 'ssh' do
  action :enable
end
```
I've abandoned this approach in favour of the firewalld-cookbook, see also sjsadowski/firewalld-cookbook#10.
I think dealing with custom "snippets management" and shell scripts just to build an iptables setup is amateurish and will break anytime. firewalld works on all distros and has a sane interface. Other, future-positive frameworks also support it, e.g. http://docs.ansible.com/firewalld_module.html
SHIPPED!