chef-cookbooks / iptables

Development repository for Chef Cookbook iptables

Home Page: https://supermarket.chef.io/cookbooks/iptables


IPv6 support

rmoriz opened this issue · comments

Hi,

Looks like this cookbook and the included rebuild-iptables script do not work with IPv6, e.g. it does not call ip6tables-restore etc.

A simple solution would be:

Prefix all IPv4 rules with "-4", e.g.
-4 -A FWR -p udp --source 10.0.0.1/32 --dport 5432 -j ACCEPT

Prefix all IPv6 rules with "-6", e.g.
-6 -A FWR -p udp --source 2a03::1234/64 --dport 5432 -j ACCEPT

Debian:
Modify https://github.com/opscode-cookbooks/iptables/blob/master/templates/default/rebuild-iptables.erb#L63 to feed the result to both /sbin/iptables-restore and /sbin/ip6tables-restore.

RHEL:
Modify https://github.com/opscode-cookbooks/iptables/blob/master/templates/default/rebuild-iptables.erb#L55 to write all records both to /etc/sysconfig/ip6tables and /etc/sysconfig/iptables.

(not sure about restarting service)

However, this will break all existing rules that don't have "-4" or "-6" in them. Automatically prefixing with "-4" by default might break existing rules that don't have an IP address in them for IPv6.
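The "-4"/"-6" split proposed above, as an added example that is not code from the cookbook or from the commenter: iptables-restore silently ignores lines flagged -6 and ip6tables-restore ignores lines flagged -4, so prefixed rules can be fed to both tools unchanged, but an unprefixed rule that carries an IPv4 address will fail under ip6tables-restore. The script below therefore separates the families itself and counts the unprefixed (legacy) rules so a rebuild can warn about them; the FWR chain and the file paths are assumed.

```shell
#!/bin/sh
# Added example (not the cookbook's rebuild-iptables): split rule fragments
# into separate IPv4 and IPv6 restore inputs by their "-4"/"-6" prefix.
# Unprefixed rules, the legacy case raised in the issue, go to both
# families and are counted so the operator can see them.

# Emit the rules for one family ("4" or "6") from fragment text on stdin,
# with the family prefix stripped so each line is plain restore syntax.
rules_for_family() {
    prefix="-$1 "
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;                                   # blank or comment
            "$prefix"*) printf '%s\n' "${line#"$prefix"}" ;;
            '-4 '*|'-6 '*) ;;                             # other family
            *) printf '%s\n' "$line" ;;                   # unprefixed: both
        esac
    done
}

# Count unprefixed rules so the rebuild can warn before applying them.
count_unprefixed() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'-4 '*|'-6 '*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Wrap one family's rules in the *filter/COMMIT block the restore tools expect.
build_restore_input() {
    printf '*filter\n'
    rules_for_family "$1"
    printf 'COMMIT\n'
}

# Constructed sample fragments (the FWR chain is assumed to exist already).
SAMPLE_RULES='-4 -A FWR -p udp --source 10.0.0.1/32 --dport 5432 -j ACCEPT
-6 -A FWR -p udp --source 2a03::1234/64 --dport 5432 -j ACCEPT
# ssh fragment without a family prefix: applies to both families
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Usage on Debian, after checking count_unprefixed (paths assumed):
#   printf '%s\n' "$SAMPLE_RULES" | build_restore_input 4 | /sbin/iptables-restore
#   printf '%s\n' "$SAMPLE_RULES" | build_restore_input 6 | /sbin/ip6tables-restore
```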

I too would like IPv6 support, but I don't like the idea of calling iptables_rule and not knowing if that rule is for v4 or v6. How about adding a new LWRP ip6tables_rule that puts the fragments in /etc/ip6tables.d/ and then also creating a rebuild-ip6tables? It's a little more duplicative, but much more explicit and allows me to have completely different rule sets for both. As a side effect, if a given rule uses the same syntax for both v4 and v6, you could use the same template for both LWRP calls. Example:

ssh.erb:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

In recipe:

iptables_rule 'ssh' do
  action :enable
end

ip6tables_rule 'ssh' do
  action :enable
end

I've abandoned this approach in favour of the firewalld-cookbook, see also sjsadowski/firewalld-cookbook#10.

I think dealing with custom "snippets management" and shell scripts just to build an iptables setup is amateurish and will break anytime. firewalld works on all distros and has a sane interface. Other, future-positive frameworks also support it, e.g. http://docs.ansible.com/firewalld_module.html

SHIPPED!