From a8f45005670ae278ae8f5af9e1136aa85cfa9911 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 25 May 2015 18:16:58 +0300
Subject: [PATCH] Add IPv6 support to firewall tasks / template

Signed-off-by: Alan Orth
---
 roles/common/tasks/iptables_Debian.yml | 5 +++++
 roles/common/templates/ip6tables.j2 | 22 ++++++++++++++++++++++
 vars/ipsets.yml | 2 +-
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 roles/common/templates/ip6tables.j2

diff --git a/roles/common/tasks/iptables_Debian.yml b/roles/common/tasks/iptables_Debian.yml
index 186bf67..e3aaa14 100644
--- a/roles/common/tasks/iptables_Debian.yml
+++ b/roles/common/tasks/iptables_Debian.yml
@@ -6,3 +6,8 @@
   template: src=iptables.j2 dest=/etc/iptables/rules.v4 owner=root mode=0600
   notify:
     - restart iptables-persistent
+
+- name: Copy /etc/iptables/rules.v6
+  template: src=ip6tables.j2 dest=/etc/iptables/rules.v6 owner=root group=root mode=0600
+  notify:
+    - restart iptables-persistent
diff --git a/roles/common/templates/ip6tables.j2 b/roles/common/templates/ip6tables.j2
new file mode 100644
index 0000000..16db6b8
--- /dev/null
+++ b/roles/common/templates/ip6tables.j2
@@ -0,0 +1,22 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s ::/0 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -s ::/0 -j ACCEPT
+
+{% if extra_iptables_rules is defined %}
+{% for rule in extra_iptables_rules %}
+{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+-A INPUT -p {{ rule.protocol }} -m state --state NEW -m {{ rule.protocol }} --dport {{ rule.port }} -s {{ ghetto_ipsets[rule.acl].ipv6src }} -j ACCEPT
+{% endif %}
+{% endfor %}
+{% endif %}
+
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
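Review bot: The new `Copy /etc/iptables/rules.v6` task installs the rendered ruleset without checking that it parses, so a template or variable error is only discovered when the `restart iptables-persistent` handler fires, and the handler's failure mode for a bad rules.v6 is not visible in this hunk. The template module's `validate` option lets the file be rejected before it replaces the live one, e.g. `template: src=ip6tables.j2 dest=/etc/iptables/rules.v6 owner=root group=root mode=0600 validate='ip6tables-restore --test %s'`, where the installed ip6tables-restore supports `--test`. The same applies to the rules.v4 task shown in the context lines, which additionally lacks the `group=root` the new task sets; aligning the two would keep the ownership of both rule files explicit. Whether the iptables-persistent handler also reloads rules.v6 on the targeted Debian release cannot be confirmed from this diff and is worth checking once.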
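Review bot: The template carries no comments on its two least obvious lines: `-A INPUT -p ipv6-icmp -j ACCEPT` admits all ICMPv6 ahead of the per-port rules, and the `{% if ghetto_ipsets[rule.acl].ipv6src is defined %}` guard silently emits no IPv6 rule for any `extra_iptables_rules` entry whose ipset defines only an IPv4 `src`, leaving that service closed over IPv6 by the trailing REJECT. A Jinja comment on each, such as `{# ICMPv6 is accepted wholesale because neighbour discovery and path-MTU discovery depend on it; narrow with --icmpv6-type if a tighter policy is wanted #}` and `{# ACLs without an ipv6src produce no v6 rule, so the service stays closed over IPv6 by default #}`, would make that intent visible to the next editor. As a point of style, `-m state --state` is the legacy match and `-m conntrack --ctstate` is the current equivalent, but changing it only here would diverge from the rules.v4 template if that one still uses the state match, so either both should move or neither.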
diff --git a/vars/ipsets.yml b/vars/ipsets.yml
index 4334999..dd960f2 100644
--- a/vars/ipsets.yml
+++ b/vars/ipsets.yml
@@ -1,6 +1,6 @@
 ---
 ghetto_ipsets:
-  public: { src: '0.0.0.0/0' }
+  public: { src: '0.0.0.0/0', ipv6src: '::/0' }
 # vim: set ts=2 sw=2: