initial upload

roles/firewall/templates/rules-v6.d/10_conntrack.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow established connections
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

roles/firewall/templates/rules-v6.d/15_local.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow all traffic from localhost
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT

roles/firewall/templates/rules-v6.d/18_internal.sh.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+{% if datacenter_global_networks is defined %}
+ip6tables -N internal-in
+ip6tables -A INPUT -s fe80::/10 -j internal-in
+ip6tables -A INPUT -s fc00::/7 -j internal-in
+{% for net in datacenter_public_ipv6_networks|default([]) %}
+ip6tables -A INPUT -s {{ net }} -j internal-in
+{% endfor %}
+
+ip6tables -N internal-out
+ip6tables -A internal-out -p tcp -m multiport --dports 53,80,443,3306:3310 -m comment --comment "common-services" -j ACCEPT
+ip6tables -A internal-out -p udp -m multiport --dports 53,123 -m comment --comment "common-services" -j ACCEPT
+ip6tables -A internal-out -p icmpv6 -j ACCEPT
+
+ip6tables -A OUTPUT -d fe80::/10 -j internal-out
+ip6tables -A OUTPUT -d fc00::/7 -j internal-out
+{% for net in datacenter_public_ipv6_networks|default([]) %}
+ip6tables -A OUTPUT -d {{ net }} -j internal-out
+{% endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/20_whitelist.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_whitelist_ipv6 %}
+# Whitelist IPs
+{%   for ip in firewall_whitelist_ipv6 %}
+ip6tables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/50_custom.sh.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ firewall_custom_ipv6_rules }}

roles/firewall/templates/rules-v6.d/85_whitelist.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_late_whitelist_ipv6 %}
+# Whitelist IPs
+{%   for ip in firewall_late_whitelist_ipv6 %}
+ip6tables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/90_allow_outbound.sh.j2

@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+
+{% if firewall_output_default_drop or firewall_output_whitelist_ipv6 %}
+{%   for ip in network_nameservers if ip|ipv6 %}
+{%     if loop.first %}
+# Allow DNS
+{%     endif %}
+ip6tables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
+ip6tables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
+{%   endfor %}
+
+if getent group postfix >/dev/null 2>&1; then
+	# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
+	ip6tables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
+fi
+
+{%   if not firewall_output_learning %}
+# Permit outbound HTTP for user _apt
+ip6tables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
+
+# Permit outbound SSH for normal users
+ip6tables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
+
+# Allow all outbound traffic for the root user
+ip6tables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
+{%   endif %}
+
+{%   for ip in datacenter_all_ipv6_networks|default([]) %}
+ip6tables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
+{%   endfor %}
+
+{%   if firewall_output_whitelist_domains %}
+# Outbound ACL for whitelist
+if [ -r /etc/firewall/outbound_whitelist_ipv6.acl ]; then
+
+	ipset -exist create outbound-whitelist hash:net family inet6 counters comment
+	ipset flush outbound-whitelist
+	grep -v '^#' /etc/firewall/outbound_whitelist_ipv6.acl | while read ip name; do
+		ipset -exist add outbound-whitelist "$ip" comment "$name"
+	done < /etc/firewall/outbound_whitelist_ipv6.acl
+
+#	ip6tables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
+fi
+{%   endif %}
+
+{%   if firewall_output_whitelist_ipv6 %}
+# Outbound ACL for whitelist
+ip6tables -N outbound-whitelist
+{%     for item in firewall_output_whitelist_ipv6 %}
+ip6tables -A OUTPUT -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
+{%     endfor %}
+ip6tables -A OUTPUT -j outbound-whitelist
+{%   endif %}
+
+{%   if firewall_output_learning %}
+
+ipset -exist create outbound-ipv6 hash:ip family inet6 netmask 64 counters
+
+ip6tables -A OUTPUT -p tcp --syn -m set --match-set outbound-ipv6 dst -j ACCEPT
+ip6tables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
+
+ip6tables -A OUTPUT -p tcp --syn -j SET --add-set outbound-ipv6 dst
+ip6tables -A OUTPUT -p udp -j SET --add-set outbound-ipv6 dst
+
+ip6tables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
+
+{%   endif %}
+
+{% endif %}

roles/firewall/templates/rules-v6.d/90_drop_all.sh.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+{% if firewall_input_default_drop %}
+# Allow ICMP
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
+# Drop everything else
+ip6tables -A INPUT -m pkttype --pkt-type broadcast -j DROP
+ip6tables -A INPUT -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} INPUT DROP: " --log-level 5
+ip6tables -A INPUT -j DROP
+{% endif %}
+
+{% if firewall_output_default_drop %}
+# Allow ICMP
+ip6tables -A OUTPUT -p icmpv6 ! --icmpv6-type echo-request -j ACCEPT
+
+# Drop everything else
+ip6tables -A OUTPUT -p tcp --syn -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+ip6tables -A OUTPUT ! -p tcp -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+ip6tables -A OUTPUT -j REJECT
+{% endif %}