Iptables Rules – Managing Parallel Rules for IPv4 and IPv6 in Iptables

Tags: firewall, iptables, ipv6, linux

We've recently started experimenting with IPv6, and one of the first issues we're having to contend with is dealing with a completely separate set of firewall (Linux iptables/ip6tables) rules for the two protocol stacks. Our firewall logic is based largely around a number of purpose-specific networks (e.g., 10.0.0.0/24 is the staff workstation network, 10.1.0.0/24 is the database network, 10.2.0.0/24 is the web server network, etc.), and the logic for both IPv6 and IPv4 will be largely the same, modulo different network prefixes.

What are people doing to manage this sort of situation? Ideally I would like to be able to generate both iptables and ip6tables rulesets from the same source file(s). I have already thrown together something using bash, but it's not necessarily pretty and I suspect that a better solution must exist somewhere out there.

I would be particularly interested in a Puppet-based solution that makes good use of Puppet's own dependency mechanisms to implement relative ordering of rules (or groups of rules).

Best Answer

Firewall Builder has exactly what you need. You can create one rule set, mark it as "combined ipv4+ipv6" and place your IPv4 and IPv6 networks assigned to the same segment (such as "database network", etc.) in the same rule. The program then generates two separate iptables configurations, one for IPv4 and another for IPv6. This chapter of the User's Guide illustrates this, although it uses Cisco router access lists as an example. It works exactly the same for iptables.

http://www.fwbuilder.org/4.0/docs/users_guide5/combined-ipv4-ipv6-rule-set.html
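For anyone who wants the home-grown variant the question mentions rather than a GUI tool, here is an added example of generating both rulesets from one source in POSIX sh. It is not code from the question, the answer, or Firewall Builder. The segment names, the IPv6 prefixes (taken from the 2001:db8::/32 documentation range), the one-line rule format, the FORWARD-only scope and the output paths in the usage comment are all assumptions made for the example. The one family-specific detail it handles is the protocol name for ICMP, which is `icmp` under iptables but `icmpv6` under ip6tables; everything else differs only by prefix, which is exactly the situation described in the question.

```shell
#!/bin/sh
# genrules.sh: emit an iptables-restore or ip6tables-restore ruleset
# from a single, segment-based rule source.  Example code, not from
# the original post; all names, prefixes and paths are assumptions.

# Segment table (constructed): name, IPv4 prefix, IPv6 prefix.
SEGMENTS='
staff 10.0.0.0/24 2001:db8:0:0::/64
db    10.1.0.0/24 2001:db8:0:1::/64
web   10.2.0.0/24 2001:db8:0:2::/64
'

# Rule source (constructed), written once in terms of segments, not addresses:
#   target  source-segment  dest-segment  proto  dport ("-" = no port match)
# Rules are emitted in this order for both families, so relative ordering
# is identical in the v4 and v6 output.
RULES='
ACCEPT staff web   tcp  443
ACCEPT web   db    tcp  5432
ACCEPT staff db    tcp  22
ACCEPT staff web   icmp -
DROP   web   staff tcp  -
'

# prefix_for FAMILY SEGMENT: print the segment's prefix for family 4 or 6.
# Fails (exit 1) on an unknown segment so a typo cannot yield an empty -s/-d.
prefix_for() {
    fam=$1 seg=$2
    while read -r name v4 v6; do
        [ -n "$name" ] || continue
        if [ "$name" = "$seg" ]; then
            if [ "$fam" = 4 ]; then printf '%s\n' "$v4"; else printf '%s\n' "$v6"; fi
            return 0
        fi
    done <<EOF
$SEGMENTS
EOF
    echo "unknown segment: $seg" >&2
    return 1
}

# proto_for FAMILY PROTO: ICMP is the one protocol whose name differs
# between the two stacks (iptables: icmp, ip6tables: icmpv6).
proto_for() {
    if [ "$1" = 6 ] && [ "$2" = icmp ]; then echo icmpv6; else echo "$2"; fi
}

# emit_rules FAMILY: write a complete *filter table in iptables-restore
# syntax.  Only FORWARD is managed here; INPUT/OUTPUT are left open.
emit_rules() {
    fam=$1
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    while read -r target src dst proto dport; do
        [ -n "$target" ] || continue
        s=$(prefix_for "$fam" "$src") || return 1
        d=$(prefix_for "$fam" "$dst") || return 1
        p=$(proto_for "$fam" "$proto")
        rule="-A FORWARD -s $s -d $d -p $p"
        [ "$dport" = - ] || rule="$rule --dport $dport"
        printf '%s -j %s\n' "$rule" "$target"
    done <<EOF
$RULES
EOF
    printf 'COMMIT\n'
}

# Usage (assumed Debian iptables-persistent paths); --test parses the
# ruleset without committing it, so a broken file is caught before loading:
#   ./genrules.sh 4 > /etc/iptables/rules.v4 && iptables-restore --test < /etc/iptables/rules.v4
#   ./genrules.sh 6 > /etc/iptables/rules.v6 && ip6tables-restore --test < /etc/iptables/rules.v6
case "${1:-}" in
    4|6) emit_rules "$1" ;;
esac
```

Because the source only expresses differences at the address level, anything genuinely family-specific still needs a home of its own: an ip6tables ruleset with a DROP policy must still permit ICMPv6 (neighbour discovery on the host's own INPUT/OUTPUT chains, Packet Too Big for forwarded traffic) or IPv6 simply stops working, so a shared source in practice gets a per-family section alongside the combined rules.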