Prepare for internal IPv6 support

profile/manifests/base/firewall.pp

@@ -12,7 +12,7 @@ class profile::base::firewall (
     purge => $purge,
   }
 
-  # Default rules
+  # Default rules IPv4
   firewall { '000 accept all icmp':
     proto  => 'icmp',
     action => 'accept',
@@ -33,4 +33,30 @@ class profile::base::firewall (
     state  => ['RELATED', 'ESTABLISHED'],
     action => 'accept',
   }
+
+  # Default rules IPv6
+  firewall { '000 accept all icmp v6':
+    proto    => 'icmp',
+    action   => 'accept',
+    provider => 'ip6tables',
+  }
+  -> firewall { '001 accept all to lo interface v6':
+    proto    => 'all',
+    iniface  => 'lo',
+    action   => 'accept',
+    provider => 'ip6tables',
+  }
+  -> firewall { '002 reject local traffic not on loopback interface v6':
+    iniface     => '! lo',
+    proto       => 'all',
+    destination => '::1/128',
+    action      => 'reject',
+    provider    => 'ip6tables',
+  }
+  -> firewall { '003 accept related established rules v6':
+    proto    => 'all',
+    state    => ['RELATED', 'ESTABLISHED'],
+    action   => 'accept',
+    provider => 'ip6tables',
+  }
 }

profile/manifests/lydia/outbound_mail_firewall.pp

@@ -3,48 +3,39 @@
 # Configure firewall rules to prevent abuse of outbound mail
 #
 
-class profile::lydia::outbound_mail_firewall(
+class profile::lydia::outbound_mail_firewall (
   Array  $dports   = [25, 465, 587],
   String $localnet = '10.0.1.0/24',
 ) {
   include firewall
 
-  firewall { '010 Accept from self':
-    chain       => 'OUTPUT',
-    action      => 'accept',
-    proto       => 'tcp',
-    dport       => $dports,
-    destination => $localnet,
-  }
-
-  firewall { '011 Accept over loopback':
-    chain    => 'OUTPUT',
-    action   => 'accept',
-    proto    => 'tcp',
-    dport    => $dports,
-    outiface => 'lo',
-  }
-
-  firewall { '012 Accept for postfix':
-    chain  => 'OUTPUT',
-    action => 'accept',
-    proto  => 'tcp',
-    dport  => $dports,
-    gid    => 115,
-  }
-
-  firewall { '013 Accept for power-users':
-    chain  => 'OUTPUT',
-    action => 'accept',
-    proto  => 'tcp',
-    dport  => $dports,
-    gid    => 1420,
-  }
-
-  firewall { '020 Drop for everything else':
-    chain  => 'OUTPUT',
-    action => 'drop',
-    proto  => 'tcp',
-    dport  => $dports,
+  firewall {
+    default:
+      chain  => 'OUTPUT',
+      action => 'accept',
+      proto  => 'tcp',
+      dport  => $dports;
+    '010 Accept from self':
+      destination => $localnet;
+    '011 Accept over loopback':
+      outiface => 'lo';
+    '011 Accept over loopback v6':
+      outiface => 'lo',
+      provider => 'ip6tables';
+    '012 Accept for postfix':
+      gid => 115;
+    '012 Accept for postfix v6':
+      gid      => 115,
+      provider => 'ip6tables';
+    '013 Accept for power-users':
+      gid => 1420;
+    '013 Accept for power-users v6':
+      gid      => 1420,
+      provider => 'ip6tables';
+    '020 Drop for everything else':
+      action => 'drop';
+    '020 Drop for everything else v6':
+      action => 'drop',
+      provider => 'ip6tables';
   }
 }

profile/manifests/radvdserver.pp

+# Class: profile::radvdserver
+#
+#
+
+class profile::radvdserver (
+  String $interface = 'eth0'
+) {
+  # Install package
+  package { 'radvd':
+    ensure => installed,
+  }
+
+  # Make sure DHCP daemon is running
+  service { 'radvd':
+    ensure     => running,
+    enable     => true,
+    hasrestart => true,
+    hasstatus  => true,
+    require    => Package['radvd'],
+  }
+
+  # Manage config
+  file { '/etc/radvd.conf':
+    ensure  => file,
+    content => template('profile/radvd.conf.erb'),
+    notify  => Service['radvd'],
+  }
+}

profile/manifests/router.pp

@@ -2,12 +2,12 @@
 #
 
 class profile::router (
-  String $lan       = 'eth0',
-  String $wan       = 'eth1',
-  Array  $rslv_ips  = ['9.9.9.9', '208.67.222.222', '208.67.220.220'],
-  Array  $rslv_dom  = ['insomnia247.nl'],
-  Hash   $forwards  = {},
-  Array  $tr_blocks = [],
+  String  $lan       = 'eth0',
+  String  $wan       = 'eth1',
+  Array   $rslv_ips  = ['9.9.9.9', '208.67.222.222', '208.67.220.220'],
+  Array   $rslv_dom  = ['insomnia247.nl'],
+  Hash    $forwards  = {},
+  Array   $tr_blocks = [],
 ){
   include profile::base::packages
   include profile::base::snmpclient
@@ -25,34 +25,48 @@ class profile::router (
       value => '1';
     'net.netfilter.nf_conntrack_generic_timeout':
       value => '120';
+    'net.ipv6.conf.all.forwarding':
+      value => '1';
   }
 
   # NAT for wan
-  firewall { '100 nat to wan':
-    chain    => 'POSTROUTING',
-    jump     => 'MASQUERADE',
-    proto    => 'all',
-    outiface => $wan,
-    table    => 'nat',
+  firewall {
+    default:
+      chain    => 'POSTROUTING',
+      jump     => 'MASQUERADE',
+      proto    => 'all',
+      outiface => $wan,
+      table    => 'nat';
+    '100 nat to wan':;
+    '100 nat to wan v6':
+      provider => 'ip6tables';
   }
 
   # forward packets along established/related connections
   # -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  firewall { '101 forward related and established':
-    chain   => 'FORWARD',
-    ctstate => ['RELATED', 'ESTABLISHED'],
-    proto   => 'all',
-    action  => 'accept',
+  firewall {
+    default:
+      chain   => 'FORWARD',
+      ctstate => ['RELATED', 'ESTABLISHED'],
+      proto   => 'all',
+      action  => 'accept';
+    '101 forward related and established':;
+    '101 forward related and established v6':
+      provider => 'ip6tables';
   }
 
   # forward from LAN (p1p1) to WAN (p4p1)
   # -A FORWARD -i p1p1 -o p4p1 -j ACCEPT
-  -> firewall { '102 forward from LAN to WAN':
-    chain    => 'FORWARD',
-    proto    => 'all',
-    iniface  => $lan,
-    outiface => $wan,
-    action   => 'accept',
+  -> firewall {
+    default:
+      chain    => 'FORWARD',
+      proto    => 'all',
+      iniface  => $lan,
+      outiface => $wan,
+      action   => 'accept';
+    '102 forward from LAN to WAN':;
+    '102 forward from LAN to WAN v6':
+      provider => 'ip6tables';
   }
 
   # Port forwarding rules

profile/templates/radvd.conf.erb

+interface <%= @interface %>
+{
+  AdvSendAdvert on;
+  prefix fd5d:12c9:4201:1::1/64 {
+    AdvOnLink on;
+    AdvAutonomous on;
+  };
+  #Send DNS Server setting
+  RDNSS fd5d:12c9:4201:1::1{
+  };
+};

role/manifests/router.pp

@@ -5,5 +5,6 @@ class role::router inherits role::base {
   include profile::base::firewall
   include profile::dhcpserver
   include profile::dnsserver
+  include profile::radvdserver
   include profile::router
 }