From cb18e8c3a29839668a33add9d8aea9ffccd6a401 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Fri, 9 Dec 2016 09:27:32 -0600
Subject: [PATCH] PR #21 follow-up: Add firewall_ip6_additional_rules variable.
---
 README.md | 5 +--
 defaults/main.yml | 1 +
 templates/firewall.bash.j2 | 68 +++++++++++++++++++-------------------
 3 files changed, 38 insertions(+), 36 deletions(-)
diff --git a/README.md b/README.md
index 71da69c..80c86b5 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall)
-Installs a simple iptables-based firewall for RHEL/CentOS or Debian/Ubunty systems.
+Installs a simple iptables-based firewall for RHEL/CentOS or Debian/Ubuntu systems. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).
 This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.
@@ -32,8 +32,9 @@ A list of TCP or UDP ports (respectively) to open to incoming traffic.
 Forward `src` port to `dest` port, either TCP or UDP (respectively).
 firewall_additional_rules: []
+ firewall_ip6_additional_rules: []
-Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`). A few examples of how this could be used:
+Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used:
 # Allow only the IP 167.89.89.18 to access port 4949 (Munin).
 firewall_additional_rules:
diff --git a/defaults/main.yml b/defaults/main.yml
index e208458..103dacd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,4 +8,5 @@ firewall_allowed_udp_ports: []
 firewall_forwarded_tcp_ports: []
 firewall_forwarded_udp_ports: []
 firewall_additional_rules: []
+firewall_ip6_additional_rules: []
 firewall_log_dropped_packets: true
diff --git a/templates/firewall.bash.j2 b/templates/firewall.bash.j2
index ea96acf..df9021e 100755
--- a/templates/firewall.bash.j2
+++ b/templates/firewall.bash.j2
@@ -88,49 +88,49 @@ iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "
 iptables -A INPUT -j DROP
-### IPv6 support
+# Configure IPv6 if ip6tables is present.
 if [ -x $(which ip6tables) ]; then
- # Remove all rules and chains.
- ip6tables -F
- ip6tables -X
+ # Remove all rules and chains.
+ ip6tables -F
+ ip6tables -X
- # Accept traffic from loopback interface (localhost).
- ip6tables -A INPUT -i lo -j ACCEPT
+ # Accept traffic from loopback interface (localhost).
+ ip6tables -A INPUT -i lo -j ACCEPT
- # Open ports.
- {# Add a rule for each open port #}
- {% for port in firewall_allowed_tcp_ports %}
- ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
- {% endfor %}
- {% for port in firewall_allowed_udp_ports %}
- ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
- {% endfor %}
+ # Open ports.
+ {# Add a rule for each open port #}
+ {% for port in firewall_allowed_tcp_ports %}
+ ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+ {% endfor %}
+ {% for port in firewall_allowed_udp_ports %}
+ ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+ {% endfor %}
- # Accept icmp ping requests.
- ip6tables -A INPUT -p icmp -j ACCEPT
+ # Accept icmp ping requests.
+ ip6tables -A INPUT -p icmp -j ACCEPT
- # Allow NTP traffic for time synchronization.
- ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
- ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
+ # Allow NTP traffic for time synchronization.
+ ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
+ ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
- # Additional custom rules.
- {% for rule in firewall_additional_rules %}
- {{ rule }}
- {% endfor %}
+ # Additional custom rules.
+ {% for rule in firewall_ip6_additional_rules %}
+ {{ rule }}
+ {% endfor %}
- # Allow established connections:
- ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ # Allow established connections:
+ ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Log EVERYTHING (ONLY for Debug).
- # ip6tables -A INPUT -j LOG
+ # Log EVERYTHING (ONLY for Debug).
+ # ip6tables -A INPUT -j LOG
- {% if firewall_log_dropped_packets %}
- # Log other incoming requests (all of which are dropped) at 15/minute max.
- ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
- {% endif %}
+ {% if firewall_log_dropped_packets %}
+ # Log other incoming requests (all of which are dropped) at 15/minute max.
+ ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+ {% endif %}
- # Drop all other traffic.
- ip6tables -A INPUT -j DROP
+ # Drop all other traffic.
+ ip6tables -A INPUT -j DROP
-fi
\ No newline at end of file
+fi
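Review bot: The IPv6 ICMP rule kept on the new side, `ip6tables -A INPUT -p icmp -j ACCEPT`, names protocol number 1 (IPv4 ICMP) rather than ICMPv6 (58), so as far as I can tell the "Accept icmp ping requests" comment is not honored and the final `ip6tables -A INPUT -j DROP` in this hunk also discards the Neighbor Discovery and Path MTU Discovery messages an IPv6 host needs to stay reachable; it should read `ip6tables -A INPUT -p icmpv6 -j ACCEPT`. The new comment `# Configure IPv6 if ip6tables is present.` describes a guard that the unchanged `if [ -x $(which ip6tables) ]; then` does not provide: when `which` prints nothing the unquoted expansion disappears, `[ -x ]` is a one-operand test that evaluates true, and the whole block runs on hosts without ip6tables. `if command -v ip6tables >/dev/null 2>&1; then` tests what the comment says. It is also worth stating in the README entry for `firewall_ip6_additional_rules` that, like the IPv4 list, these rules are inserted before the ESTABLISHED,RELATED accept and the final DROP, since that ordering determines what a custom rule can and cannot do.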