Managing parallel rules for ipv4 and ipv6 iptables?

Firewall Builder has exactly what you need. You can create one rule set, mark it as "combined ipv4+ipv6" and place your ipv4 and ipv6 networks assigned to the same segment (such as "database network" etc.) in the same rule. The program then generates two separate iptables configurations, one for ipv4 and another for ipv6. This chapter of the User's Guide illustrates this, although it uses Cisco router access lists as an example. It works exactly the same for iptables.

http://www.fwbuilder.org/4.0/docs/users_guide5/combined-ipv4-ipv6-rule-set.html


I was also recently confronted with creating iptables rules for both IPv4 and IPv6. After some searching I ended up using the IPv6 FireHOL branch by Phil Whineray.

FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions). (Source: FireHOL website)

Unfortunately the official version lacks support for IPv6. But Phil Whineray has added support in an unofficial branch.

Some examples of how the configuration looks:

# allowing outgoing http and https requests for ipv4 and ipv6 (default setting when nothing is specified):
client "http https" accept

# allow incoming ssh only on ipv4
ipv4 server ssh accept

# allow incoming IMAP requests only for ipv6
ipv6 server imap accept

You can check out this firehol branch at:

git clone git://repo.or.cz/fireholvi.git

Additional documentation can be found in the official FireHOL documentation or in the additional Readme about IPv6.

Personally, I would probably be cautious when using it on a production machine where having a 100% reliable firewall is important. But it's worth a look nevertheless.