From ab6a5470e1de256fce2e07882133b231be8c3db3 Mon Sep 17 00:00:00 2001
From: Maxim Therrien
Date: Mon, 13 Jan 2025 12:27:23 -0500
Subject: [PATCH] Configure iptables for IPv6
---
 includes.container/etc/iptables/rules.v6 | 15 +++++++++++++++
 .../usr/systemd/system/ip6tables.service | 15 +++++++++++++++
 modules/91-iptables.yml | 4 ++++
 3 files changed, 34 insertions(+)
 create mode 100644 includes.container/etc/iptables/rules.v6
 create mode 100644 includes.container/usr/systemd/system/ip6tables.service
diff --git a/includes.container/etc/iptables/rules.v6 b/includes.container/etc/iptables/rules.v6
new file mode 100644
index 0000000..30add59
--- /dev/null
+++ b/includes.container/etc/iptables/rules.v6
@@ -0,0 +1,15 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Allow loopback
+-A INPUT -i lo -j ACCEPT
+
+# Allow SSH (Port 22)
+# -A INPUT -p tcp --dport 22 -j ACCEPT
+
+# Allow enstabilished and related connections
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+COMMIT
diff --git a/includes.container/usr/systemd/system/ip6tables.service b/includes.container/usr/systemd/system/ip6tables.service
new file mode 100644
index 0000000..0e48009
--- /dev/null
+++ b/includes.container/usr/systemd/system/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=ip6tables firewall rules
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecReload=/sbin/ip6tables-restore /etc/iptables/rules.v6
+ExecStop=/sbin/ip6tables-save > /etc/iptables/rules.v6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/91-iptables.yml b/modules/91-iptables.yml
index a435c6f..ccfafd1 100644
--- a/modules/91-iptables.yml
+++ b/modules/91-iptables.yml
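Review bot: With `:INPUT DROP` and no ICMPv6 accept anywhere in the new rules.v6, the ruleset most likely breaks IPv6 on the host itself: Neighbor Discovery (neighbour solicitation/advertisement), Router Advertisements and Packet Too Big messages all arrive on INPUT and hit the DROP policy, and the `ESTABLISHED,RELATED` rule cannot rescue them because NDP is not a tracked flow. Add ahead of the conntrack rule `-A INPUT -p ipv6-icmp -j ACCEPT`, or if you want it tighter, per-type accepts using `--icmpv6-type neighbour-solicitation`, `neighbour-advertisement`, `router-advertisement` and `packet-too-big`. The disabled SSH line is fine to leave as a template, but the comment `# Allow enstabilished and related connections` has a typo (`established`). Optionally, `-A INPUT -m conntrack --ctstate INVALID -j DROP` before the accept makes the handling of malformed packets explicit instead of relying on the chain policy.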
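Review bot: `ExecStop=/sbin/ip6tables-save > /etc/iptables/rules.v6` does not do what it reads as: systemd does not pass Exec lines through a shell, so `>` and the path are handed to ip6tables-save as literal arguments and nothing is written to the file. Even with a working redirect, rewriting the image-shipped rules file from whatever is live at stop time would persist any runtime change to the firewall (intended or not) into the next boot, which undermines keeping rules.v6 as the declarative source of truth in `includes.container`. I would drop the ExecStop line entirely; if persisting really is wanted, use `ExecStop=/sbin/ip6tables-save -f /etc/iptables/rules.v6` so the write happens without a shell. The rest of the unit (`DefaultDependencies=no`, `Before=network-pre.target`, oneshot with `RemainAfterExit=yes`) is the usual shape for loading rules before the network comes up.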
@@ -8,3 +8,7 @@ modules:
 type: shell
 commands:
 - ln -s /usr/lib/systemd/system/iptables.service /etc/systemd/system/multi-user.target.wants/iptables.service
+ - name: enable-ip6tables-systemd-unit
+ type: shell
+ commands:
+ - ln -s /usr/lib/systemd/system/ip6tables.service /etc/systemd/system/multi-user.target.wants/ip6tables.service
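Review bot: The symlink source `/usr/lib/systemd/system/ip6tables.service` does not match where this commit adds the unit file, `includes.container/usr/systemd/system/ip6tables.service` (no `lib/` component), so unless the build maps `includes.container/usr/systemd` onto `/usr/lib/systemd` the link will dangle and the unit will never start — and the failure mode is silent, since an unloaded ip6tables leaves the IPv6 filter table at its default ACCEPT policy. The existing iptables.service link on the context line uses the same target, so either both units are placed by a step outside this diff or both are affected; worth confirming in the built image with `systemctl is-enabled ip6tables`. As a style point, this block duplicates the preceding shell module verbatim; one module whose `commands` list links both units would be easier to keep in sync. The enclosing `modules:` list starts above this hunk.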