IPv6 on Debian

If you have a static, publicly routable IPv4 address, you already own an IPv6 /48: the 6to4 prefix 2002:&lt;your IPv4 in hex&gt;::/48 (RFC 3056) embeds your IPv4 address, and IPv6 traffic to and from it is carried inside IPv4 packets (protocol 41).

(If your Debian/Ubuntu box does not have a static, publicly routable IPv4 address, use a tunnel broker instead. SixXS (http://sixxs.net, with the AICCU client) closed in 2017; Hurricane Electric's tunnelbroker.net is a working alternative.)

6to4 relay routers announce the IPv4 anycast address 192.88.99.1 (RFC 3068) into BGP. Your host sends its protocol-41 packets to that address, the relay nearest to you by BGP decapsulates them onto native IPv6, and whichever relay sees the return traffic for 2002::/16 encapsulates it back to the IPv4 address embedded in your prefix. Two caveats: the return path is chosen near the remote end, so it is usually asymmetric and harder to debug, and RFC 7526 (2015) deprecated the anycast prefix, so fewer relays exist each year; confirm reachability (ping6 below) before depending on it.

Put a basic IPv6 firewall in place before bringing the tunnel up. A 6to4 address is globally reachable with no NAT in front of it, so every service listening on [::] becomes reachable from the whole IPv6 Internet the moment the interface comes up, and any IPv4 host can send you protocol-41 packets claiming any IPv6 source.

/etc/network/ip6tables:

*filter
:INPUT ACCEPT [3:273]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:4160]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Kernels before 2.6.20 only (no IPv6 conntrack): open unprivileged TCP ports, see below.
# -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Link-local sources: neighbour discovery, router advertisements.
-A INPUT -s fe80::/10 -j ACCEPT
# Multicast is only ever a destination; matching -s ff00::/8 would never fire.
-A INPUT -d ff00::/8 -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery; do not block it wholesale.
-A INPUT -p ipv6-icmp -j ACCEPT
# Log what is about to be dropped, rate-limited so a scan cannot fill /var/log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ip6tables drop: "
-A INPUT -j DROP
COMMIT

ip6tables-restore loads this file from /etc/network/interfaces whenever the IPv6-in-IPv4 tunnel interface is brought up (see below).

On Lenny (5.0) or later the shorewall6 package can manage the ip6tables rules for you. On kernels older than 2.6.20 there is no IPv6 connection tracking, so the RELATED,ESTABLISHED rule never matches and replies to your own outbound connections are dropped; in that case prepend a rule accepting inbound TCP to the unprivileged ports (&gt;= 1024) instead. That rule also exposes any service listening on a high port (MySQL on 3306, X11 on 6000), so bind those to localhost or block them explicitly first:

-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT

Derive your 6to4 prefix from your publicly routable IPv4 address: 2002:, then the four octets in hex as two 16-bit groups. That gives you a /48, i.e. 65,536 /64 subnets of 2^64 addresses each. 192.168.0.99 below is only a placeholder (RFC 1918 space cannot work for 6to4, since no relay can reach it); substitute your real address. Leading zeros inside a group are allowed, so 2002:c0a8:063::1 is the same address as 2002:c0a8:63::1.

# printf "2002:%x%02x:%x%02x::1\n" 192 168 0 99
2002:c0a8:063::1
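The same derivation as a small POSIX sh script, added here as an example and not part of the original page: it builds the 2002: prefix, maps a 2002: address back to the IPv4 host it embeds (useful when a 6to4 source turns up in the ip6tables log), refuses IPv4 addresses that no relay could ever reach, and checks that a received 6to4 packet's outer IPv4 source agrees with its inner IPv6 source. The function names and the 192.0.2.1 sample (documentation space) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original page: 6to4 address helpers in POSIX sh.
#   sixtofour_prefix 192.168.0.99      -> 2002:c0a8:0063
#   sixtofour_to_ipv4 2002:c0a8:063::1 -> 192.168.0.99
#   is_global_ipv4 192.168.0.99        -> false (RFC 1918, no relay can reach it)

# Dotted quad -> 32-bit integer. Rejects anything that is not four decimal
# octets 0-255; leading zeros are refused because printf would read them as octal.
ipv4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 6to4 /48 prefix for an IPv4 address (RFC 3056): 2002:AABB:CCDD.
sixtofour_prefix() {
    n=$(ipv4_to_int "$1") || return 1
    printf '2002:%04x:%04x\n' $(( n >> 16 )) $(( n & 0xffff ))
}

# IPv4 endpoint embedded in a 2002: address. Useful when reading logs: the
# IPv6 source of a 6to4 packet tells you which IPv4 host claims to have sent it.
sixtofour_to_ipv4() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ "$1" = 2002 ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    case "$2$3" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ ${#2} -le 4 ] && [ ${#3} -le 4 ] || return 1
    hi=$(( 0x$2 )); lo=$(( 0x$3 ))
    printf '%d.%d.%d.%d\n' $(( hi >> 8 )) $(( hi & 255 )) $(( lo >> 8 )) $(( lo & 255 ))
}

# True when the address is outside the special-purpose blocks of RFC 6890
# (private, loopback, link-local, documentation, multicast, reserved).
is_global_ipv4() {
    n=$(ipv4_to_int "$1") || return 1
    for block in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
                 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 \
                 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3; do
        base=$(ipv4_to_int "${block%/*}")
        mask=$(( (0xffffffff << (32 - ${block#*/})) & 0xffffffff ))
        [ $(( n & mask )) -eq $(( base & mask )) ] && return 1
    done
    return 0
}

# Anti-spoofing check for a received 6to4 packet: the IPv4 source of the outer
# protocol-41 packet must equal the IPv4 embedded in the inner IPv6 source.
sixtofour_source_consistent() {
    [ "$(sixtofour_to_ipv4 "$2")" = "$1" ]
}

# Demonstration with the page's placeholder address and a documentation address.
for a in 192.168.0.99 192.0.2.1; do
    if is_global_ipv4 "$a"; then verdict=routable; else verdict="not routable, 6to4 cannot work"; fi
    printf '%s -> %s::1 (%s)\n' "$a" "$(sixtofour_prefix "$a")" "$verdict"
done
```

A 6to4 packet whose outer IPv4 source and embedded IPv4 disagree is either spoofed or arrived through a relay from a native IPv6 host. The ruleset above cannot express that check, because ip6tables only ever sees the decapsulated IPv6 packet and the outer IPv4 header is gone by then; treat 2002: sources in the log accordingly.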

/etc/network/interfaces:

# 6to4 tunnel (IPv6 in IPv4, protocol 41). 192.168.0.99 stands in for the
# host's real static, publicly routable IPv4 address.
auto tun6to4
iface tun6to4 inet6 v4tunnel
        address 2002:c0a8:063::1
        netmask 48
        # the nearest 6to4 relay, via the IPv4 anycast address 192.88.99.1
        gateway ::192.88.99.1
        # accept protocol 41 from any IPv4 peer (relays and other 6to4 hosts)
        endpoint any
        local 192.168.0.99
        # pre-up, not up: have the rules in place before the interface exists
        pre-up /sbin/ip6tables-restore < /etc/network/ip6tables

Check that the interface, the firewall and the routing table are correct, then ping6 an IPv6 host. (ip6tables -nL omits interface and match details; use ip6tables -nvL to confirm that the -i lo, state and fe80::/10 rules actually loaded.)

# /sbin/ifconfig tun6to4
tun6to4   Link encap:IPv6-in-IPv4  
          inet6 addr: 2002:c0a8:063::1/48 Scope:Global
          inet6 addr: ::192.168.0.99/128 Scope:Compat
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:1940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:156784 (153.1 KiB)  TX bytes:8556 (8.3 KiB)

# ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0        ::/0                 ::/0               
ACCEPT     icmpv6    ::/0                 ::/0               
LOG        0        ::/0                 ::/0               LOG flags 0 level 4 
DROP       0        ::/0                 ::/0               

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0        ::/0                 ::/0

# ip -6 route
::192.88.99.1 dev tun6to4  metric 1024  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
::/96 via :: dev tun6to4  metric 256  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
2002:c0a8:063::/48 dev tun6to4  metric 256  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 21331396sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun6to4  metric 256  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
ff00::/8 dev eth0  metric 256  expires 21331396sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tun6to4  metric 256  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
default via ::192.88.99.1 dev tun6to4  metric 1024  expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295

# ping6 -c 5 ipv6.google.com
PING ipv6.google.com(iy-in-x6a.1e100.net) 56 data bytes
64 bytes from iy-in-x6a.1e100.net: icmp_seq=1 ttl=56 time=118 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=2 ttl=56 time=54.3 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=3 ttl=56 time=54.2 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=4 ttl=56 time=73.4 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=5 ttl=56 time=54.5 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 54.202/70.951/118.086/24.700 ms

ipv6ondebian.txt · Last modified: 2020/02/13 22:55 (external edit)
