====== IPv6 on Debian ======
If you have a static public IP, you already have an IPv6 address as part of the reserved network starting with 2002:
(If you do not have a static publicly routable IPv4 IP on your Debian/Ubuntu box, you should instead look at a tunnel broker like
Every ISP that supports IPv6 should advertise the special anycast gateway IP 192.88.99.1 and will handle it internally as an IPv4-to-IPv6 (6to4) relay. In this way you should always be routed to the closest (by BGP) IPv6 relay.
Configure a very basic IPv6 firewall first: when you bring up your IPv6 address (tunneled over IPv4) you do not want the host fully exposed.
/etc/network/ip6tables:
<code>
*filter
:INPUT ACCEPT [3:273]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:4160]
# loopback traffic in both directions
-A INPUT -s ::/0 -d ::/0 -i lo -j ACCEPT
-A OUTPUT -s ::/0 -d ::/0 -o lo -j ACCEPT
# only for kernels without IPv6 connection tracking (see below)
# -A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
# replies to connections this host initiated
-A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# link-local sources (neighbour and router discovery come from fe80::)
-A INPUT -s fe80::/10 -j ACCEPT
# multicast is only ever a destination, never a source, so match on -d
-A INPUT -d ff00::/8 -j ACCEPT
# ICMPv6 is required for IPv6 to work at all (ND, path MTU discovery)
-A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
# log and drop everything else (add -m limit to the LOG rule if it gets noisy)
-A INPUT -s ::/0 -d ::/0 -j LOG
-A INPUT -s ::/0 -d ::/0 -j DROP
COMMIT
</code>
This ip6tables-restore script is loaded when your IPv6-in-IPv4 tunnel is activated (the up line in /etc/network/interfaces below).
If you are running Lenny 5.0 or later, you may want to look at the shorewall6 package to manage your ip6tables rules instead. If you have a kernel older than 2.6.20, stateful inspection is not an option: prepend a rule that allows incoming TCP ports >= 1024 instead. Be careful if you have any TCP services listening on those ports that should be blocked (mysql, X-windows)!
<code>
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
</code>
Calculate your IPv6 address (actually 65,535 subnets of 2^64 IP addresses) from your publicly routable IPv4 address.
<code>
# printf "2002:%x%02x:%x%02x::1\n" 192 168 0 99
2002:c0a8:063::1
</code>
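The same 2002: derivation as a small script, added here as an example and not part of the original page, with the two checks a practitioner wants around it: that the IPv4 endpoint is globally routable (6to4 cannot work from RFC 1918 space such as the 192.168.0.99 placeholder used above) and that a 6to4 source address really embeds the IPv4 address the tunnel packet arrived from. It assumes only the Python 3 standard library; all sample addresses are constructed.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 prefix


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 that 6to4 assigns to an IPv4 address: 2002:<a.b>:<c.d>::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    # bits 127..112 are 0x2002, bits 111..80 carry the 32-bit IPv4 address
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))


def sixto4_host(ipv4: str, subnet: int = 0, host: int = 1) -> ipaddress.IPv6Address:
    """One address inside that /48: 16-bit subnet id plus 64-bit interface id
    (subnet 0, host ::1 gives the same result as the printf above)."""
    if not 0 <= subnet < 2**16 or not 0 < host < 2**64:
        raise ValueError("subnet id must fit in 16 bits, host id in 64 bits")
    net = sixto4_prefix(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | (subnet << 64) | host)


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint embedded in a 6to4 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def usable_for_6to4(ipv4: str) -> bool:
    """6to4 needs a globally routable IPv4 endpoint: a relay cannot send
    packets back to RFC 1918 or other special-use space."""
    return ipaddress.IPv4Address(ipv4).is_global


def source_matches_endpoint(inner_v6_src: str, outer_v4_src: str) -> bool:
    """Decapsulation sanity check (RFC 3964): the IPv4 embedded in the 6to4
    inner source must equal the outer IPv4 source, else the packet is spoofed."""
    try:
        return embedded_ipv4(inner_v6_src) == ipaddress.IPv4Address(outer_v4_src)
    except ValueError:   # not a 6to4 address, or unparseable input
        return False


if __name__ == "__main__":
    ep = "192.168.0.99"   # constructed sample: the placeholder endpoint used on this page
    print(sixto4_prefix(ep), sixto4_host(ep), usable_for_6to4(ep))
```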
/etc/network/interfaces:
<code>
auto tun6to4
iface tun6to4 inet6 v4tunnel
    address 2002:c0a8:063::1
    netmask 48
    gateway ::192.88.99.1
    endpoint any
    local 192.168.0.99
    up /sbin/ip6tables-restore < /etc/network/ip6tables
</code>
Check that your interface, firewall and routing table are correct, then ping6 an IPv6 host:
<code>
# /sbin/ifconfig tun6to4
tun6to4   Link encap:IPv6-in-IPv4
          inet6 addr: 2002:c0a8:063::1/48 Scope:Global
          inet6 addr: ::192.168.0.99/128 Scope:Compat
          UP RUNNING NOARP MTU:1480 Metric:1
          RX packets:1940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:156784 (153.1 KiB) TX bytes:8556 (8.3 KiB)

# ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source       destination
ACCEPT     0    ::/0             ::/0
ACCEPT     icmpv6 ::/0           ::/0
LOG        0    ::/0             ::/0          LOG flags 0 level 4
DROP       0    ::/0             ::/0

Chain FORWARD (policy ACCEPT)
target     prot opt source       destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source       destination
ACCEPT     0    ::/0             ::/0

# ip -6 route
::192.88.99.1 dev tun6to4 metric 1024 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
::/96 via :: dev tun6to4 metric 256 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
2002:c0a8:063::/48 dev tun6to4 metric 256 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 21331396sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun6to4 metric 256 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 expires 21331396sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tun6to4 metric 256 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295
default via ::192.88.99.1 dev tun6to4 metric 1024 expires 21331787sec mtu 1480 advmss 1420 hoplimit 4294967295

# ping6 -c 5 ipv6.google.com
PING ipv6.google.com(iy-in-x6a.1e100.net) 56 data bytes
64 bytes from iy-in-x6a.1e100.net: icmp_seq=1 ttl=56 time=118 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=2 ttl=56 time=54.3 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=3 ttl=56 time=54.2 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=4 ttl=56 time=73.4 ms
64 bytes from iy-in-x6a.1e100.net: icmp_seq=5 ttl=56 time=54.5 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 54.202/70.951/118.086/24.700 ms
</code>
====== References ======