I thought it would be fun to get pantz.org up and rolling on IPv6 before the next world IPv6 day. My hosting company Linode offers IPv6 now, and they made it really easy to get it going. I just clicked on a link in my control panel to turn it on and then rebooted. The address was assigned by DHCP to the interface on boot. Below is an ifconfig example of an interface running both IPv4 and IPv6.
eth0      Link encap:Ethernet  HWaddr ff:ff:de:ad:be:ef
          inet addr:74.207.225.175  Bcast:74.207.225.255  Mask:255.255.255.0
          inet6 addr: 2600:3c02::f03c:91ff:fe93:9678/64 Scope:Global
          inet6 addr: fe80::f03c:91ff:fe93:9678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ....
Now that we have a native IPv6 address we need to test that it works. Google has an IPv6 website that you can use for this. Just use the IPv6 version of ping, and you should see a response if everything is set up correctly. Example: ping6 ipv6.google.com.
Let's get some IPv6 firewalling going. In Linux, iptables is what you use as a packet filter for IPv4. With IPv6 you need to use ip6tables. The syntax is very nearly the same, so you can reuse most of your current IPv4 rules. Just an interesting note: as of right now ip6tables does not support NAT. According to the devs it is unlikely it will ever be supported, so just keep that in mind.
Below is an example of firewalling with ip6tables. It is a bash script written to be put in the /etc/init.d dir. It responds to the stop, start and restart commands to load the rules. I called my rules file ip6tables. Make the file and put it in the /etc/init.d dir. If you're running a Debian based system (Ubuntu and such) then you can run chmod 700 /etc/init.d/ip6tables; update-rc.d ip6tables defaults on the file to have it start on boot.
#!/bin/bash
#
# Firewall rules
#
######################################################################
function on {
    echo "Firewall: enabling filtering"

    # Clear any previous rules.
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -X

    # Default drop policy.
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP

    # Allow anything over loopback.
    ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT

    # Allow link-local.
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT

    # Drop packets with a type 0 routing header.
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

    # Drop any tcp packet that does not start a connection with a syn flag.
    ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified.
    ip6tables -A INPUT -m state --state INVALID -j DROP

    # Drop packets with invalid TCP flag combinations.
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

    # Reject link-local all nodes multicast group.
    ip6tables -A INPUT -d ff02::1 -j REJECT

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMP In/Out. ICMP has a much more significant and essential role because of
    # new functionality that is now performed within IPv6. Allow open for now.
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    ip6tables -I OUTPUT -p ipv6-icmp -j ACCEPT
    ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT

    # Allow http connections in. Comment out if not needed.
    ip6tables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

    # Drop everything that did not match above and log it.
    ip6tables -A INPUT -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    ip6tables -A INPUT -j DROP
    ip6tables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    ip6tables -A FORWARD -j DROP
    ip6tables -A OUTPUT -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    ip6tables -A OUTPUT -j DROP
}

######################################################################
function off {
    # Stop firewall.
    echo "Firewall: disabling filtering (allowing all access)"
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
}

######################################################################
function stop {
    # Stop all external connections.
    echo "Firewall: stopping all external connections"
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    # A chain policy can only be ACCEPT or DROP (REJECT is not a valid policy).
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Allow anything over loopback.
    ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
}

case "$1" in
    start)
        on
        ;;
    stop)
        off
        ;;
    restart)
        off
        on
        ;;
    off)
        # Matches the usage text below: block everything except loopback.
        stop
        ;;
    *)
        echo "$0 {start|stop|restart|off}"
        echo "Start executes primary ruleset."
        echo "Stop disables all filtering"
        echo "restart clears then enables"
        echo "Off disables all non-loopback connections"
        ;;
esac
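The script above leaves ICMPv6 fully open ("Allow open for now"). As an added example, not part of the original script, the function below narrows inbound ICMPv6 to the message types a host needs, along the lines of RFC 4890. The function name icmpv6_rules and the IP6T dry-run variable are assumptions made for this example.

```shell
#!/bin/bash
# Added example: tighter ICMPv6 rules that could replace the accept-all
# ICMPv6 lines in the on function. IP6T defaults to a dry run that only
# prints each command; set IP6T=ip6tables (as root) to apply the rules.
IP6T=${IP6T:-echo ip6tables}

icmpv6_rules() {
    local t

    # Error messages IPv6 depends on. packet-too-big carries path MTU
    # discovery, which matters because IPv6 routers never fragment.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # Ping: answer echo requests at a limited rate, accept replies to ours.
    $IP6T -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
    $IP6T -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT

    # Router advertisements and neighbor discovery are on-link traffic:
    # a hop limit of 255 shows the packet was not forwarded by a router.
    for t in router-advertisement neighbour-solicitation neighbour-advertisement; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done

    # Any other inbound ICMPv6 is logged and dropped.
    $IP6T -A INPUT -p ipv6-icmp -j LOG --log-level 4 --log-prefix "IPT_ICMP6: "
    $IP6T -A INPUT -p ipv6-icmp -j DROP

    # ICMPv6 generated by this host is allowed out. Nothing is added to
    # FORWARD, so the default DROP policy covers it.
    $IP6T -A OUTPUT -p ipv6-icmp -j ACCEPT
}
```

Calling icmpv6_rules with no changes prints the twelve commands for review; the rule for link-local sources earlier in the script still accepts on-link traffic before these rules are reached.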
I use Nginx for my webserver, so I had to change the config to have it listen on IPv6. First check that your Nginx supports IPv6 with the command nginx -V. It should show "--with-ipv6" in the output. After verifying IPv6 is compiled in, we can change the config. I put my IPv6 listen statement in the config and restarted. On restart the following error showed up:
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: still could not bind()
I believe this error relates to how a modern version of Linux uses a hybrid dual-stack implementation of IPv4 and IPv6. To fix this I had to put ipv6only=on in the IPv6 line or Nginx would throw that error and not start. The new line tells Nginx to open a port in hybrid sockets mode. The final working line is below. There are other lines in the server {} area; I'm just showing the IPv6 and IPv4 lines. Restart Nginx after you put the IPv6 line in.
server {
    ...
    listen *:80;
    listen [::]:80 default ipv6only=on;
    ...
}
For every virtual server after setting the default server (like above) you will just need the following listen lines that don't reference the default server or IPv6.
server {
    ...
    listen *:80;
    listen [::]:80;
    ...
}
With IPv6 you have to use an AAAA record (quad A) instead of an A record. The DNS entry is the same but you're just using 3 more A's for the new record. Update your DNS server with that record and then test it with dig. An example of that test would look like the following.
> dig @ns1.linode.com www.pantz.org aaaa
....
;; QUESTION SECTION:
;www.pantz.org.            IN    AAAA

;; ANSWER SECTION:
www.pantz.org.    86400    IN    AAAA    2600:3c02::f03c:91ff:fe93:9678
....
After you get your quad A record entry in, people should be able to reach your website through IPv6. If you don't have an IPv6 connection you can check your site's connectivity with http://ipv6-test.com. If that website says it was successful then congrats, you're up and rolling. Check your webserver logs for access from an IPv6 address, then make sure the resulting code was 200 OK for that access.
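One way to do that log check, as an added example that is not part of the original post. It assumes Nginx's default "combined" log format (client address in field 1, status code in field 9); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise requests from native IPv6 clients in an
# nginx access log and confirm at least one of them was answered 200.
ipv6_hits() {
    awk '
        # A colon in the client address means IPv6. IPv4-mapped addresses
        # (::ffff:a.b.c.d) are IPv4 clients on a dual-stack socket, so
        # they do not count as IPv6 reachability.
        $1 ~ /:/ && tolower($1) !~ /^::ffff:/ {
            total++
            if ($9 == 200) ok++; else bad[$9]++
        }
        END {
            printf "ipv6_requests=%d ok_200=%d", total, ok
            for (s in bad) printf " status_%s=%d", s, bad[s]
            printf "\n"
            exit (ok > 0 ? 0 : 1)   # non-zero when no IPv6 request got a 200
        }
    ' "$@"
}

# Constructed sample lines using documentation address ranges, not real traffic.
sample_log() {
cat <<'EOF'
2001:db8::1234 - - [01/Jun/2012:10:00:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.7 - - [01/Jun/2012:10:00:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8::beef - - [01/Jun/2012:10:00:05 -0400] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
::ffff:203.0.113.9 - - [01/Jun/2012:10:00:09 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}
```

Pass the path of your own access log as the argument to ipv6_hits, or pipe sample_log into it to see the summary for the constructed lines.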