pantz.org banner
pantz.org is now IPv6
Posted on 02-12-2012 23:02:08 UTC | Updated on 02-12-2012 23:23:44 UTC
Section: /software/tcpip/ | Permanent Link

Getting IPv6 connected

I thought it would be fun to get pantz.org up and rolling on IPv6 before the next world IPv6 day. My hosting company Linode offers IPv6 now, and they made it real easy to get it going. I just clicked on a link to turn it in my control panel and then rebooted. The address was assigned by dhcp to the interface on boot. Below is an ifconfig example of a interface running both IPv4 and IPv6 on the same interface.

eth0      Link encap:Ethernet  HWaddr ff:ff:de:ad:be:ef  
          inet addr:74.207.225.175  Bcast:74.207.225.255  Mask:255.255.255.0
          inet6 addr: 2600:3c02::f03c:91ff:fe93:9678/64 Scope:Global
          inet6 addr: fe80::f03c:91ff:fe93:9678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ....

Now that we have an native IPv6 IP address we need to test to see if it works. Google has an IPv6 website that you can use to test this. Just use the IPv6 version of ping, and you should see a response if everything is setup correctly. Example: ping6 IPv6.google.com.

IPv6 firewall

Let's get some IPv6 firewalling going. In Linux iptables is what you use for IPv4 as a packet filter. With IPv6 you need to use ip6tables. It's very close to the same so you can use most of your current rules from IPv4. Just an intresting note, as of right now ip6tables does not support NAT. According to the devs it is unlikely it will ever be supported so just keep that in mind.

Below is an example of firewalling with ip6tables. It is a bash script written to be put in the /etc/init.d dir. It responds to the stop,start,restart commands to load the rules. I called my rules ip6tables. Make the file and put it in the /etc/init.d dir. If your running a Debian based system (Ubuntu and such) then you can run chmod 700 /etc/init.d/ip6tables;update-rc.d ip6tables defaults on the file to have it start on boot.

#!/bin/bash
#
# Firewall rules
# 

######################################################################
function on {
    echo "Firewall: enabling filtering"
       	
    # Clear any previous rules.
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -X
    # Default drop policy.
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP

    # Allow anything over loopback.
    ip6tables -A INPUT  -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT

    # allow link-local
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT

    # Drop packets with a type 0 routing header
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

    # Drop any tcp packet that does not start a connection with a syn flag.
    ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified.
    ip6tables -A INPUT -m state --state INVALID -j DROP

    # Drop invalid packets.
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Reject link-local all nodes multicast group 
    ip6tables -A INPUT -d ff02::1 -j REJECT

    # Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
    ip6tables -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    ip6tables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMP In/Out. ICMP has a much more significant and essential role because of
    # new functionality that is now performed within IPv6. Allow open for now.
    ip6tables -A INPUT   -p IPv6-icmp -j ACCEPT
    ip6tables -I OUTPUT  -p IPv6-icmp -j ACCEPT
    ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT

    # Allow http connections in. Uncomment if needed.
    ip6tables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

    # Drop everything that did not match above and log it.
    ip6tables -A INPUT   -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    ip6tables -A INPUT   -j DROP
    ip6tables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    ip6tables -A FORWARD -j DROP
    ip6tables -A OUTPUT  -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    ip6tables -A OUTPUT  -j DROP

}
######################################################################
function off {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD REJECT
    ip6tables -P OUTPUT REJECT

    # allow anything over loopback
    ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
}

case "$1" in
    start)
	on
    ;;
    stop)
	off
    ;;
    restart)
       off
       on
    ;;
    *)
	echo "$0 {start|stop|restart|off}"
	echo "Start executes primary ruleset."
	echo "Stop disables all filtering"
	echo "restart clears then enables"
	echo "Off disables all non-loopback connections"
    ;;
esac

Getting the webserver working

I use Nginx for my webserver so I had to change the config to have it listen for IPv6. First check that your Nginx supports IPv6 with the command nginx -V. It should show "--with-ipv6" in the output. After verfiying IPv6 is compiled in we can change the config. I put my IPv6 listen statement in the config and restarted. On restart the following error showed up:

[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: still could not bind()

I believe this error relates to how a modern version of Linux uses a hybrid dual-stack implementation of IPv4 and IPv6. To fix this I had to put IPv6only=on in the IPv6 line or Nginx would throw that error and not start. The new line tells Nginx to open a port in hybrid sockets mode. The final working line is below. There are other lines in the server {} area I'm just showing the IPv6 and IPv4 line. Restart Nginx after you put the IPv6 line in.

server {
    ...
    listen      *:80;
    listen 	[::]:80 default IPv6only=on;
    ...
   }

For every virtual server after setting the default server (like above) you will just need the following listen lines that don't reference the default server or IPv6.

server {
    ...
    listen      *:80;
    listen      [::]:80;
    ...
   }

IPv6 DNS records

With IPv6 you have to use an AAAA record (quad A) instead of an A records. The DNS entry is the same but your just using 3 more A's for the new record. Update your DNS server with that record and then test it with dig. An example of that test would look like the following.

> dig @ns1.linode.com www.pantz.org aaaa 

....

;; QUESTION SECTION:
;www.pantz.org.			IN	AAAA

;; ANSWER SECTION:
www.pantz.org.		86400	IN	AAAA	2600:3c02::f03c:91ff:fe93:9678

....

Check if your site is working

After you get your quad A record entry in, people should be able to reach your website through IPv6. If you don't have an IPv6 connection you can check your sites connectivity with http://IPv6-test.com. If that website says it was successful then congrats your up and rolling. Check your webserver logs for access from an IPv6 address, then make sure the resulting code was 200 OK for that access.

Intresting things I learned about IPv6


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemd

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib