Hi everybody, I am trying to implement IPv6 on my LAN PC. I have Shorewall 4.0.3 working perfectly with IPv4, and I am trying to test IPv6 from my LAN computer with a tunnel broker (Hurricane Electric). I have Windows 7 on my PC and I executed the commands that the tunnel broker told me to execute. All that works great.

Now, how do I accept traffic in and out from my computer to an IPv6 host in the firewall, like http://test-ipv6.com/?

Thanks

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
You'll need to use shorewall6, which handles IPv6 traffic. It works the same as shorewall4, such that your IPv6 interface will lead to your internet zone. Essentially you have two entirely separate firewalls.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
On 03/06/2012 09:19 AM, Nico Pagliaro wrote:
> Hi everybody, I am trying to implement IPv6 on my LAN PC.
> I have Shorewall 4.0.3 working perfectly with IPv4, and I am trying to test
> IPv6 from my LAN computer with a tunnel broker (Hurricane Electric).
> I have Windows 7 on my PC and I executed the commands that the tunnel broker
> told me to execute. All that works great.
> Now, how do I accept traffic in and out from my computer to an IPv6 host
> in the firewall, like http://test-ipv6.com/?

Shorewall 4.0 has no IPv6 support. So all you can do is to set DISABLE_IPV6=No in shorewall.conf. That will allow all IPv6 traffic into and out of your firewall.

If you plan on implementing IPv6 though, I suggest that you upgrade to Shorewall 4.5, where you can use Shorewall6, the IPv6 component of Shorewall.

-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks, I am upgrading to 4.5 right now.

Question: if I have 4.5 working, do I need to have shorewall and shorewall6 running at the same time, or can I have only shorewall running with a 6in4 configuration in the tunnels file?

thanks

On Tue, Mar 6, 2012 at 4:27 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 03/06/2012 09:19 AM, Nico Pagliaro wrote:
> [...]
> > Now, how do I accept traffic in and out from my computer to an IPv6 host
> > in the firewall, like http://test-ipv6.com/?
>
> Shorewall 4.0 has no IPv6 support. So all you can do is to set
> DISABLE_IPV6=No in shorewall.conf. That will allow all IPv6 traffic into
> and out of your firewall.
>
> If you plan on implementing IPv6 though, I suggest that you upgrade to
> Shorewall 4.5 where you can use Shorewall6, the IPv6 component of
> Shorewall.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Assuming you are using Linux, shorewall manages IPv4 rules via iptables. Shorewall6 manages IPv6 rules via ip6tables.

On the Debian hosts I manage there is /etc/shorewall and /etc/shorewall6. They are entirely separate.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Great. Now I have Shorewall 4.5 installed and running.

I am trying to use the Hurricane Electric tunnel broker but I don't know how I enable protocol 41 traffic in/out to my PC. Any idea?

I want to use IPv6 on my PC and access IPv6 sites. For this, I have installed the Hurricane tunnel on my PC with the commands they show me, but I don't know how to permit traffic to protocol 41.

Thanks 4 all

On Tue, Mar 6, 2012 at 4:52 PM, Neil Watson <neil@watson-wilson.ca> wrote:
> Assuming you are using Linux, shorewall manages IPv4 rules via iptables.
> Shorewall6 manages IPv6 rules via ip6tables.
>
> On the Debian hosts I manage there is /etc/shorewall and
> /etc/shorewall6. They are entirely separate.
>
> --
> Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca
On Tue, Mar 06, 2012 at 05:06:14PM -0200, Nico Pagliaro wrote:
> I am trying to use the Hurricane Electric tunnel broker but I don't know how I
> enable protocol 41 traffic in/out to my PC.

I think that the ipsec macro will handle this.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
On 03/06/2012 11:06 AM, Nico Pagliaro wrote:
> Great. Now I have Shorewall 4.5 installed and running.
> I am trying to use the Hurricane Electric tunnel broker but I don't know how I
> enable protocol 41 traffic in/out to my PC.
> Any idea?
>
> I want to use IPv6 on my PC and access IPv6 sites. For this, I have
> installed the Hurricane tunnel on my PC with the commands they show me, but I
> don't know how to permit traffic to protocol 41.

http://www.shorewall.net/6to4.htm

-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
mm, I don't know about that. The documentation at Hurricane Electric / tunnelbroker says that I need to enable protocol 41 in and out. Is this correct?

ACCEPT  loc  net  41
ACCEPT  net  loc  41

On Tue, Mar 6, 2012 at 5:08 PM, Neil Watson <neil@watson-wilson.ca> wrote:
> On Tue, Mar 06, 2012 at 05:06:14PM -0200, Nico Pagliaro wrote:
> > I am trying to use the Hurricane Electric tunnel broker but I don't know how I
> > enable protocol 41 traffic in/out to my PC.
>
> I think that the ipsec macro will handle this.
>
> --
> Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca
But reading this, I need to configure IPv6 in my firewall. Is this necessary if the only thing I want is to allow protocol 41 in and out?

On Tue, Mar 6, 2012 at 5:30 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 03/06/2012 11:06 AM, Nico Pagliaro wrote:
> > Great. Now I have Shorewall 4.5 installed and running.
> > I am trying to use the Hurricane Electric tunnel broker but I don't know how I
> > enable protocol 41 traffic in/out to my PC.
> > Any idea?
> >
> > I want to use IPv6 on my PC and access IPv6 sites. For this, I have
> > installed the Hurricane tunnel on my PC with the commands they show me, but I
> > don't know how to permit traffic to protocol 41.
>
> http://www.shorewall.net/6to4.htm
>
> -Tom
On 03/06/2012 11:42 AM, Nico Pagliaro wrote:
> But reading this, I need to configure IPv6 in my firewall.
> Is this necessary if the only thing I want is to allow protocol 41 in
> and out?

http://www.shorewall.net/6to4.htm#idp2946368

-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
On Tue, Mar 06, 2012 at 05:42:58PM -0200, Nico Pagliaro wrote:
> But reading this, I need to configure IPv6 in my firewall.
> Is this necessary if the only thing I want is to allow protocol 41 in
> and out?

I believe that 41 is IPv4 traffic. It encapsulates IPv6 traffic. So your IPv4 firewall allows IP 41. The IPv6 firewall allows any IPv6 traffic you care to.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Nico Pagliaro wrote:
>But reading this, I need to configure IPv6 in my firewall.
>Is this necessary if the only thing I want is to allow protocol 41 in and out?

If you are only enabling IPv6 on your PC then you don't need IPv6 on your firewall - at all. Just allow the right traffic (protocol 41 ?) through to your PC as already described.

However, if you want the "real" IPv6 experience, it's not hard to enable IPv6 on the firewall with an HE tunnel.

You haven't said what OS you have on your gateway/firewall - this is what I have for a Debian host running PPPoE, Shorewall, Shorewall6 :

/etc/network/interfaces :
>auto eth0
>iface eth0 inet static
>    address 192.168.x.1
>    netmask 255.255.255.0
>
>iface eth0 inet6 static
>    address 2001:470:xxx9:xxxx::1
>    netmask 64
>
>auto he-ipv6
>iface he-ipv6 inet6 static
>    address 2001:470:xxx8:xxxx::2
>    netmask 64
>    gateway 2001:470:xxx8:xxxx::1
>    pre-up ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>    pre-up ip link set he-ipv6 up
>    post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
>    post-down ip link set he-ipv6 down
>    post-down ip tunnel del he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>
>auto isp
>iface isp inet ppp
>    provider isp

This is sufficient to configure your HE tunnel, and IPv6 internally using your routed subnet. Note the slight difference in IP address between that on the tunnel and that on eth0 - when you log into your HE account, you'll see the link address and /64 routed subnets listed against your connection.

Now for the Shorewall6 config.

interfaces
>net   ppp0      detect   tcpflags,forward=1,optional,dhcp
>net   he-ipv6   detect   tcpflags,forward=1,optional
>loc   eth0      detect   tcpflags,forward=1

I think the ppp0 interface is redundant - I have it in because I'm also trialling my ISP's native IPv6.

zones
>fw    firewall
>net   ipv6
>loc   ipv6

Virtually identical to the IPv4 setup.

policy
>loc   net   ACCEPT
>net   all   REJECT
>all   all   REJECT

It's important to drop or reject all inbound traffic. Unlike IPv4, where most users have NAT which in itself provides a level of protection, with IPv6 you are fully routed, which can make all your local machines suddenly appear on the internet !

Set IP_FORWARDING=Yes in shorewall6.conf, and something I overlooked and caused myself some consternation, set DISABLE_IPV6=No in /etc/shorewall/shorewall.conf !

And of course, set whatever rules you need. Here is an extract from my rules file :
># I run mail and DNS servers at home, allow that traffic in
>SMTP(ACCEPT)   net   loc:2001:470:xxx9:xxx::xxxx
>DNS(ACCEPT)    net   loc:2001:470:xxx9:xxx::xxxx
>ACCEPT         net   loc:2001:470:xxx9:xxx::xxxx   ipv6-icmp
>
>DNS(ACCEPT)    $FW   net
>
># Give me remote access to the firewall
>SSH(ACCEPT)    loc   $FW
>
>Ping(ACCEPT)   loc   $FW
>
>ACCEPT         $FW   loc   ipv6-icmp
>ACCEPT         $FW   net   ipv6-icmp
>ACCEPT         all   all   ipv6-icmp

Lastly, to allow your local machines to get public addresses, you will probably want to install RAdvD (Router Advertisement Daemon). Its config can be as simple as :

/etc/radvd.conf
>interface eth0 {
>    AdvSendAdvert on;
>    AdvOtherConfigFlag off;
>    prefix ::/64
>    {
>        AdvOnLink on;
>        AdvAutonomous on;
>    };
>};

Between them, these settings should allow you to have native IPv6 running on your LAN - and most IPv6 enabled devices should "just work".

And really finally (if you've read this far) ... Good on you for giving IPv6 a go. It might seem terribly complicated (it did (and still does) to me), but it does start getting easier when you get the hang of it :-) Not all the tools are there yet, but things are getting better.

I have IPv6 via tunnels at home and work (both using the setup I've described above) and to be honest I just don't notice it any more.

--
Simon Hobson, HE IPv6 Sage

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Wow, thanks for your information! My server is CentOS. I think that the commands are different, aren't they?

On Tue, Mar 6, 2012 at 6:33 PM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Nico Pagliaro wrote:
> >But reading this, I need to configure IPv6 in my firewall.
> >Is this necessary if the only thing I want is to allow protocol 41 in and out?
>
> If you are only enabling IPv6 on your PC then you don't need IPv6 on
> your firewall - at all. Just allow the right traffic (protocol 41 ?)
> through to your PC as already described.
>
> However, if you want the "real" IPv6 experience, it's not hard to
> enable IPv6 on the firewall with an HE tunnel.
> You haven't said what OS you have on your gateway/firewall - this is
> what I have for a Debian host running PPPoE, Shorewall, Shorewall6 :
> [...]
On 03/06/2012 02:04 PM, Nico Pagliaro wrote:
> Wow, thanks for your information! My server is CentOS. I think that the
> commands are different, aren't they?
>
> On Tue, Mar 6, 2012 at 6:33 PM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> > You haven't said what OS you have on your gateway/firewall - this is
> > what I have for a Debian host running PPPoE, Shorewall, Shorewall6 :
> > [...]

In CentOS (5.7 in my case; doesn't have shorewall6 yet :( ), you work with files in /etc/sysconfig/network-scripts/ instead of /etc/network/interfaces. Here's a cleaned-up version of my ifcfg-sit1 from there. (You could also call it ifcfg-ipv6 or ifcfg-he6; that name doesn't really matter, as long as it's consistent.)

==================================================================
# Hurricane Electric V6V4 tunnel, IPv4 side
NAME="Hurricane Electric SIT"
DEVICE=sit1
ONBOOT=yes
HOTPLUG=yes
USERCTL=yes
BOOTPROTO=none
PEERDNS=no
IPV6INIT=yes
IPV6FORWARDING=yes
IPV6_AUTOTUNNEL=yes
IPV6ADDR="2001:470:xxxx:xxxx::2/64"
IPV6ADDR_SECONDARIES="2001:470:yyyy:xxxx::1/64 2001:470:yyyy:xxxx::19/64 2001:470:yyyy:xxxx::35/64 2001:470:yyyy:xxxx::50/64"
IPV6_MTU=1440
IPV6_ROUTER=no
IPV6_AUTOCONF=no
IPV6TUNNELIPV4=xxx.xx.xx.xx
IPV6TUNNELIPV4LOCAL=yyy.yy.yy.yy
PHYSDEV=eth0
TYPE=sit
DEVICETYPE=sit
=========================================================

The secondary addresses are purely optional, of course. So is the MTU setting, I think. And of course, if you're using it as a router, obviously you want a different value for IPV6_ROUTER. IPV6TUNNELIPV4 is the address of the HE tunnelbroker you use, and IPV6TUNNELIPV4LOCAL is your outward-facing interface's address (so if it's behind IPv4 NAT, you put the RFC1918-type address here).

Then, it's `ifup sit1` and `ifdown sit1` to start & stop it. If you use NetworkManager, you're on your own, as far as I'm concerned; I've never used it on a server or router.

I might also take the extra step, when setting up the protocol 41 rule, of limiting it to the tunnelbroker's address only (the same as IPV6TUNNELIPV4 above). A little paranoid, but it doesn't hurt.

ACCEPT   net:xx.x.x.x   $FW            41   # HE SIT IPv6 tunnel
ACCEPT   $FW            net:xx.x.x.x   41   # HE SIT IPv6 tunnel

The shorewall6 & radvd config can be the same as Simon's Debian one above.

--
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://www.prml.org/

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
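As an added illustration (not code from the thread, from Shorewall, or from any poster): a small Python linter for the points Simon and Randall make above, run over constructed Shorewall/Shorewall6 table extracts. It flags an ACCEPT policy from net on the fully routed IPv6 side, inbound rules that name the whole loc zone instead of one host, and a protocol-41 rule not pinned to the broker's address. The column layout follows the extracts posted in the thread; the sample addresses are constructed.

```python
"""Lint Shorewall (IPv4) and Shorewall6 table extracts for the pitfalls raised in
this thread: an inbound ACCEPT policy on the fully routed IPv6 side, inbound rules
that open the whole LAN instead of one host, and a protocol-41 (6in4) rule that is
not pinned to the tunnel broker's address."""


def parse_table(text):
    """Split a Shorewall table file into column lists, dropping blank lines and
    anything after '#' (Shorewall's comment character)."""
    rows = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def split_zone(field):
    """'loc:2001:db8:1::25' -> ('loc', '2001:db8:1::25'); 'net' -> ('net', '')."""
    zone, _, host = field.partition(':')
    return zone, host


def check_policy(policy_text):
    """Findings for a policy file (columns: SOURCE DEST POLICY). With IPv6 there is
    no NAT in the way, so an ACCEPT policy from net (or all) exposes every LAN host."""
    findings = []
    for row in parse_table(policy_text):
        if len(row) < 3:
            continue
        src, dst, policy = row[0], row[1], row[2].upper()
        if src in ('net', 'all') and policy == 'ACCEPT':
            findings.append(f'policy {src} -> {dst} ACCEPT exposes the LAN')
    return findings


def check_rules(rules_text):
    """Findings for a rules file (columns: ACTION SOURCE DEST [PROTO] ...), usable
    on both the IPv4 and the IPv6 file:
      - an ACCEPT (or a macro such as SMTP(ACCEPT)) from net into loc must name a
        destination host (loc:addr), otherwise the allowance covers the whole LAN;
      - an ACCEPT of protocol 41 (6in4; 'ipv6' in /etc/protocols) from net should
        be limited to the broker's address (net:addr), as suggested in the thread."""
    findings = []
    for row in parse_table(rules_text):
        if len(row) < 3:
            continue
        action, (src_zone, src_host), (dst_zone, dst_host) = (
            row[0], split_zone(row[1]), split_zone(row[2]))
        proto = row[3].lower() if len(row) > 3 else '-'
        upper = action.upper()
        if not (upper == 'ACCEPT' or upper.endswith('(ACCEPT)')):
            continue
        if src_zone == 'net' and dst_zone == 'loc' and not dst_host:
            findings.append(f'{action} net -> loc without a host exposes the whole LAN')
        if proto in ('41', 'ipv6') and src_zone == 'net' and not src_host:
            findings.append(f'{action} proto 41 from net is not limited to the tunnel broker')
    return findings


def lint(policy6, rules6, rules4):
    """Run every check over the three files; an empty list means nothing was flagged."""
    return check_policy(policy6) + check_rules(rules6) + check_rules(rules4)


# Constructed samples modelled on the extracts in this thread. 2001:db8::/32 is the
# documentation prefix and 192.0.2.1 stands in for the broker's IPv4 endpoint.
GOOD_POLICY6 = "loc net ACCEPT\nnet all REJECT\nall all REJECT\n"
BAD_POLICY6 = "loc net ACCEPT\nnet loc ACCEPT\nall all REJECT\n"
GOOD_RULES6 = """\
# mail and DNS server only, plus ICMPv6 everywhere
SMTP(ACCEPT)  net  loc:2001:db8:1::25
DNS(ACCEPT)   net  loc:2001:db8:1::25
ACCEPT        all  all  ipv6-icmp
"""
BAD_RULES6 = "SMTP(ACCEPT)  net  loc\n"
GOOD_RULES4 = """\
ACCEPT  net:192.0.2.1  $FW            41  # HE SIT IPv6 tunnel
ACCEPT  $FW            net:192.0.2.1  41  # HE SIT IPv6 tunnel
"""
# The two lines proposed earlier in the thread: open to any source and to the whole LAN.
NAIVE_RULES4 = "ACCEPT  loc  net  41\nACCEPT  net  loc  41\n"

if __name__ == '__main__':
    for label, files in (('sane', (GOOD_POLICY6, GOOD_RULES6, GOOD_RULES4)),
                         ('naive', (BAD_POLICY6, BAD_RULES6, NAIVE_RULES4))):
        print(label, lint(*files) or ['clean'])
```

Point it at the real /etc/shorewall/rules and /etc/shorewall6/{policy,rules} files after `shorewall6 check` passes; the linter only reads the first few columns and ignores the rest of each line.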
On 03/06/2012 05:12 PM, J. Randall Owens wrote:
> IPV6ADDR_SECONDARIES="2001:470:yyyy:xxxx::1/64 2001:470:yyyy:xxxx::19/64
> 2001:470:yyyy:xxxx::35/64 2001:470:yyyy:xxxx::50/64"
...
> =========================================================
> The secondary addresses are purely optional, of course. So is the MTU...

Oh, maybe it should go without saying, but those secondaries should all be on one line, of course.

--
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://www.prml.org/