GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon Apr 28, 2003 5:00 pm Post subject: How to get Gentoo running as an IPv6 router/firewall.
How to get Gentoo running as an IPv6 router/firewall.
First we need some things to be done:
1: You need to have an IPv6 segment (you can get one from http://www.xs26.net or http://ipng.org.uk/). This guide is based on the http://ipng.org.uk/ settings, but it shouldn't be much different with any other one.
2: You will also need to have reverse DNS set up; look at http://ipng.org.uk/ to see how this is done with BIND.
This is all based on this configuration:
eth0 = external interface of router/firewall
eth1 = internal interface of router/firewall
Ok, let's get to work.
1: Kernel configuration. (Based on gentoo-sources-2.4.20-r2)
Here is what is needed:
In Networking options:
Code:
[*] Network packet filtering (replaces ipchains)
[*] Socket Filtering
<*> The IPv6 protocol (EXPERIMENTAL)
In Networking options -> IPv6: Netfilter Configuration:
Code:
<*> Userspace queueing via NETLINK (EXPERIMENTAL)
<*> IP6 tables support (required for filtering/masq/NAT)
<*> limit match support
<*> MAC address match support
<*> Condition variable match support
<*> HL match support
<*> Routing header match support (EXPERIMENTAL)
<*> Hop-by-Hop and Dst opts header match (EXPERIMENTAL)
<*> Fragmentation header match support (EXPERIMENTAL)
<*> Multiple port match support
<*> Owner match support (EXPERIMENTAL)
<*> netfilter MARK match support
<*> Packet Length match support
<*> EUI64 address check (EXPERIMENTAL)
<*> AH/ESP match support (EXPERIMENTAL)
<*> IPv6 Extension Headers Match (EXPERIMENTAL)
<*> Packet filtering
<*> HL target support
<*> LOG target support
<*> REJECT target support
<*> Packet mangling
<*> MARK target support
Then compile the kernel and copy it to /boot.
BEFORE you reboot, emerge the things that get messed up by a new kernel (iptables, nvidia-kernel etc.).
Reboot to use the new kernel.
2: Obtaining an IPv6 segment
First, go to http://ipng.org.uk/ and click signup, fill in all the required information and submit it.
Now wait about 3 minutes, and you should be able to log in.
Now you have to submit the address of your reverse DNS; read on the page how to set this up.
Once this is set up correctly, your information will look like this:
Your IPv6 prefix is: 2001:618:4:1234::/64
Your ipv6 tunnel end ip is: 2001:618:4:2000::1235
The IPNG ipv6 tunnel end ip is: 2001:618:4:2000::1236
The IPNG ipv4 tunnel end ip is: 213.253.1.201
(1234, 1235 and 1236 will be different for you)
If your IPv6 prefix is: ::/64, then you still need to submit your reverse DNS.
If this is done, then congratulations, you just got your own private IPv6 segment.
3: Installing the needed utilities
These utilities are needed, so emerge those you don't have:
4: Making the script to make it work
Here is the init script I use; it is called net.ipv6:
Code:
#!/sbin/runscript
depend() {
    need net
    before iptables
}
start() {
    ebegin "Starting up IPv6"
    einfo "Setting up tunnel"
    /sbin/ip tunnel add ipng mode sit ttl 64 remote 213.253.1.201
    einfo "Bringing ipng up"
    /sbin/ifconfig ipng up
    einfo "Adding IPv6 address to ipng"
    /sbin/ifconfig ipng add 2001:618:4:2000::1235/128
    einfo "Adding IPv6 address to eth1"
    /sbin/ifconfig eth1 add 2001:618:4:1234::1/64
    einfo "Adding default route"
    /sbin/ip ro add 2000::/3 dev ipng
    eend 0
}
stop() {
    ebegin "Shutting down IPv6"
    einfo "Removing default route"
    /sbin/ip ro del 2000::/3 dev ipng
    einfo "Removing IPv6 address from eth1"
    /sbin/ifconfig eth1 del 2001:618:4:1234::1/64
    einfo "Removing IPv6 address from ipng"
    /sbin/ifconfig ipng del 2001:618:4:2000::1235/128
    einfo "Bringing ipng down"
    /sbin/ifconfig ipng down
    einfo "Removing tunnel"
    /sbin/ip tunnel del ipng
    eend 0
}
Save it as /etc/init.d/net.ipv6 and do a:
Code: rc-update add net.ipv6 default
(It has a little bug when shutting down, but that doesn't do any harm.) (If people don't understand what I mean with the (text)/128, please tell me, and I'll try to explain it a bit better.) (I know the header of the init script is missing; this is because I don't know how to make it "The Gentoo Way".)
So far, so good. Now we need to edit /etc/conf.d/iptables and enable IPv6 forwarding.
5: Final stuff to be done
If you have an iptables firewall that by default blocks traffic coming from the outside, you will need to add this one to it:
Code: iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT
(eth0 = your external interface)
6: Testing it
First, reboot to make sure network and tunnel get started with the system, and without errors.
Once the system is up, go here: http://ipng.org.uk/lg.cgi and select ping6 as the tool, and write this in the textbox: 2001:618:4:1234::1 .
If everything goes well, it will ping you and get an answer back.
7: Setting up clients to use the router with IPv6
Since we don't use masquerading, every client will have its own public IPv6 address. If people want to firewall traffic, it can be done on the router between the ipng and the eth1 interface with the ip6tables command; man ip6tables for more info on this subject.
Well, back to getting the clients up and running.
Windows 2000/XP
Well, somebody might still be using this.
Get a command prompt and do this:
Then do this:
Now find your network interface and remember what number it has (normally 4). (X in the script a bit below is this number)
After doing this, it should have installed the IPv6 stack; now make a .bat file for giving your NIC an IPv6 address.
Code:
ipv6 rtu 2002::/16 X
ipv6 adu X/2001:618:4:1234::2
ipv6 rtu ::/0 X/2001:618:4:1234::1 pub life 1800
Now create a shortcut to this .bat file in your startup folder.
Linux
I haven't yet made a client IPv6 init script, but it only has to run these 2 commands:
Code:
ifconfig eth0 add 2001:618:4:1234::2/64
route -A inet6 add 2000::/3 gw 2001:618:4:1234::1
(eth0 = interface connected to eth1 on the router/firewall)
That should complete this. PLEASE give me feedback on this one.
_________________
Queen Rocks.
Last edited by GurliGebis on Thu May 08, 2003 2:05 pm; edited 1 time in total
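Section 7 says filtering can be done on the router between ipng and eth1 with ip6tables, and section 5 opens the IPv4 firewall for all protocol-41 traffic. As an added example (not the guide's own code), here is a stateless ip6tables ruleset for that router together with a tighter version of the IPv4 rule; it assumes the prefix 2001:618:4:1234::/64 and tunnel endpoint 213.253.1.201 from the post, a 2.4 kernel without IPv6 connection tracking, and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the guide's own code: stateless ip6tables rules for the router
# in the first post (tunnel interface ipng, LAN interface eth1), plus a narrower form
# of the guide's "iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT".
# Assumptions: prefix and tunnel endpoint taken from the post; no IPv6 conntrack on a
# 2.4 kernel, so return traffic is matched with "! --syn". Dry run unless APPLY=1.
PREFIX="2001:618:4:1234::/64"
TUNNEL_V4="213.253.1.201"
LAN="eth1"; TUN="ipng"; WAN="eth0"

rule() {
    # Print the command in dry-run mode, execute it when APPLY=1.
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

ipv6_rules() {
    rule ip6tables -F FORWARD
    rule ip6tables -P FORWARD DROP
    # Anti-spoofing first: packets claiming our own prefix must never arrive from the tunnel.
    rule ip6tables -A FORWARD -i "$TUN" -s "$PREFIX" -j DROP
    # ICMPv6 carries neighbour discovery and Path MTU discovery; dropping it breaks IPv6.
    rule ip6tables -A FORWARD -p icmpv6 -j ACCEPT
    # Only our own prefix may leave through the tunnel (no relaying for other prefixes).
    rule ip6tables -A FORWARD -i "$LAN" -o "$TUN" -s "$PREFIX" -j ACCEPT
    # Stateless stand-in for "established": TCP replies to LAN-initiated sessions never
    # carry a bare SYN. UDP replies (e.g. DNS) would need their own explicit rules.
    rule ip6tables -A FORWARD -i "$TUN" -o "$LAN" -d "$PREFIX" -p tcp ! --syn -j ACCEPT
    # Services deliberately published on the LAN (constructed example: SSH to one host).
    rule ip6tables -A FORWARD -i "$TUN" -o "$LAN" -d 2001:618:4:1234::2 -p tcp --dport 22 -j ACCEPT
    # Everything else coming in from the tunnel is logged and then hits the DROP policy.
    rule ip6tables -A FORWARD -i "$TUN" -o "$LAN" -j LOG --log-prefix "ip6-fwd-drop: "
}

ipv4_tunnel_rule() {
    # Only the IPNG endpoint may deliver 6in4 (protocol 41) packets to the router,
    # instead of accepting encapsulated IPv6 from any IPv4 source.
    rule iptables -A INPUT -i "$WAN" -p ipv6 -s "$TUNNEL_V4" -j ACCEPT
}

ipv6_rules
ipv4_tunnel_rule
```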
69link (n00b)
Joined: 18 Apr 2003 Posts: 53 Location: Sweden
Posted: Wed May 07, 2003 2:19 pm
Great guide.
I followed it and was up in no time.
But this is my first experience with ipv6 and I don't know what to do with it yet.
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed May 07, 2003 2:54 pm
hehe, I use it to be able to connect directly to my machines behind my router.
zingit (n00b)
Joined: 08 May 2003 Posts: 8 Location: London, England
Posted: Thu May 08, 2003 2:52 pm Post subject: Excellent
Followed the guide easily enough, got it working!! yay!
Few pitfalls though:
Make sure you put the right numbers in the right places; it's very easy to mix up the tunnel IPv6 addresses.
When compiling your kernel, be sure to miss out
Code: [ ] IP: IPv6 over IPv4 tunneling support (replaces sitXX devices)
this option, as it will produce errors from the init script like
Code: ioctl: No such device
I seem to be having problems putting the Windows setup lines into a batch file (the first line of the script is repeated until Ctrl+C'ed). If anyone has any idea, please post (I'm not that good at Windows).
If you're looking at the init script, it really does mean eth1, not eth0. Honest. Don't change it or it won't work (unless your internal NIC is something other than eth1).
Have fun with IPv6,
zingit
robbat2 (Developer)
Joined: 19 Feb 2003 Posts: 82
Posted: Mon May 12, 2003 8:20 am
One request for an addition to this:
what DHCP stuff can be done to hand out IPv6 addresses automatically to your internal network?
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon May 12, 2003 8:33 am
AFAIK no IPv6 stuff can be done over DHCP yet.
robbat2 (Developer)
Joined: 19 Feb 2003 Posts: 82
Posted: Mon May 12, 2003 8:35 am
Look up neighbour discovery and router discovery for IPv6.
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Mon May 12, 2003 8:37 am
hehe, it would be great if ISC's DHCPD could give out IPv6 addresses too, but it might happen some day.
IWBCMAN (Guru)
Joined: 25 Jun 2002 Posts: 474
Posted: Mon May 12, 2003 9:11 am
Ok, braindead questions.....
Does one have to have their own DNS with a static IP to do this (i.e. I use dyndns....)?
I am unfortunately so ignorant as to not even know whether this IP4 stuff is necessary to work with IP6.....
Does one have to have their own domain registered on the internet?
Does anybody here wish to elaborate a little on the whole IP6 thing.... I have read some stuff about it and have an ultra vague understanding of what it is about (i.e. much larger address space, no need for NAT, coupling IP6/IP4 via a NAT-6:4...) but I am an absolute noob about this stuff...
IWBCMAN (Guru)
Joined: 25 Jun 2002 Posts: 474
Posted: Wed May 14, 2003 8:54 am
Ok, I guess my questions were too dumb....
Still would love some feedback though.....
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed May 14, 2003 3:30 pm
I have a dynamic IP; I just change it on their website when it changes (happens once or twice a year).
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Sun Jun 01, 2003 10:45 pm
About the client script.
Just add the two lines of code to /etc/conf.d/local.start, and they will be executed as the last thing at bootup. (Why am I telling you this? People already know this.)
wlkerboh (n00b)
Joined: 30 Mar 2003 Posts: 3
Posted: Tue Jun 24, 2003 10:30 pm Post subject: radvd
Install radvd for ipv6 auto-conf. Just make sure to edit the conf file to hand out your IP addresses and not someone else's.
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jun 25, 2003 11:49 am
Does radvd have an option to give a specific ipv6 address to a specific MAC address, like DHCPD has?
wlkerboh (n00b)
Joined: 30 Mar 2003 Posts: 3
Posted: Wed Jun 25, 2003 12:33 pm
Not that I've seen. radvd announces the link global prefix (the network portion of the address). An ipv6 capable host takes this and the MAC address to produce a usable IP address. Of course you still have the option of static IP addresses for servers.
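The thread recommends radvd for autoconfiguration but never shows its configuration. As an added example (not from any poster), here is a small script that emits a radvd.conf advertising the guide's eth1 prefix; it assumes the prefix 2001:618:4:1234::/64 and interface eth1 from the first post, and check_prefix is a hypothetical guard of my own, not a radvd feature.

```shell
#!/bin/sh
# Added example, not from the thread: generate a radvd.conf for the LAN side of the
# router so hosts autoconfigure from the prefix the guide puts on eth1. Output goes to
# stdout; redirect it to /etc/radvd.conf yourself. Prefix and interface are assumed
# from the first post; check_prefix is a hypothetical guard, not part of radvd.
PREFIX="2001:618:4:1234::/64"
LAN="eth1"

# Refuse two mistakes the thread warns about: the IPNG panel still showing the
# unassigned ::/64, and a prefix that is not a /64 (EUI-64 autoconfiguration needs
# exactly 64 bits of interface identifier). Ownership cannot be checked here: the
# prefix must be the one delegated to you, not someone else's.
check_prefix() {
    case "$1" in
        ::/64) return 1 ;;
        *:*/64) return 0 ;;
        *) return 1 ;;
    esac
}

radvd_conf() {
    check_prefix "$1" || { echo "refusing to advertise prefix '$1'" >&2; return 1; }
    cat <<EOF
interface $2
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix $1
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

radvd_conf "$PREFIX" "$LAN"
```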
clumsyninja (n00b)
Joined: 27 Jun 2003 Posts: 61 Location: North Texas
Posted: Sat Jul 05, 2003 4:21 pm
I understand why ipv6 is being implemented, but I have an additional question (one that I can't seem to find an answer to after spending some time googling around).
Are there any performance gains to using ipv6 in your experience? Does it play nicely with ipv4? Would I carry both an ipv4 address and an ipv6 address? Can I go with ipv4 on my internal network (no worries about running out of ip addresses here) and ipv6 on my external device? Wtf happened to ipv5?
I figured asking people who really use it is probably the best way to find out.
Thanks in advance for any replies.
_________________
katana root # cat /proc/sys/kernel/osrelease
2.4.20-gentoo-r7
wlkerboh (n00b)
Joined: 30 Mar 2003 Posts: 3
Posted: Thu Jul 17, 2003 3:59 am
clumsyninja wrote:
    are there any performance gains to using ipv6 in your experience? does it play nicely with ipv4?
Haven't done any performance tests. Feels just as fast as v4. Might be a few cycles slower due to longer addresses, but nothing that you and I are likely to notice.
clumsyninja wrote:
    would i carry both an ipv4 address and an ipv6 address?
Each version is a unique network stack. Sort of like running IPX and IP on the same wire. There are provisions in the spec for a v6-only host to communicate with a v4-only host, but I haven't played with that aspect yet.
clumsyninja wrote:
    can i go with ipv4 on my internal network and ipv6 on my external device?
Could, but why? v6 is designed to operate with many IP addresses per interface, each with a different scope: link (aka local) or global. If you were using v6 internally and only v4 externally (no 6to4 tunnels), your router would have to NAT. I'm sure this functionality exists somewhere, I haven't bothered looking for it though.
clumsyninja wrote:
    wtf happend to ipv5?
Already assigned to a now defunct test protocol. Google for this and you will come up with a more detailed answer.
depptr0tt (n00b)
Joined: 21 May 2003 Posts: 16
Posted: Tue Aug 12, 2003 11:41 am
Hmm, does this share internet?
I mean, does eth0 give eth1 access to the internet, or what should I add in iptables then?
Redeeman (l33t)
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
Posted: Wed Jun 09, 2004 1:59 pm
There's a tool called radvd that works as an ipv6 replacement for dhcp.
GurliGebis (Retired Dev)
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jun 09, 2004 2:01 pm
Yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?
ryceck (Apprentice)
Joined: 13 Jan 2004 Posts: 195
Posted: Thu Jun 24, 2004 2:58 pm
GurliGebis wrote:
    Yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?
No it isn't, but you could take a look at dhcpv6. I wasn't able to compile it myself, but theoretically dhcpv6 should be able to assign ipv6 addresses on a MAC basis.