pantz.org is now IPv6
Posted on 02-12-2012 23:02:08 UTC | Updated on 02-12-2012 23:23:44 UTC
Section: /software/tcpip/ | Permanent Link

Getting IPv6 connected

I thought it would be fun to get pantz.org up and rolling on IPv6 before the next World IPv6 Day. My hosting company, Linode, offers IPv6 now, and they made it very easy to get going: I clicked a link in my control panel to turn it on and then rebooted. The address was assigned to the interface by DHCP on boot. Below is ifconfig output for an interface running both IPv4 and IPv6.

eth0      Link encap:Ethernet  HWaddr ff:ff:de:ad:be:ef  
          inet addr:74.207.225.175  Bcast:74.207.225.255  Mask:255.255.255.0
          inet6 addr: 2600:3c02::f03c:91ff:fe93:9678/64 Scope:Global
          inet6 addr: fe80::f03c:91ff:fe93:9678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ....

Now that we have a native IPv6 address, we need to test whether it works. Google has an IPv6 website that you can use to test this. Just use the IPv6 version of ping, and you should see a response if everything is set up correctly. Example: ping6 ipv6.google.com.

IPv6 firewall

Let's get some IPv6 firewalling going. On Linux, iptables is the packet filter you use for IPv4; for IPv6 you need ip6tables. The two are very close, so you can reuse most of your current IPv4 rules. One interesting note: as of right now ip6tables does not support NAT, and according to the developers it is unlikely it ever will, so keep that in mind.

Below is an example of firewalling with ip6tables. It is a bash script written to go in the /etc/init.d directory, and it responds to the start, stop and restart commands to load or clear the rules. I called mine ip6tables. Create the file in /etc/init.d. If you're running a Debian-based system (Ubuntu and such), run chmod 700 /etc/init.d/ip6tables; update-rc.d ip6tables defaults on the file to have it start on boot.

#!/bin/bash
#
# IPv6 firewall rules for /etc/init.d/ip6tables
#

######################################################################
function on {
    echo "Firewall: enabling filtering"

    # Clear any previous rules.
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -X
    # Default drop policy.
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP

    # Allow anything over loopback.
    ip6tables -A INPUT  -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT

    # Allow link-local sources (neighbor discovery and router advertisements use them).
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT

    # Drop packets with a type 0 routing header.
    ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

    # Drop any TCP packet that does not start a connection with a SYN flag.
    ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Drop any invalid packet that could not be identified by connection tracking.
    ip6tables -A INPUT -m state --state INVALID -j DROP

    # Drop packets with bogus TCP flag combinations.
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP

    # Reject packets addressed to the link-local all-nodes multicast group.
    ip6tables -A INPUT -d ff02::1 -j REJECT

    # Allow TCP/UDP connections out. Keep state so replies to them are allowed back in.
    ip6tables -A INPUT  -p tcp -m state --state ESTABLISHED     -j ACCEPT
    ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    ip6tables -A INPUT  -p udp -m state --state ESTABLISHED     -j ACCEPT
    ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow ICMPv6 in and out. ICMP has a much more significant and essential role in
    # IPv6 because of the new functionality it carries (neighbor discovery, path MTU
    # discovery), so it is left open for now.
    ip6tables -A INPUT   -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT  -p ipv6-icmp -j ACCEPT
    ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT

    # Allow HTTP connections in. Comment this out if the host is not a web server.
    ip6tables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

    # Drop everything that did not match above and log it.
    ip6tables -A INPUT   -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
    ip6tables -A INPUT   -j DROP
    ip6tables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
    ip6tables -A FORWARD -j DROP
    ip6tables -A OUTPUT  -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
    ip6tables -A OUTPUT  -j DROP
}
######################################################################
function off {
    # Disable filtering entirely: flush rules and open the default policies.
    echo "Firewall: disabling filtering (allowing all access)"
    ip6tables -F
    ip6tables -F -t mangle
    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # Block all external connections, leaving only loopback traffic.
    # Chain policies can only be ACCEPT or DROP, so DROP is used here.
    echo "Firewall: stopping all external connections"
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Allow anything over loopback.
    ip6tables -A INPUT  -i lo -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
}

case "$1" in
    start)
        on
        ;;
    stop)
        off
        ;;
    restart)
        off
        on
        ;;
    off)
        # "off" on the command line runs the lockdown function above.
        stop
        ;;
    *)
        echo "$0 {start|stop|restart|off}"
        echo "start   executes the primary ruleset"
        echo "stop    disables all filtering"
        echo "restart clears, then enables the ruleset"
        echo "off     disables all non-loopback connections"
        ;;
esac
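The ruleset above can be spot-checked without reading it rule by rule. The following shell function is an added example, not part of the original init script: it reads rule specs in the format ip6tables -S prints (on a live host: ip6tables -S | audit_ip6tables_rules) and reports which of the properties the script is meant to establish are missing, printing the count of failed checks on stdout. The two sample rulesets are constructed here so the check runs offline without root; audit_ip6tables_rules, ip6_required_checks and the sample function names are my own, not anything from the post.

```shell
#!/bin/sh
# Added example: audit an ip6tables ruleset (as printed by `ip6tables -S`)
# for the properties the init script above is meant to establish.

# Checks as "description|extended regex". A check passes when at least one
# rule line matches its regex. The regexes contain no '|' so each line can
# be split on that character.
ip6_required_checks() {
    cat <<'EOF'
default INPUT policy is DROP|^-P INPUT DROP$
default FORWARD policy is DROP|^-P FORWARD DROP$
default OUTPUT policy is DROP|^-P OUTPUT DROP$
type 0 routing header dropped on INPUT|^-A INPUT .*--rt-type 0 .*-j DROP$
ICMPv6 accepted on INPUT|^-A INPUT .*-p ipv6-icmp .*-j ACCEPT$
established TCP replies accepted on INPUT|^-A INPUT .*-p tcp .*--state ESTABLISHED .*-j ACCEPT$
unmatched INPUT traffic logged before the drop|^-A INPUT .*-j LOG( |$)
EOF
}

# audit_ip6tables_rules: reads the ruleset on stdin, prints one MISSING line
# per failed check to stderr and the number of failed checks to stdout.
audit_ip6tables_rules() {
    rules=$(cat)
    failures=0
    while IFS='|' read -r name regex; do
        [ -n "$regex" ] || continue
        if ! printf '%s\n' "$rules" | grep -Eq -- "$regex"; then
            echo "MISSING: $name" >&2
            failures=$((failures + 1))
        fi
    done <<EOF
$(ip6_required_checks)
EOF
    echo "$failures"
}

# Constructed sample: roughly what `ip6tables -S` prints after the start action.
sample_ruleset_good() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s ::1/128 -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT_INPUT: " --log-level 4
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A OUTPUT -d ::1/128 -o lo -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
EOF
}

# Constructed sample: a weakened ruleset (open INPUT policy, no ICMPv6, no logging).
sample_ruleset_weak() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP
EOF
}

# On a live host: ip6tables -S | audit_ip6tables_rules
echo "good ruleset, failed checks: $(sample_ruleset_good | audit_ip6tables_rules)"
echo "weak ruleset, failed checks: $(sample_ruleset_weak | audit_ip6tables_rules 2>/dev/null)"
```

The check list is deliberately about properties rather than exact rule text, so it still passes when rule order or match modules differ (for example conntrack instead of state), as long as the regexes are adjusted to the syntax your ip6tables prints.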

Getting the webserver working

I use Nginx for my web server, so I had to change its config to have it listen on IPv6. First check that your Nginx build supports IPv6 with the command nginx -V; the output should include "--with-ipv6". After verifying that IPv6 is compiled in, we can change the config. I put my IPv6 listen statement in the config and restarted. On restart the following error showed up:

[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: still could not bind()

I believe this error relates to how a modern version of Linux uses a hybrid dual-stack implementation of IPv4 and IPv6. To fix it I had to put ipv6only=on on the IPv6 listen line, or Nginx would throw that error and not start. The new line tells Nginx to open a port in hybrid sockets mode. The final working line is below. There are other lines in the server {} block; I'm only showing the IPv6 and IPv4 listen lines. Restart Nginx after you put the IPv6 line in.

server {
    ...
    listen      *:80;
    listen      [::]:80 default ipv6only=on;
    ...
}

For every virtual server after the default server has been set (like above), you only need the following listen lines, which don't reference the default server or ipv6only.

server {
    ...
    listen      *:80;
    listen      [::]:80;
    ...
}
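The mechanism behind the bind error: on Linux a socket bound to [::]:80 without the IPV6_V6ONLY socket option also accepts IPv4 connections, so it claims 0.0.0.0:80 and collides with the separate *:80 socket. ipv6only=on sets IPV6_V6ONLY on the [::]:80 socket, which is why the two listen lines then coexist; the option applies to the one shared listening socket for that address and port, which is why the later virtual servers above can omit it. Since nginx 1.3.4 ipv6only=on is the default, so the conflict only appears on older builds like the one in this post. The shell function below is an added example (not from the post or from the nginx project): it reads an nginx configuration on stdin and reports every port that has both an IPv4 listen and a [::] listen with no ipv6only=on anywhere for that port, printing the number of findings on stdout. The two configuration samples are constructed; lint_nginx_listen and the sample function names are my own.

```shell
#!/bin/sh
# Added example: find IPv4/IPv6 listen pairs in an nginx config that would hit
# "Address already in use" on a pre-1.3.4 nginx (ipv6only off by default).
# Reads the config on stdin, writes findings to stderr and the count to stdout.
lint_nginx_listen() {
    awk '
    $1 == "listen" {
        addr = $2
        sub(/;$/, "", addr)                      # strip the directive terminator
        if (addr ~ /^\[::\]/) {                  # IPv6 wildcard socket, e.g. [::]:80
            port = addr
            sub(/^\[::\]:?/, "", port)
            if (port == "") port = "80"          # bare "[::]" means port 80
            v6[port] = 1
            if (tolower($0) ~ /ipv6only=on/) v6only[port] = 1
        } else if (addr !~ /^\[/) {              # IPv4 forms: *:80, 0.0.0.0:80 or bare 80
            port = addr
            sub(/^.*:/, "", port)
            v4[port] = 1
        }
        # A specific IPv6 address such as [2001:db8::1]:80 does not claim the
        # IPv4 port, so it is ignored.
    }
    END {
        bad = 0
        for (p in v6) {
            if ((p in v4) && !(p in v6only)) {
                print "port " p ": [::]:" p " has no ipv6only=on but an IPv4 listen shares the port" > "/dev/stderr"
                bad++
            }
        }
        print bad
    }'
}

# Constructed sample: the naive config that produced the bind() error.
sample_conf_conflicting() {
    cat <<'EOF'
server {
    server_name pantz.org;
    listen      *:80;
    listen      [::]:80;
}
server {
    server_name www.pantz.org;
    listen      *:80;
    listen      [::]:80;
}
EOF
}

# Constructed sample: the fix from the post, ipv6only=on on the default server
# only; the second virtual server reuses the same socket and needs nothing extra.
sample_conf_fixed() {
    cat <<'EOF'
server {
    server_name pantz.org;
    listen      *:80;
    listen      [::]:80 default ipv6only=on;
}
server {
    server_name www.pantz.org;
    listen      *:80;
    listen      [::]:80;
}
EOF
}

# On a current nginx, the full effective config comes from: nginx -T | lint_nginx_listen
echo "conflicting config, findings: $(sample_conf_conflicting | lint_nginx_listen 2>/dev/null)"
echo "fixed config, findings:       $(sample_conf_fixed | lint_nginx_listen)"
```

Feed the lint the whole configuration rather than a single server block: the property being checked is per port across all virtual servers, exactly as the post describes.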

IPv6 DNS records

With IPv6 you have to use an AAAA record ("quad A") instead of an A record. The DNS entry is otherwise the same; you're just using three more A's for the record type. Update your DNS server with that record and then test it with dig. An example of that test looks like the following.

> dig @ns1.linode.com www.pantz.org aaaa 

....

;; QUESTION SECTION:
;www.pantz.org.			IN	AAAA

;; ANSWER SECTION:
www.pantz.org.		86400	IN	AAAA	2600:3c02::f03c:91ff:fe93:9678

....

Check if your site is working

After your quad A record is in, people should be able to reach your website over IPv6. If you don't have an IPv6 connection yourself, you can check your site's connectivity with http://ipv6-test.com. If that site says it was successful, congratulations, you're up and rolling. Check your web server logs for access from an IPv6 address, then make sure the resulting status code for that access was 200 OK.
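The last step, checking the logs, can be scripted. This shell function is an added example, not from the post: it reads access log lines in the common or combined format on stdin, treats any client address containing a colon as IPv6 (dotted IPv4 addresses have none), pulls the status code from the field after the quoted request line, and prints two numbers: how many requests came from IPv6 clients and how many of those got a 2xx status. The log lines are constructed for the example using documentation-prefix addresses; count_ipv6_hits and sample_access_log are my names.

```shell
#!/bin/sh
# Added example: confirm IPv6 clients are reaching the site and getting 2xx
# answers, from access log lines on stdin. Prints "<ipv6 requests> <ipv6 2xx>".
count_ipv6_hits() {
    awk '
    {
        client = $1
        status = ""
        # The status code is the 3-digit field right after the quoted request line.
        if (match($0, /" [0-9][0-9][0-9] /)) status = substr($0, RSTART + 2, 3)
        if (index(client, ":") > 0) {            # IPv6 literal; IPv4 has no colon
            v6++
            if (status ~ /^2/) v6ok++
        }
    }
    END { printf "%d %d\n", v6, v6ok }'
}

# Constructed sample log lines in nginx combined format (2001:db8::/32 and
# 203.0.113.0/24 are documentation ranges, not real clients).
sample_access_log() {
    cat <<'EOF'
2001:db8:1::42 - - [12/Feb/2012:23:02:08 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2012:23:02:09 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
2001:db8:1::42 - - [12/Feb/2012:23:02:10 +0000] "GET /missing HTTP/1.1" 404 169 "-" "Mozilla/5.0"
2001:db8:2::7 - - [12/Feb/2012:23:03:00 +0000] "GET /software/ HTTP/1.1" 200 2048 "-" "curl/7.22.0"
EOF
}

# On a live host: count_ipv6_hits < /var/log/nginx/access.log
echo "ipv6 requests and 2xx responses: $(sample_access_log | count_ipv6_hits)"
```

A non-zero first number with a zero second number is the case worth investigating: IPv6 clients reach the server but the virtual server answering on [::]:80 is not the one you expect.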

Interesting things I learned about IPv6

