
Deploying an IPv6 Internet Enabled Network Part 1

This is the first in a two-part series of blog posts dealing with the configuration and deployment of an IPv6 internet enabled network without the need for an ISP that supports IPv6.

What you will need

  • A spare physical or virtual server that can be used as a Linux based router
    • In this case I was using a virtual machine on XenCenter with 256 MB of RAM

This can be done with just a desktop. However, if you only want to configure a single node for IPv6 internet connectivity, I would recommend setting up an account with a tunnel broker such as Hurricane Electric (http://tunnelbroker.net/) and following their documentation.

Configure IPv6 connectivity on the Router

Step 1 – Prepare your Router

A basic installation of Linux can be used as long as it includes IPv6 support in the kernel. In this instance I used Ubuntu 10.10 Server with a basic install and didn’t have to install any additional packages apart from OpenSSH-Server for SSH access.

Step 2 – Sign up with an IPv6 broker

In theory you could use any IPv6 broker, but the example here assumes that you are using Hurricane Electric's free service (http://tunnelbroker.net/). A list of brokers can be found on Wikipedia at http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers.

Note: Hurricane Electric have documentation on their site once you have signed up which tells you how to configure your tunnel but I found that they instructed you to create 2 connections (sit0, sit1) which I later found were not needed.

Step 3 – Tunnel Configuration

Edit your /etc/network/interfaces as root and add the following to the end of the file, replacing the placeholders with the values from your IPv6 tunnel:

# bring the tunnel up at boot and whenever networking is restarted
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
 endpoint <Server IPv4 Address>
 address <Client IPv6 Address>
 netmask 64
 up ip -6 route add default dev he-ipv6
 down ip -6 route del default dev he-ipv6

You can now restart networking with “sudo /etc/init.d/networking restart” to enable the new connection. At this point the router has IPv6 connectivity to the internet. Be aware that the tunnel address is globally routable and no ip6tables rules are in place yet, so by default everyone on the internet with an IPv6 address will be able to access the system. Configure the firewall in Step 4 straight away.

Step 4 – Configure iptables firewall

You can configure the firewall much as you would for IPv4, except that you must use the command “ip6tables” instead of “iptables”. The example below denies all inbound traffic but allows outbound traffic:

# INPUT: traffic arriving on the tunnel that is addressed to the router itself
ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -j DROP
# FORWARD: traffic arriving on the tunnel that is routed on to other hosts
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -j DROP

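The rules are evaluated in order and the first match wins. They reject new connections from the internet to TCP port 113 (ident) by returning an ICMPv6 port-unreachable status, accept all traffic belonging to connections which originated internally, and drop all other traffic arriving on the tunnel, pings included.

Note that the rules above include FORWARD rules, which will be used in part two when enabling routing for IPv6 LAN clients.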
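As an added example (not part of the original post), the shell function below checks that a rule set really is default-deny on the tunnel interface, which is worth confirming before leaving the tunnel from Step 3 up. The function name audit_chain and both sample rule sets are constructed for illustration; FRESH_RULES assumes the default ACCEPT policies of a system with no rules loaded.

```shell
#!/bin/sh
# audit_chain CHAIN IFACE < rules
# Input: the ip6tables commands from Step 4, or `ip6tables -S` output.
# Exit 0 only if packets arriving on IFACE reach a catch-all DROP in CHAIN
# (or the chain policy is DROP) with no accept-all rule in front of it, and
# a RELATED,ESTABLISHED accept lets replies to outbound traffic back in.
# Only rules bound to IFACE with -i are considered; first match wins.
audit_chain() {
    awk -v chain="$1" -v ifc="$2" '
        { sub(/^ *ip6tables +/, ""); $1 = $1 }   # accept typed commands too
        $1 == "-P" && $2 == chain && $3 == "DROP" { policy = 1 }
        $1 == "-A" && $2 == chain && !drop {
            line = " " $0 " "
            gsub(/ -[sd] ::\/0/, "", line)        # ::/0 matches any address
            if (index(line, " -i " ifc " ") == 0) next
            if (line ~ /state [A-Z,]*ESTABLISHED/ && line ~ / -j ACCEPT /) est = 1
            if (line == " -A " chain " -i " ifc " -j ACCEPT ") wide = 1
            if (line == " -A " chain " -i " ifc " -j DROP ") drop = 1
        }
        END {
            if (wide || (!drop && !policy)) {
                print chain ": " ifc " is not default-deny"; exit 1
            }
            if (!est) { print chain ": no RELATED,ESTABLISHED accept"; exit 1 }
            print chain ": ok"
        }'
}

# Constructed input: the six rules from Step 4 as typed.
PAGE_RULES='ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -s ::/0 -d ::/0 -i he-ipv6 -j DROP
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -s ::/0 -d ::/0 -i he-ipv6 -j DROP'

# Constructed input: assumed state after Step 3, before any rule is loaded.
FRESH_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

for c in INPUT FORWARD; do
    printf '%s\n' "$PAGE_RULES" | audit_chain "$c" he-ipv6
done
printf '%s\n' "$FRESH_RULES" | audit_chain INPUT he-ipv6 || true
```

On the router itself the live rules can be piped in with “sudo ip6tables -S | audit_chain INPUT he-ipv6”.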

Step 5 – Configure an IPv6 nameserver

If you are using a Hurricane Electric account you can set your DNS server as follows. If you are using another tunnel provider, please check with the provider for DNS settings.

Edit the file /etc/resolv.conf:

nameserver 2001:470:20::2

Finally, restart networking again with “sudo /etc/init.d/networking restart”. You should now be able to ping the name server using the “ping6” Linux command, and if you are using a graphical system you should also be able to access Google via IPv6 at http://ipv6.google.com

Summary

Following the stages above will give you a system which is capable of tunnelling IPv6 traffic over an existing IPv4 only connection and out to the internet. At the moment only the system itself will have access but in part 2 we will enable the system to act as a router for other IPv6