Sunday, October 17, 2010

79228162514264337593543950336 addresses

My subnet request got approved! Let's go through some of the details.

Naturally, the first thing to set up was the firewall (because the best way to implement security is from the start). After hacking together bits and pieces from various scripts on the net, I managed to put together something that let everything out and only ssh in.

# Always accept loopback traffic
ip6tables -A INPUT -i lo -j ACCEPT

# Always accept traffic from the inside (LAN interface)
ip6tables -A INPUT -i eth1 -j ACCEPT
# Allow all ICMPv6 traffic (IPv6 depends on it for neighbour discovery and path MTU discovery)
ip6tables -A INPUT -p icmpv6 -j ACCEPT

# Create the chains that handle new inbound and new forwarded connections
ip6tables -N in-new
ip6tables -N fw-new

# Strict sixxs: accept replies to established flows, hand new connections to the chains above
ip6tables -A INPUT -i sixxs -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i sixxs -m state --state NEW -j in-new
ip6tables -A FORWARD -i sixxs -o eth1 -m state --state NEW -j fw-new

# Inbound sixxs connections to this host: ssh and DNS only
ip6tables -A in-new -p tcp -m tcp --dport 22 --syn -j ACCEPT
ip6tables -A in-new -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A in-new -j REJECT
# No new connections from the tunnel are forwarded to the inside
ip6tables -A fw-new -j REJECT

# Reject everything else arriving on the tunnel
ip6tables -A INPUT -i sixxs -j REJECT
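Rulesets like this are easy to get subtly wrong (a rule that never matches, a chain that falls through to the default policy), so it is worth auditing the result rather than trusting the script. The following is an added example, not part of the original post: it parses the text that `ip6tables-save` prints and answers, for one interface, which destination ports can reach ACCEPT, whether ICMPv6 is let in, and what happens to traffic that no specific rule handles. The dump embedded below is constructed to mirror the rules above (the tool writes icmpv6 as ipv6-icmp and expands --syn); it was not captured from a real host, and the built-in policies shown are the kernel defaults, which the script above does not change.

```python
"""Audit an ip6tables-save dump: what does traffic from a given interface reach?"""
import shlex

# Constructed sample: roughly what `ip6tables-save` prints for the ruleset above
# (the tool expands --syn to --tcp-flags and writes icmpv6 as ipv6-icmp).
# Not captured from a real host; policies are the kernel defaults.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:in-new - [0:0]
:fw-new - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i sixxs -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sixxs -m state --state NEW -j in-new
-A INPUT -i sixxs -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i sixxs -o eth1 -m state --state NEW -j fw-new
-A in-new -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A in-new -p udp -m udp --dport 53 -j ACCEPT
-A in-new -j REJECT --reject-with icmp6-port-unreachable
-A fw-new -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""

# Options that narrow a rule; a rule with none of them matches all traffic on its interface.
MATCH_KEYS = ('-p', '-m', '-s', '-d', '-o', '--state', '--dport', '--sport', '--tcp-flags')
TERMINAL = ('ACCEPT', 'REJECT', 'DROP')


def parse_dump(text):
    """Return (policies, chains): chain -> built-in policy ('-' for user chains),
    and chain -> list of rules, each rule a dict of option -> value."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith('-A '):
            toks = shlex.split(line)[1:]
            rule, i = {}, 1
            while i < len(toks):
                if toks[i] == '--tcp-flags':                    # the one option taking two values
                    rule[toks[i]] = (toks[i + 1], toks[i + 2]); i += 3
                elif i + 1 < len(toks) and not toks[i + 1].startswith('-'):
                    rule[toks[i]] = toks[i + 1]; i += 2
                else:
                    rule[toks[i]] = True; i += 1                # flag without a value
            chains.setdefault(toks[0], []).append(rule)
    return policies, chains


def applies(rule, iface):
    """A rule sees traffic arriving on `iface` if it has no -i or its -i is `iface`."""
    return rule.get('-i') in (None, iface)


def is_catch_all(rule):
    return not any(k in rule for k in MATCH_KEYS)


def exposed_ports(policies, chains, iface, chain='INPUT', seen=frozenset()):
    """Set of (proto, dport) that reach ACCEPT for traffic from `iface` via `chain`.
    Follows jumps into user chains and stops at the first catch-all terminal rule
    for the interface, since nothing after it is reachable. A catch-all ACCEPT
    opens everything; see catch_all_disposition for that case."""
    found, seen = set(), seen | {chain}
    for rule in chains.get(chain, []):
        if not applies(rule, iface):
            continue
        target = rule.get('-j')
        if target == 'ACCEPT' and '--dport' in rule:
            found.add((rule['-p'], int(rule['--dport'])))
        elif target in chains and target not in seen:          # jump into a user chain
            found |= exposed_ports(policies, chains, iface, target, seen)
        if target in TERMINAL and is_catch_all(rule):
            break
    return found


def icmpv6_allowed(policies, chains, iface, chain='INPUT'):
    """IPv6 breaks without ICMPv6 (neighbour discovery, path MTU, router advertisements),
    so check it is accepted before any catch-all reject on this interface."""
    for rule in chains.get(chain, []):
        if not applies(rule, iface):
            continue
        if rule.get('-p') in ('ipv6-icmp', 'icmpv6') and rule.get('-j') == 'ACCEPT':
            return True
        if rule.get('-j') in ('REJECT', 'DROP') and is_catch_all(rule):
            return False
    return policies.get(chain) == 'ACCEPT'      # fell through to the built-in policy


def catch_all_disposition(policies, chains, iface, chain):
    """Fate of traffic from `iface` that no specific rule in `chain` handles:
    the target of the first catch-all rule, else the chain's built-in policy."""
    for rule in chains.get(chain, []):
        if applies(rule, iface) and is_catch_all(rule) and rule.get('-j') in TERMINAL:
            return rule['-j']
    return policies.get(chain)


if __name__ == '__main__':
    pol, ch = parse_dump(SAMPLE_DUMP)
    print('ports open from sixxs:', sorted(exposed_ports(pol, ch, 'sixxs')))
    print('ICMPv6 accepted:', icmpv6_allowed(pol, ch, 'sixxs'))
    for c in ('INPUT', 'FORWARD'):
        print(c, 'unmatched sixxs traffic ->', catch_all_disposition(pol, ch, 'sixxs', c))
```

On a live box, feed it `ip6tables-save` output instead of the constructed dump. Against this ruleset it reports tcp/22 and udp/53 open from the tunnel and ICMPv6 accepted, and it also shows that unmatched INPUT traffic from sixxs is rejected while unmatched FORWARD traffic (anything that is not a NEW connection headed for eth1) lands on the FORWARD policy, which is ACCEPT unless the script sets it otherwise.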


With this set up, the next step was to get DHCP going. Unfortunately it wasn't that simple: address, router and DNS configuration are split across two separate mechanisms. Router advertisement and IP autoconf are done through ICMPv6 (which requires a router advertisement daemon), while DNS and some further IP hints are done through DHCPv6.

I installed radvd, and after some playing ended up with the following conf file:

interface eth1
{
   AdvSendAdvert on;
   AdvManagedFlag on;
   MinRtrAdvInterval 3;
   MaxRtrAdvInterval 10;
   prefix 2001:1234:5678:1::/64
   {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
   };
};


The AdvManagedFlag was something that tripped me up: it tells hosts to still look to DHCPv6 for DNS and further IP hints, while AdvAutonomous means they do global IPv6 autoconf.

Next step was DHCPv6. There were a couple of packages, but I ended up settling for wide-dhcpv6. The config for this looked like so:

option domain-name-servers fe80::4428:200:94:20;

interface eth1 {
        address-pool pool1 3600;
        send domain-name-servers;
};

pool pool1 {
        range 2001:1234:5678:1:cafe:f00d::1000 to 2001:1234:5678:1:cafe:f00d::2000;
};

host gary {
        duid 00:03:00:07:12:7a:34:02:38:a0:9a:47:7f:09;
        address 2001:1234:5678:1:cafe:f00d::123 1800 7200;
};


I was surprised by the DUID entries; I have yet to find out why this is used instead of the MAC address for stateful DHCPv6 setup, but nonetheless it's working now.
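A DUID is not opaque: RFC 8415 defines a handful of formats, and the common ones carry a link-layer address inside them along with the hardware type and, for DUID-LLT, the time the identifier was generated. Decoding them is useful when matching `host` entries like the one above against client logs. This is an added example, not code from the post or from wide-dhcpv6; the DUID-LLT and DUID-EN samples are constructed, and the third value is the DUID from the host entry above, decoded purely according to its bytes.

```python
"""Decode DHCPv6 DUIDs (RFC 8415, section 11) as written in dhcp6s.conf host entries."""
import uuid
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time = seconds since this
HW_TYPES = {1: 'Ethernet', 6: 'IEEE 802', 7: 'ARCNET'}    # IANA ARP hardware types (subset)

# Constructed samples, not taken from a real lease database:
SAMPLE_LLT = '00:01:00:01:14:4c:f9:00:00:11:22:33:44:55'   # DUID-LLT, Ethernet, 2010-10-17 00:00 UTC
SAMPLE_EN = '00:02:00:00:00:09:ca:fe:f0:0d'                # DUID-EN, enterprise 9, 4-byte identifier
# The DUID from the post's host entry; type 3, hardware type and address length as encoded.
POST_DUID = '00:03:00:07:12:7a:34:02:38:a0:9a:47:7f:09'


def _lladdr(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def parse_duid(text):
    """Split a colon-separated DUID into its RFC 8415 fields."""
    raw = bytes.fromhex(text.replace(':', ''))
    if len(raw) < 3:
        raise ValueError('DUID must be at least 3 bytes')
    duid_type = int.from_bytes(raw[:2], 'big')
    if duid_type == 1 and len(raw) >= 8:          # DUID-LLT: hwtype, time, link-layer address
        secs = int.from_bytes(raw[4:8], 'big')
        return {'type': 'DUID-LLT', 'hwtype': int.from_bytes(raw[2:4], 'big'),
                'time': DUID_EPOCH + timedelta(seconds=secs), 'lladdr': _lladdr(raw[8:])}
    if duid_type == 2 and len(raw) >= 6:          # DUID-EN: enterprise number, vendor identifier
        return {'type': 'DUID-EN', 'enterprise': int.from_bytes(raw[2:6], 'big'),
                'identifier': raw[6:].hex()}
    if duid_type == 3 and len(raw) >= 4:          # DUID-LL: hwtype, link-layer address
        return {'type': 'DUID-LL', 'hwtype': int.from_bytes(raw[2:4], 'big'),
                'lladdr': _lladdr(raw[4:])}
    if duid_type == 4 and len(raw) == 18:         # DUID-UUID: 128-bit UUID
        return {'type': 'DUID-UUID', 'uuid': str(uuid.UUID(bytes=raw[2:]))}
    return {'type': f'unknown/malformed (type {duid_type})', 'payload': raw[2:].hex()}


def describe(text):
    """One-line summary, handy when matching dhcp6s host entries to client logs."""
    d = parse_duid(text)
    hw = HW_TYPES.get(d.get('hwtype'), f"hwtype {d.get('hwtype')}")
    if d['type'] == 'DUID-LLT':
        return f"{d['type']} {hw} {d['lladdr']} generated {d['time']:%Y-%m-%d %H:%M UTC}"
    if d['type'] == 'DUID-LL':
        return f"{d['type']} {hw} {d['lladdr']}"
    if d['type'] == 'DUID-EN':
        return f"{d['type']} enterprise {d['enterprise']} id {d['identifier']}"
    return f"{d['type']} {d.get('uuid', d.get('payload'))}"


if __name__ == '__main__':
    for duid in (SAMPLE_LLT, SAMPLE_EN, POST_DUID):
        print(duid, '->', describe(duid))
```

The reason the protocol keys on a DUID rather than a MAC is that the DUID identifies the client as a whole and is meant to stay constant across its interfaces and across NIC replacement; per-interface state is carried separately by the IAID. A MAC may still be embedded, as the LLT and LL types show, which is also why a DUID can leak hardware identity between networks unless the client uses DUID-EN or DUID-UUID.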

Next step was to get ipv6 set up on all my machines. My Windows 7 box proved most difficult; however, once it was sorted it even picked up the DHCPv6 IP hints without any problem, although I still had to manually set a route in netsh.

My Debian laptop worked fine, and as with my Arch Linux virtual machine, the ipv6 module needed to be loaded (added to /etc/modules so it loads automatically on boot).

Windows XP was just as easy: netsh interface ipv6 install, and it picked up everything fine.

I'm enjoying this tunnel, and as you can see from the configs, I've already started finding ways to play with my addresses. I can now see the dancing kame.net turtle, and interestingly the list of friends in chat on facebook looks different on their ipv6 page (tiled by profile photo, rather than listed).

Next step: start using ipv6 versions of things, and finding ipv6 services to use!

Until then though, I need to get my codecs sorted, so I can start calling mobile phones through my VOIP setup...
