On 03/06/2012 02:04 PM, Nico Pagliaro wrote:
> Wow, thanks for your information!
> my server is Centos. I think that commands are different, aren't they?
> 
> On Tue, Mar 6, 2012 at 6:33 PM, Simon Hobson <li...@thehobsons.co.uk
> <mailto:li...@thehobsons.co.uk>> wrote:
> 
>     Nico Pagliaro wrote:
>     >But reading this, I need to configure a IPv6 in my firewall.
>     >is this necessary if the only thing I want is to allow protocol 41 in and out?
> 
>     If you are only enabling IPv6 on your PC then you don't need IPv6 on
>     your firewall - at all. Just allow the right traffic (protocol 41 ?)
>     through to your PC as already described.
> 
>     However, if you want the "real" Ipv6 experience, it's not hard to
>     enable IPv6 on the firewall with an HE tunnel.
>     You haven't said what OS you have on your gateway/firewall - this is
>     what I have for a Debian host running PPPoE, Shorewall, Shorewall6 :
> 
>     /etc/network/interfaces :
>     >auto eth0
>     >iface eth0 inet static
>     >   address 192.168.x.1
>     >   netmask 255.255.255.0
>     >
>     >iface eth0 inet6 static
>     >   address 2001:470:xxx9:xxxx::1
>     >   netmask 64
>     >
>     >auto he-ipv6
>     >iface he-ipv6 inet6 static
>     >   address 2001:470:xxx8:xxxx::2
>     >   netmask 64
>     >   gateway 2001:470:xxx8:xxxx::1
>     >   pre-up ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>     >   pre-up ip link set he-ipv6 up
>     >   post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
>     >   post-down ip link set he-ipv6 down
>     >   post-down ip tunnel del he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>     >
>     >auto isp
>     >iface isp inet ppp
>     >provider isp
> 
>     This is sufficient to configure your HE tunnel, and IPv6 internally
>     using your routed subnet. Note the slight difference in IP address
>     between that on the tunnel and that on eth0 - when you log into your
>     HE account, you'll see the link address and /64 routed subnets listed
>     against your connection.
> 
>     Now for Shorewall6 config.
>     interfaces
>     >net     ppp0            detect          tcpflags,forward=1,optional,dhcp
>     >net     he-ipv6         detect          tcpflags,forward=1,optional
>     >loc     eth0            detect          tcpflags,forward=1
>     I think the ppp0 interface is redundant - I have it in because I'm
>     also trialling my ISP's native IPv6.
> 
>     zones
>     >fw     firewall
>     >net    ipv6
>     >loc    ipv6
>     Virtually identical to the IPv4 setup
> 
>     policy
>     >loc            net             ACCEPT
>     >net            all             REJECT
>     >all            all             REJECT
>     It's important to drop or reject all inbound traffic. Unlike IPv4
>     where most users have NAT which in itself provides a level of
>     protection, with IPv6 you are fully routed which can make all your
>     local machines suddenly appear on the internet !
> 
>     Set IP_FORWARDING=Yes in shorewall6.conf, and something I overlooked
>     and caused myself some consternation, set DISABLE_IPV6=No in
>     /etc/shorewall/shorewall.conf !
> 
>     And of course, set whatever rules you need. Here is an extract from
>     my rules file :
>     ># I run mail and DNS servers at home, allow that traffic in
>     >SMTP(ACCEPT)   net             loc:2001:470:xxx9:xxx::xxxx
>     >DNS(ACCEPT)    net             loc:2001:470:xxx9:xxx::xxxx
>     >ACCEPT         net             loc:2001:470:xxx9:xxx::xxxx    ipv6-icmp
>     >
>     >DNS(ACCEPT)    $FW             net
>     >
>     ># Give me remote access to the firewall
>     >SSH(ACCEPT)    loc             $FW
>     >
>     >Ping(ACCEPT)   loc             $FW
>     >
>     >ACCEPT         $FW             loc             ipv6-icmp
>     >ACCEPT         $FW             net             ipv6-icmp
>     >ACCEPT         all             all             ipv6-icmp
> 
>     Lastly, to allow your local machines to get public addresses, you
>     will probably want to install RAdvD (Router Advertisement Daemon).
>     Its config can be as simple as :
>     /etc/radvd.conf
>     >interface eth0 {
>     >       AdvSendAdvert on;
>     >         AdvOtherConfigFlag off ;
>     >       prefix ::/64
>     >       {
>     >               AdvOnLink on;
>     >               AdvAutonomous on;
>     >       };
>     >};
> 
>     Between them, these settings should allow you to have native IPv6
>     running on your LAN - and most IPv6 enabled devices should "just work".
> 
>     And really finally (if you've read this far) ...
>     Good on you for giving IPv6 a go. It might seem terribly complicated
>     (it did (and still does) to me), but it does start getting easier
>     when you get the hang of it :-) Not all the tools are there yet, but
>     things are getting better.
> 
>     I have IPv6 via tunnels at home and work (both using the setup I've
>     described above) and to be honest I just don't notice it any more.
>     --
>     Simon Hobson, HE IPv6 Sage
> 

In CentOS (5.7 in my case; doesn't have shorewall6 yet :( ), you work
with files in /etc/sysconfig/network-scripts/ instead of
/etc/network/interfaces.  Here's a cleaned-up version of my ifcfg-sit1
from there. (You could also call it ifcfg-ipv6 or ifcfg-he6; that name
doesn't really matter, as long as it's consistent.)

===================================================================

# Hurricane Electric V6V4 tunnel, IPv4 side
NAME="Hurricane Electric SIT"
DEVICE=sit1
ONBOOT=yes
HOTPLUG=yes
USERCTL=yes
BOOTPROTO=none
PEERDNS=no

IPV6INIT=yes
IPV6FORWARDING=yes
IPV6_AUTOTUNNEL=yes
IPV6ADDR="2001:470:xxxx:xxxx::2/64"
IPV6ADDR_SECONDARIES="2001:470:yyyy:xxxx::1/64 2001:470:yyyy:xxxx::19/64 2001:470:yyyy:xxxx::35/64 2001:470:yyyy:xxxx::50/64"
IPV6_MTU=1440
IPV6_ROUTER=no
IPV6_AUTOCONF=no

IPV6TUNNELIPV4=xxx.xx.xx.xx
IPV6TUNNELIPV4LOCAL=yyy.yy.yy.yy

PHYSDEV=eth0
TYPE=sit
DEVICETYPE=sit

==========================================================

The secondary addresses are purely optional, of course.  So is the MTU
setting, I think.  And of course, if you're using it as a router,
obviously you want a different value for IPV6_ROUTER.  IPV6TUNNELIPV4 is
the address of the HE tunnelbroker you use, and IPV6TUNNELIPV4LOCAL is
your outward-facing interface's address (so if it's behind IPv4 NAT, you
put the RFC1918-type address here).

Then, it's `ifup sit1` and `ifdown sit1` to start & stop it.  If you use
NetworkManager, you're on your own, as far as I'm concerned; I've never
used it on a server or router.

I might also take the extra step, when setting up the protocol 41 rule,
of limiting it to the tunnelbroker's address only (the same as
IPV6TUNNELIPV4 above).  A little paranoid, but doesn't hurt.

ACCEPT        net:xx.x.x.x   $FW            41    # HE SIT IPv6 tunnel
ACCEPT        $FW            net:xx.x.x.x   41    # HE SIT IPv6 tunnel

The shorewall6 & radvd config can be the same as Simon's Debian above.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://www.prml.org/
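As an added example (not from either message, and not the network-scripts' or Shorewall's own code), here is a POSIX shell script that reads the ifcfg-sit1 keys from a constructed sample, prints the ip(8) commands they are assumed to amount to, and derives the protocol-41 rule scoped to the broker address from the same IPV6TUNNELIPV4 value. The addresses are documentation placeholders, and the key-to-command mapping is my assumption about what ifup does with them.

```shell
# Constructed sample of an ifcfg-sit1 (placeholder addresses, not a real tunnel)
SAMPLE_IFCFG='# Hurricane Electric V6V4 tunnel, IPv4 side
DEVICE=sit1
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR="2001:db8:1:1::2/64"
IPV6_MTU=1440
IPV6TUNNELIPV4=192.0.2.1
IPV6TUNNELIPV4LOCAL=198.51.100.7
PHYSDEV=eth0
TYPE=sit'

# Print the value of KEY ($2) from ifcfg text ($1), surrounding quotes removed.
ifcfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# Show what the ifcfg keys amount to as ip(8) commands (assumed equivalent to
# what the network-scripts run; handy for eyeballing the file before `ifup sit1`).
tunnel_commands() {
    dev=$(ifcfg_get "$1" DEVICE)
    remote=$(ifcfg_get "$1" IPV6TUNNELIPV4)
    local_=$(ifcfg_get "$1" IPV6TUNNELIPV4LOCAL)
    addr=$(ifcfg_get "$1" IPV6ADDR)
    mtu=$(ifcfg_get "$1" IPV6_MTU)
    # Refuse to describe a tunnel with an unset endpoint: both must be explicit.
    if [ -z "$remote" ] || [ -z "$local_" ]; then
        echo "error: IPV6TUNNELIPV4 and IPV6TUNNELIPV4LOCAL are required" >&2
        return 1
    fi
    echo "ip tunnel add $dev mode sit remote $remote local $local_ ttl 64"
    echo "ip link set $dev up"
    [ -n "$mtu" ] && echo "ip link set $dev mtu $mtu"
    echo "ip -6 addr add $addr dev $dev"
}

# Shorewall (IPv4) rules allowing protocol 41 only to/from the broker endpoint,
# i.e. the "paranoid" rule above, derived from the same ifcfg value so the two
# files cannot drift apart.
shorewall_proto41_rules() {
    peer=$(ifcfg_get "$1" IPV6TUNNELIPV4)
    [ -n "$peer" ] || return 1
    printf 'ACCEPT\tnet:%s\t$FW\t41\t# HE SIT IPv6 tunnel\n' "$peer"
    printf 'ACCEPT\t$FW\tnet:%s\t41\t# HE SIT IPv6 tunnel\n' "$peer"
}

tunnel_commands "$SAMPLE_IFCFG"
shorewall_proto41_rules "$SAMPLE_IFCFG"
```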

