Archive for the ‘Ubuntu’ Category

Enabling a DHCPv6 client with Prefix Delegation ability on Ubuntu Server

Thursday, April 11th, 2013

What is Prefix Delegation?
Prefix Delegation (PD) is a DHCPv6 mechanism that lets a home networking router ask the ISP's DHCPv6 server for an IPv6 prefix (subnet), which the router can then split up and delegate to the clients it serves.

Why?
In the (hopefully) not too distant future, ISPs will be offering native IPv6. Since there is no NAT in IPv6, and most people have at least a couple of computers sitting behind a hardware NAT box, they will need to get IPv6 addresses for every device they have. This is done via DHCPv6 and PD. When your ISP is ready (if it isn’t already) you’ll be able to use this to participate in the IPv6 world!

How?
Let’s just dig in then!
Required software:

  • wide-dhcp6c
  • RADVD


Why wide-dhcp6c, instead of ISC’s dhclient with IPv6 options?

  1. IPv6 documentation on dhclient is lacking and almost non-existent.
  2. wide-dhcp6c has the ability to assign a block from the received PD block to an interface.
  3. ISC requires you to run a separate instance for v6 anyway.


For this example network:
eth0 = WAN (ISP facing) interface
eth1 = LAN (home network) interface

In /etc/sysctl.conf add/set:

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 2

This makes the server a router (forwarding = 1) and allows eth0 to keep accepting Router Advertisements so that it gets its default route. (By default, an interface stops accepting Router Advertisements once forwarding is enabled; accept_ra = 2 overrides that.)

In /etc/network/interfaces add/set:

iface eth0 inet6 static

We set it to static because we will not be using the ISC DHCP client to obtain our IPv6 address and prefix, we will be using the wide dhcpv6 client.

To install the wide dhcpv6 client run this on the command line:

sudo apt-get install wide-dhcpv6-client

On install, you will get a prompt asking which interface the client should run on. Enter the WAN interface (eth0 in our case).

Configure wide dhcp6c

cd /etc/wide-dhcpv6
sudo nano dhcp6c.conf

make it look like:

interface eth0 { # external facing interface (WAN)
  send ia-na 1;
  send ia-pd 1;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc pd 1 {
  prefix-interface eth1 { # internal facing interface (LAN)
    sla-id 0;  # subnet number. Combined with the ia-pd prefix to pick the /64 for this interface.
    ifid 1;    # interface identifier ("postfix"). If not set, the EUI-64 of the interface is used. Combined with the SLA-ID'd prefix to form the full address of the interface.
    sla-len 8; # subnet bits. Take the prefix size you're assigned (something like /48 or /56) and subtract it from 64. In my case I was being assigned a /56, so 64-56=8
  };
};

id-assoc na 1 {
  # non-temporary address (the ia-na 1 requested above) for eth0
};
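The sla-id / sla-len / ifid arithmetic above is easy to get wrong, so here is an added example (not from the post and not part of wide-dhcp6c) that computes what a prefix-interface stanza produces: the /64 handed to eth1 and the router's address on it, including the EUI-64 fallback used when ifid is omitted. The delegated prefix 2001:db8:1200::/56 and the MAC 00:11:22:33:44:55 are constructed sample values; the function and parameter names are this example's own.

```python
# Added example (not from the post): work out what wide-dhcp6c's id-assoc pd
# settings produce for the LAN side, given the prefix the ISP delegates.
import ipaddress
from typing import Optional, Tuple


def sla_len_for(delegated_prefix: str) -> int:
    """The post's rule of thumb: sla-len = 64 - delegated prefix length (for /64 LAN subnets)."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64 and cannot be split into SLAAC subnets")
    return 64 - pd.prefixlen


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A), which is what
    wide-dhcp6c falls back to when no 'ifid' is configured: the MAC is split in
    two, ff:fe is inserted in the middle, and the universal/local bit (0x02 of
    the first octet) is flipped."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00:11:22:33:44:55")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def delegated_interface_address(delegated_prefix: str, sla_len: int, sla_id: int,
                                ifid: Optional[int] = None, mac: Optional[str] = None
                                ) -> Tuple[ipaddress.IPv6Network, ipaddress.IPv6Interface]:
    """Return (LAN subnet, router address on that subnet) for one prefix-interface stanza."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    subnet_len = pd.prefixlen + sla_len
    if subnet_len != 64:
        raise ValueError(f"/{pd.prefixlen} + sla-len {sla_len} = /{subnet_len}; "
                         "radvd's SLAAC needs /64 subnets")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The sla-id occupies the bits between the delegated prefix and the /64 boundary,
    # i.e. it is added just above the 64-bit interface identifier.
    subnet = ipaddress.IPv6Network((int(pd.network_address) + (sla_id << 64), 64))
    if ifid is None:
        if mac is None:
            raise ValueError("need either an ifid or the interface MAC for EUI-64")
        ifid = eui64_interface_id(mac)
    if not 0 <= ifid < (1 << 64):
        raise ValueError("ifid must fit in the 64-bit interface identifier")
    address = ipaddress.IPv6Interface((int(subnet.network_address) + ifid, 64))
    return subnet, address


if __name__ == "__main__":
    # Constructed delegated prefix (documentation range), matching the post's /56 case.
    delegated = "2001:db8:1200::/56"
    subnet, addr = delegated_interface_address(delegated, sla_len_for(delegated), 0, ifid=1)
    print(f"eth1 gets {subnet} and the router is {addr}")
    # Same stanza with a second LAN segment (sla-id 1) and no ifid, so EUI-64 is used.
    subnet2, addr2 = delegated_interface_address(delegated, 8, 1, mac="00:11:22:33:44:55")
    print(f"a second prefix-interface with sla-id 1 would get {subnet2} and {addr2}")
```

With sla-id 0 and ifid 1 the router ends up at 2001:db8:1200::1/64, which is the address radvd will later find on eth1 and advertise with `prefix ::/64`. The example goes beyond the post in one way: it also handles additional prefix-interface stanzas (sla-id 1, 2, ...) for routers with more than one LAN segment.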

Install RADVD

sudo apt-get install radvd

Then change the default start priority from S20 to S98 and add a 10 second delay, so that radvd runs *after* wide-dhcp6c is done (otherwise it can't pick up the IPv6 prefix that has been assigned).
Get the normal runlevel:

/sbin/runlevel
N 2

Go to the runlevel directory:

cd /etc/rc2.d

(replace the 2 with the number from the previous command)

mv S20radvd S98radvd

Edit S98radvd and add

sleep 10

after the first set of comments.
We move it to S98 so pretty much everything else is done starting and we’re not delaying anything important by that 10 seconds.

Configure the following in /etc/radvd.conf:

interface eth1 # LAN interface
{
  AdvManagedFlag off;     # no DHCPv6 server here.
  AdvOtherConfigFlag off; # not even for options.
  AdvSendAdvert on;
  AdvDefaultPreference high;
  AdvLinkMTU 1280;
  prefix ::/64 # pick one non-link-local prefix assigned to the interface and start advertising it
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
};

Restart radvd
sudo /etc/init.d/radvd restart

And if your ISP has a DHCPv6 server running, you should have a happy IPv6 address everywhere.
To check if things are working:
ifconfig eth0
ifconfig eth1
(to see if IPv6 addresses are assigned.)
If the only IPv6 addresses on these interfaces start with fe80:: (link-local), then it's likely (at this point) that your ISP doesn't have IPv6 enabled.

IPv6 Firewalling with ip6tables

Wednesday, March 30th, 2011

Now that you've gotten IPv6 configured on your home network, forget about relying on NAT to be your "firewall". All your devices now have a globally routed IP (v6) address, so it's time to get familiar with setting up a "real" firewall.

Since my IPv6 router is a Linux box that is also other things (server, wireless access point, etc.) I can't set up a nice dedicated firewall like pfSense (currently IPv6 is enabled on the beta versions) without spending more money and quite a bit more work. So I'll work with what I have: ip6tables.

Here’s a simple set of ip6tables rules I’ve come up with. You’ll want to tweak these for your specific site. Mine are called from /etc/rc.local

# IPv6 firewall (ip6tables)
WAN_IF=he-ipv6
LAN_IF=eth0
WLAN_IF=wlan0

# Flush the filter table
ip6tables -F

# Define policies: nothing in or through unless explicitly allowed
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# Allow unrestricted access from the internal network
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A INPUT -i $WLAN_IF -j ACCEPT

# Allow replies to connections the router itself initiated
ip6tables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forwarding through from the internal network
# For now allow unrestricted access out from the internal network
ip6tables -A FORWARD -i $LAN_IF -j ACCEPT
ip6tables -A FORWARD -i $WLAN_IF -j ACCEPT

# Allow replies to connections initiated from the internal network
ip6tables -A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 22 -j ACCEPT

# Allow remote desktop in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 3389 -j ACCEPT

# Drop everything else (FORWARD)
ip6tables -A FORWARD -i $WAN_IF -j DROP

# Allow everything to our router/server.
ip6tables -A INPUT -s 0/0 -d 2001:470:81e5::1/128 -j ACCEPT

# Drop everything else (INPUT)
ip6tables -A INPUT -i $WAN_IF -j DROP

In a few places, I only allow packets from 2000::/3. Currently this encompasses all of the global IPv6 addresses, so I could have easily used 0/0 (equivalent to ::/0 or “anywhere”) but I’m okay with being a little more specific here. In fact, for some of them (like ssh and remote desktop) I should be even more specific, but this is a start.

Ensure you can test your rules before leaving them on. I had some rules ordered incorrectly (I tried adding some rules after the “Drop everything else” rule for the chain) and broke www to ipcalypse.ca for a while. (oops!). To verify www, dns and smtp on my server, I used http://go6.se/check/ to test these rules.
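Because netfilter takes the first matching rule, the ordering mistake described above (appending a rule after the chain's "drop everything else") silently does nothing. The following added example, which is not part of the post, is a small first-match model of the ruleset above so you can see which rule a packet would hit before loading the rules on a live box. It models only the matches the post uses (-i, -s, -d, -p, --dport, -m state) and is not a netfilter implementation; the interface names and router address come from the post, while the internet host 2001:db8::5 and the LAN host 2001:470:81e5:1::1234 are constructed test values.

```python
# Added example (not from the post): first-match model of the post's ip6tables rules.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

WAN_IF, LAN_IF, WLAN_IF = "he-ipv6", "eth0", "wlan0"   # as in the post
ROUTER_ADDR = "2001:470:81e5::1"                        # the router address from the post


@dataclass
class Pkt:
    chain: str                 # "INPUT" (to the router) or "FORWARD" (through it)
    in_if: str
    src: str
    dst: str
    proto: str = "tcp"         # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    note: str = ""

    def matches(self, p: Pkt) -> bool:
        if self.chain != p.chain or (self.in_if and self.in_if != p.in_if):
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.states is None or p.state in self.states


POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

# The post's rules in the order the script appends them.
RULES = [
    Rule("INPUT", "ACCEPT", in_if="lo", note="loopback"),
    Rule("INPUT", "ACCEPT", in_if=LAN_IF, note="LAN to router"),
    Rule("INPUT", "ACCEPT", in_if=WLAN_IF, note="WLAN to router"),
    Rule("INPUT", "ACCEPT", in_if=WAN_IF, states={"RELATED", "ESTABLISHED"}, note="replies to router"),
    Rule("FORWARD", "ACCEPT", in_if=LAN_IF, note="LAN out"),
    Rule("FORWARD", "ACCEPT", in_if=WLAN_IF, note="WLAN out"),
    Rule("FORWARD", "ACCEPT", in_if=WAN_IF, states={"RELATED", "ESTABLISHED"}, note="replies inbound"),
    Rule("FORWARD", "ACCEPT", in_if=WAN_IF, src="2000::/3", proto="tcp", dport=22, note="ssh in"),
    Rule("FORWARD", "ACCEPT", in_if=WAN_IF, src="2000::/3", proto="tcp", dport=3389, note="rdp in"),
    Rule("FORWARD", "DROP", in_if=WAN_IF, note="FORWARD: drop everything else"),
    Rule("INPUT", "ACCEPT", dst=ROUTER_ADDR + "/128", note="everything to the router"),
    Rule("INPUT", "DROP", in_if=WAN_IF, note="INPUT: drop everything else"),
]


def verdict(p: Pkt, rules=RULES) -> Tuple[str, str]:
    """First matching rule decides, as in netfilter; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target, r.note
    return POLICY[p.chain], "chain policy"


# Constructed test hosts (documentation address for the internet side; the LAN host
# is an address inside the post's own prefix).
INTERNET_HOST, LAN_HOST = "2001:db8::5", "2001:470:81e5:1::1234"


def check_ruleset():
    results = {
        "ssh from internet to LAN host": verdict(Pkt("FORWARD", WAN_IF, INTERNET_HOST, LAN_HOST, "tcp", 22)),
        "https from internet to LAN host": verdict(Pkt("FORWARD", WAN_IF, INTERNET_HOST, LAN_HOST, "tcp", 443)),
        "reply to a LAN-initiated connection": verdict(
            Pkt("FORWARD", WAN_IF, INTERNET_HOST, LAN_HOST, "tcp", 51000, "ESTABLISHED")),
        "http to the router itself": verdict(Pkt("INPUT", WAN_IF, INTERNET_HOST, ROUTER_ADDR, "tcp", 80)),
        # A Router Advertisement: link-local source, all-nodes multicast destination.
        "router advertisement on WAN": verdict(Pkt("INPUT", WAN_IF, "fe80::1", "ff02::1", "icmpv6")),
    }
    # The mistake the post mentions: a rule appended after "drop everything else" is never reached.
    late_rule = Rule("FORWARD", "ACCEPT", in_if=WAN_IF, proto="tcp", dport=443, note="https in (appended too late)")
    results["https rule appended after the drop"] = verdict(
        Pkt("FORWARD", WAN_IF, INTERNET_HOST, LAN_HOST, "tcp", 443), RULES + [late_rule])
    return results


if __name__ == "__main__":
    for name, (target, note) in check_ruleset().items():
        print(f"{name:42} -> {target:6} ({note})")
```

Two results are worth noting. The "router advertisement on WAN" packet is dropped: nothing in the INPUT chain accepts traffic to link-local or multicast destinations on the WAN side, so on an Ethernet WAN (the eth0 setup from the prefix-delegation post above) Router Advertisements and Neighbor Discovery from the ISP would be blocked and the default route would never arrive; on a point-to-point tunnel interface like he-ipv6 this does not matter. ICMPv6 error messages such as Packet Too Big for connections the LAN initiated are classified RELATED by conntrack and are accepted by the RELATED,ESTABLISHED rule, so path MTU discovery for outbound connections keeps working.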

Enable IPv6 Privacy Extensions on Ubuntu

Saturday, March 19th, 2011

With SLAAC, your MAC address is embedded into your IPv6 address. When you connect to the world, you’re giving them something that can be traced back to you (or at least a piece of hardware you have). RFC3041 was created to help address this privacy issue. It’s since been obsoleted by RFC4941. The Linux kernel does support these RFCs, but most distributions do not turn it on by default. While the below was tested on Ubuntu, it should theoretically work for most flavors of Linux.

First, determine on which interface(s) you want to enable the privacy extensions:


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6547155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3594147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9470877266 (9.4 GB)  TX bytes:313893925 (313.8 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:859192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:859192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:418471854 (418.4 MB)  TX bytes:418471854 (418.4 MB)

In my case it’s eth2 (and no, I don’t know what happened to eth0 and eth1 ;).

Add the following lines to /etc/sysctl.conf:

net.ipv6.conf.eth2.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

*Note that the first line could (and most likely would) be different for your particular set up.

After that, restart your networking (or, if you like, restart the computer altogether) and you should see a new address:


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          inet6 addr: 2001:db8::9dd7:675f:8d2b:d78a/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6565518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3607197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9493464492 (9.4 GB)  TX bytes:315035089 (315.0 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:861796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:861796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:419488499 (419.4 MB)  TX bytes:419488499 (419.4 MB)

Outgoing connections will now use the new “random” ipv6 address. You can verify by going to http://test-ipv6.com
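The new address in the output above has no ff:fe in the middle of its interface identifier, which is how you can tell it apart from the EUI-64 address that embeds the MAC. As an added example (not part of the post), the script below parses ifconfig-style output like the listings above, and for each IPv6 address reports whether it carries an EUI-64 interface identifier and, if so, which MAC it reveals. The sample listing is constructed (MAC 00:11:22:33:44:55, documentation prefix 2001:db8::/32, and the temporary address from the post's output); the function names are this example's own.

```python
# Added example (not from the post): tell EUI-64 (MAC-derived) SLAAC addresses from
# temporary (RFC 4941) ones in ifconfig output, and recover the MAC the former embed.
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample in the ifconfig format shown in the post.
IFCONFIG_SAMPLE = """\
eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::211:22ff:fe33:4455/64 Scope:Global
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          inet6 addr: 2001:db8::9dd7:675f:8d2b:d78a/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet6 addr: ::1/128 Scope:Host
"""

INET6_LINE = re.compile(r"^\s+inet6 addr:\s*([0-9a-f:]+)/(\d+)\s+Scope:(\w+)", re.IGNORECASE)


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC that a modified EUI-64 interface identifier encodes, or None.
    SLAAC builds the identifier as MAC[0:3] + ff:fe + MAC[3:6] with the
    universal/local bit (0x02 of the first octet) flipped, so we check for the
    ff:fe marker and undo the flip. (A random identifier matches the marker with
    probability 1/65536, so treat the result as a strong hint, not proof.)"""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


def audit(ifconfig_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (interface, address, scope, verdict) for every inet6 line in the output."""
    iface = None
    rows = []
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():   # "eth2      Link encap:..." starts a block
            iface = line.split()[0]
            continue
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr, _plen, scope = m.groups()
        mac = embedded_mac(addr)
        if scope.lower() != "global":
            verdict = f"{scope.lower()} scope: not used for off-link traffic"
        elif mac:
            verdict = f"EUI-64 address: embeds MAC {mac}"
        else:
            verdict = "no MAC embedded (temporary or otherwise assigned address)"
        rows.append((iface, addr, scope, verdict))
    return rows


if __name__ == "__main__":
    for iface, addr, scope, verdict in audit(IFCONFIG_SAMPLE):
        print(f"{iface:5} {addr:36} {verdict}")
```

Run against real output, the audit tells you which of your global addresses still reveal the hardware address; with use_tempaddr = 2 the EUI-64 address stays configured (other hosts can still reach you on it), but new outgoing connections prefer the temporary one, which is exactly what the test-ipv6.com check shows.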