diff --git a/docs/6to4.xml b/docs/6to4.xml index c3cfd642b..70b751e02 100644 --- a/docs/6to4.xml +++ b/docs/6to4.xml @@ -40,13 +40,10 @@ - - The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4 - tunneling. It does not provide any IPv6 security measures. - - 6to4 tunneling with Shorewall can be used to connect your IPv6 network - to another IPv6 network over an IPv4 infrastructure. + to another IPv6 network over an IPv4 infrastructure. It can also allow you + to experiment with IPv6 even if your ISP doesn't provide IPv6 + connectivity. More information on Linux and IPv6 can be found in the Linux IPv6 HOWTO. @@ -54,8 +51,244 @@ url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup of 6to4 tunnels. +
+ Getting your Feet Wet with IPv6, by Tom Eastep + + 6to4 tunnels provide a good way to introduce yourself to IPv6. + Shorewall6 was developed on a network whose only IPv6 connectivity was an + 6to4 Tunnel. What is shown in this section requires Shorewall6 4.2.4 or + later. + +
+ Configuring IPv6 + + I have created an init script to make the job of + configuring your firewall for IPv6 easier. The script is installed in + /etc/init.d and configures ipv6 at boot. The script works on OpenSuSE + 11.0 and may need modification for other distributions. On OpenSuSE, the + script is installed using the command 'chkconfig --add ipv6'. + + At the top of the script, you will see several variables: + + SIT="sit1" +INTERFACES="eth1" +ADDRESS=206.124.146.180 +SLA=0 + + + + SIT - The name of the tunnel device. Usually 'sit1' + + + + INTERFACES - local interfaces that you want to configure for + IPv6 + + + + ADDRESS - A static IPv4 address on your firewall that you want + to use for the tunnel. + + + + The identity of the first local sub-network that you want to + assign to the interfaces listed in INTERFACES. Normally zero + (0000). + + + + Here is the file from my firewall: + + SIT="sit1" +INTERFACES="eth0 eth2" +ADDRESS=206.124.146.180 +SLA=1 + + eth0 is the interface to my local network (both wired and + wireless). eth2 goes to my DMZ which holds a single server. + + + + Here is the configuration after IPv6 is configured; the part it + bold is configured by the /etc/init.d/ipv6 script. 
+ + gateway:~ # ip -6 addr ls +1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000 + inet6 2002:ce7c:92b4:1::2/64 scope global + valid_lft forever preferred_lft forever + inet6 fe80::202:e3ff:fe08:55fa/64 scope link + valid_lft forever preferred_lft forever +3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000 + inet6 fe80::202:e3ff:fe08:484c/64 scope link + valid_lft forever preferred_lft forever +4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000 + inet6 2002:ce7c:92b4:2::2/64 scope global + valid_lft forever preferred_lft forever + inet6 fe80::2a0:ccff:fed2:353a/64 scope link + valid_lft forever preferred_lft forever +24: sit1@NONE: <NOARP,UP,LOWER_UP> mtu 1480 + inet6 ::206.124.146.180/128 scope global + valid_lft forever preferred_lft forever + inet6 2002:ce7c:92b4::1/128 scope global + valid_lft forever preferred_lft forever +gateway:~ # ip -6 route ls +::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295 +2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295 +2002:ce7c:92b4:1::/64 dev eth0 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295 +2002:ce7c:92b4:2::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev eth0 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev eth1 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295 +default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295 +gateway:~ # + + You will notice that sit1, eth0 and eth2 each have an IPv6 address + beginning with 2002: -- 
All 6to4 IPv6 addresses have that in their most + significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4 + ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are + the proud owner of 280 IPv6 addresses! In the + case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each + interface in INTERFACES, 264 addresses; in + the case of eth0, 2002:ce7c:92b4:1::/64. + + I run radvd on + the firewall to automatically assign IPv6 addresses to hosts connected + to eth0 and eth1. Here is my /etc/radvd.conf + file: + + interface eth0 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 10; + prefix 2002:ce7c:92b4:1::/64 { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; + + RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 { + AdvRDNSSOpen on; + AdvRDNSSPreference 2; + }; +}; + +interface eth2 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 10; + prefix 2002:ce7c:92b4:2::/64 { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; + + RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 { + AdvRDNSSOpen on; + AdvRDNSSPreference 2; + }; +}; + + Here is the automatic IPv6 configuration on my server attached to + eth2: + + webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 addr ls +1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000 + inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic + valid_lft 2591995sec preferred_lft 604795sec + inet6 fe80::2a0:ccff:fedb:31c4/64 scope link + valid_lft forever preferred_lft forever +webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 route ls +2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295 +fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295 +default via 
fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64 +webadmin@lists:~/ftpsite/contrib/IPv6> + + You will note that the public IPv6 address of eth2 was formed by + concatenating the prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) + and the lower 64 bits of the link level address of eth2 + (2a0:ccff:fedb:31c4). The default route is described using the link + level address of eth2 on the firewall (fe80::2a0:ccff:fed2:353a). +
+ +
+ Configuring Shorewall + + We need to add an entry in /etc/shorewall/tunnels: + + #TYPE ZONE GATEWAY GATEWAY +# ZONE +6to4 net +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +
+ +
+ Configuring Shorewall6 + + The Shorewall6 configuration on my firewall is a very basic + three-interface one. + + /etc/shorewall6/zones: + + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall +net ipv6 +loc ipv6 +dmz ipv6 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + /etc/shorewall6/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net sit1 detect tcpflags,forward=1,nosmurfs +loc eth0 detect tcpflags,forward=1 +dmz eth2 detect tcpflags,forward=1 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + + /etc/shorewall6/policy: + + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +net all DROP info +loc net ACCEPT +dmz net ACCEPT +all all REJECT info + + /etc/shorewall6/rules: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK +# PORT PORT(S) DEST LIMIT GROUP +# +# Accept DNS connections from the firewall to the network +# +DNS/ACCEPT $FW net +# +# Accept SSH connections from the local network for administration +# +SSH/ACCEPT loc $FW +# +# Allow Ping everywhere +# +Ping/ACCEPT all all + +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +
+
+
- Connecting two IPv6 Networks + Connecting two IPv6 Networks, by Eric de Thouars Suppose that we have the following situation: @@ -63,9 +296,9 @@ We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is - accomplished through use of the /etc/shorewall/tunnels - file and the ip utility for network interface and routing - configuration. + accomplished through use of the + /etc/shorewall/tunnels file and the ip + utility for network interface and routing configuration. Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, diff --git a/docs/images/Network2008b.dia b/docs/images/Network2008b.dia new file mode 100644 index 000000000..fa6fd75e4 Binary files /dev/null and b/docs/images/Network2008b.dia differ diff --git a/docs/images/Network2008b.dia~ b/docs/images/Network2008b.dia~ new file mode 100644 index 000000000..10e39e439 Binary files /dev/null and b/docs/images/Network2008b.dia~ differ diff --git a/docs/images/Network2008b.png b/docs/images/Network2008b.png new file mode 100644 index 000000000..e31de7e3f Binary files /dev/null and b/docs/images/Network2008b.png differ
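Review bot: the first hunk (@@ -40,13 +40,10 @@) deletes the caution "The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security measures." without replacing it; that statement is still true of Shorewall itself, and a reader who stops at the /etc/shorewall/tunnels entry now has nothing telling them that the decapsulated IPv6 traffic is not filtered by Shorewall. Since the new material adds a Shorewall6 configuration for the same tunnel, rephrase the sentence rather than dropping it, e.g. "Shorewall only passes the encapsulated IPv4 traffic; filtering of the IPv6 packets inside the tunnel is done by Shorewall6 (see Configuring Shorewall6 below)."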
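Review bot: the fourth bullet of the variable list in the "Configuring IPv6" subsection is missing its variable name; the other three open with "SIT -", "INTERFACES -" and "ADDRESS -", so this one should open with "SLA - The identity of the first local sub-network ...". The init script that the subsection is built around ("I have created an init script ... installed in /etc/init.d") is never named or linked, so a reader cannot obtain it; add where it is distributed. Two wording fixes in the same region: "an 6to4 Tunnel" should read "a 6to4 tunnel", and "the part it bold is configured" should read "the part in bold is configured".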
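Review bot: in the paragraph following the `ip -6 route ls` listing, "280 IPv6 addresses" and "264 addresses" read as literal counts; the intended values are 2^80 (the host bits left in 2002:ce7c:92b4::/48) and 2^64 (the host bits in a /64), so the exponents need superscript markup. In the next paragraph, "hosts connected to eth0 and eth1" contradicts the radvd.conf shown directly below it, which has `interface eth0` and `interface eth2` stanzas, and the firewall's INTERFACES="eth0 eth2"; it should read "eth0 and eth2" (eth1 appears in the listing with only a link-local fe80:: address and no 2002: prefix).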
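Review bot: the Shorewall6 policy and rules in "Configuring Shorewall6" do not let loc hosts reach the resolver that radvd hands them. Both radvd.conf stanzas advertise `RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4`, which is the server on eth2 in the dmz zone, but /etc/shorewall6/rules only contains `DNS/ACCEPT $FW net`, so DNS from loc to dmz falls through to `all all REJECT info` and is logged as rejected. Either add a `DNS/ACCEPT loc dmz` rule to the example, or say explicitly that the rules file is a minimal skeleton and that access to the DMZ resolver has to be added.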
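Review bot: `docs/images/Network2008b.dia~` is an editor backup copy of `Network2008b.dia` and should not be committed; drop it from the change so that only `Network2008b.dia` and `Network2008b.png` are added. Also confirm that the new diagram is actually referenced from 6to4.xml: none of the hunks shown adds a reference to Network2008b.png, and the third hunk (@@ -63,9 +296,9 @@) is a whitespace-only reflow of the "Connecting two IPv6 Networks" paragraph.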