mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Update 6to4 article
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
814d0761ba
commit
a8a5021d84
253
docs/6to4.xml
@ -40,13 +40,10 @@
|
|||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<warning>
|
|
||||||
<para>The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4
|
|
||||||
tunneling. It does not provide any IPv6 security measures.</para>
|
|
||||||
</warning>
|
|
||||||
|
|
||||||
<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
|
<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
|
||||||
to another IPv6 network over an IPv4 infrastructure.</para>
|
to another IPv6 network over an IPv4 infrastructure. It can also allow you
|
||||||
|
to experiment with IPv6 even if your ISP doesn't provide IPv6
|
||||||
|
connectivity.</para>
|
||||||
|
|
||||||
<para>More information on Linux and IPv6 can be found in the <ulink
|
<para>More information on Linux and IPv6 can be found in the <ulink
|
||||||
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
|
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
|
||||||
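Review bot: deleting the <warning> block removes the only statement that the 6to4 tunnel feature "does not provide any IPv6 security measures", and the widened introductory paragraph does not carry that caveat forward. Since the new material in this same commit shows Shorewall6 doing the actual IPv6 filtering on sit1, eth0 and eth2, consider keeping one sentence here along the lines of "Shorewall only handles the IPv4 side of the tunnel; the IPv6 traffic carried inside it must be filtered with Shorewall6" rather than dropping the warning outright.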
@ -54,8 +51,244 @@
|
|||||||
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
|
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
|
||||||
of 6to4 tunnels</ulink>.</para>
|
of 6to4 tunnels</ulink>.</para>
|
||||||
|
|
||||||
|
<section id="FeetWet">
|
||||||
|
<title>Getting your Feet Wet with IPv6, by Tom Eastep</title>
|
||||||
|
|
||||||
|
<para>6to4 tunnels provide a good way to introduce yourself to IPv6.
|
||||||
|
Shorewall6 was developed on a network whose only IPv6 connectivity was an
|
||||||
|
6to4 Tunnel. What is shown in this section requires Shorewall6 4.2.4 or
|
||||||
|
later.</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Configuring IPv6</title>
|
||||||
|
|
||||||
|
<para>I have created an init <ulink
|
||||||
|
url="/pub/shorewall/contrib/IPv6/ipv6">script</ulink> to make the job of
|
||||||
|
configuring your firewall for IPv6 easier. The script is installed in
|
||||||
|
/etc/init.d and configures ipv6 at boot. The script works on OpenSuSE
|
||||||
|
11.0 and may need modification for other distributions. On OpenSuSE, the
|
||||||
|
script is installed using the command 'chkconfig --add ipv6'.</para>
|
||||||
|
|
||||||
|
<para>At the top of the script, you will see several variables:</para>
|
||||||
|
|
||||||
|
<programlisting>SIT="sit1"
|
||||||
|
INTERFACES="eth1"
|
||||||
|
ADDRESS=206.124.146.180
|
||||||
|
SLA=0</programlisting>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>SIT - The name of the tunnel device. Usually 'sit1'</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>INTERFACES - local interfaces that you want to configure for
|
||||||
|
IPv6</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>ADDRESS - A static IPv4 address on your firewall that you want
|
||||||
|
to use for the tunnel.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The identity of the first local sub-network that you want to
|
||||||
|
assign to the interfaces listed in INTERFACES. Normally zero
|
||||||
|
(0000).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>Here is the file from my firewall:</para>
|
||||||
|
|
||||||
|
<programlisting>SIT="sit1"
|
||||||
|
INTERFACES="eth0 eth2"
|
||||||
|
ADDRESS=206.124.146.180
|
||||||
|
SLA=1</programlisting>
|
||||||
|
|
||||||
|
<para>eth0 is the interface to my local network (both wired and
|
||||||
|
wireless). eth2 goes to my DMZ which holds a single server.</para>
|
||||||
|
|
||||||
|
<graphic fileref="images/Network2008b.png" />
|
||||||
|
|
||||||
|
<para>Here is the configuration after IPv6 is configured; the part it
|
||||||
|
bold is configured by the /etc/init.d/ipv6 script.</para>
|
||||||
|
|
||||||
|
<programlisting>gateway:~ # ip -6 addr ls
|
||||||
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
|
||||||
|
inet6 ::1/128 scope host
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||||
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:1::2/64 scope global
|
||||||
|
valid_lft forever preferred_lft forever</emphasis>
|
||||||
|
inet6 fe80::202:e3ff:fe08:55fa/64 scope link
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||||
|
inet6 fe80::202:e3ff:fe08:484c/64 scope link
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||||
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:2::2/64 scope global
|
||||||
|
valid_lft forever preferred_lft forever</emphasis>
|
||||||
|
inet6 fe80::2a0:ccff:fed2:353a/64 scope link
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
24: sit1@NONE: <NOARP,UP,LOWER_UP> mtu 1480
|
||||||
|
<emphasis role="bold"> inet6 ::206.124.146.180/128 scope global
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
inet6 2002:ce7c:92b4::1/128 scope global
|
||||||
|
valid_lft forever preferred_lft forever</emphasis>
|
||||||
|
gateway:~ # ip -6 route ls
|
||||||
|
<emphasis role="bold">::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
|
||||||
|
<emphasis role="bold">2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
|
||||||
|
2002:ce7c:92b4:1::/64 dev eth0 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
2002:ce7c:92b4:2::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
|
||||||
|
fe80::/64 dev eth0 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
fe80::/64 dev eth1 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
|
||||||
|
<emphasis role="bold">default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
|
||||||
|
gateway:~ # </programlisting>
|
||||||
|
|
||||||
|
<para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
|
||||||
|
beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
|
||||||
|
significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
|
||||||
|
ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
|
||||||
|
the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
|
||||||
|
case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
|
||||||
|
interface in INTERFACES, 2<superscript>64</superscript> addresses; in
|
||||||
|
the case of eth0, 2002:ce7c:92b4:1::/64.</para>
|
||||||
|
|
||||||
|
<para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
|
||||||
|
the firewall to automatically assign IPv6 addresses to hosts connected
|
||||||
|
to eth0 and eth1. Here is my <filename>/etc/radvd.conf</filename>
|
||||||
|
file:</para>
|
||||||
|
|
||||||
|
<programlisting>interface eth0 {
|
||||||
|
AdvSendAdvert on;
|
||||||
|
MinRtrAdvInterval 3;
|
||||||
|
MaxRtrAdvInterval 10;
|
||||||
|
prefix 2002:ce7c:92b4:1::/64 {
|
||||||
|
AdvOnLink on;
|
||||||
|
AdvAutonomous on;
|
||||||
|
AdvRouterAddr off;
|
||||||
|
};
|
||||||
|
|
||||||
|
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
|
||||||
|
AdvRDNSSOpen on;
|
||||||
|
AdvRDNSSPreference 2;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
interface eth2 {
|
||||||
|
AdvSendAdvert on;
|
||||||
|
MinRtrAdvInterval 3;
|
||||||
|
MaxRtrAdvInterval 10;
|
||||||
|
prefix 2002:ce7c:92b4:2::/64 {
|
||||||
|
AdvOnLink on;
|
||||||
|
AdvAutonomous on;
|
||||||
|
AdvRouterAddr off;
|
||||||
|
};
|
||||||
|
|
||||||
|
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
|
||||||
|
AdvRDNSSOpen on;
|
||||||
|
AdvRDNSSPreference 2;
|
||||||
|
};
|
||||||
|
};</programlisting>
|
||||||
|
|
||||||
|
<para>Here is the automatic IPv6 configuration on my server attached to
|
||||||
|
eth2:</para>
|
||||||
|
|
||||||
|
<programlisting>webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 addr ls
|
||||||
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
|
||||||
|
inet6 ::1/128 scope host
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||||
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic
|
||||||
|
valid_lft 2591995sec preferred_lft 604795sec</emphasis>
|
||||||
|
inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
|
||||||
|
valid_lft forever preferred_lft forever
|
||||||
|
webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 route ls
|
||||||
|
<emphasis role="bold">2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
|
||||||
|
fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
|
||||||
|
<emphasis role="bold">default via fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
|
||||||
|
webadmin@lists:~/ftpsite/contrib/IPv6> </programlisting>
|
||||||
|
|
||||||
|
<para>You will note that the public IPv6 address of eth2 was formed by
|
||||||
|
concatenating the prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2)
|
||||||
|
and the lower 64 bits of the link level address of eth2
|
||||||
|
(2a0:ccff:fedb:31c4). The default route is described using the link
|
||||||
|
level address of eth2 on the firewall (fe80::2a0:ccff:fed2:353a).</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Configuring Shorewall</title>
|
||||||
|
|
||||||
|
<para>We need to add an entry in /etc/shorewall/tunnels:</para>
|
||||||
|
|
||||||
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||||
|
# ZONE
|
||||||
|
6to4 net
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Configuring Shorewall6</title>
|
||||||
|
|
||||||
|
<para>The Shorewall6 configuration on my firewall is a very basic
|
||||||
|
three-interface one.</para>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall6/zones</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||||
|
# OPTIONS OPTIONS
|
||||||
|
fw firewall
|
||||||
|
net ipv6
|
||||||
|
loc ipv6
|
||||||
|
dmz ipv6
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net sit1 detect tcpflags,forward=1,nosmurfs
|
||||||
|
loc eth0 detect tcpflags,forward=1
|
||||||
|
dmz eth2 detect tcpflags,forward=1
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall6/policy</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
net all DROP info
|
||||||
|
loc net ACCEPT
|
||||||
|
dmz net ACCEPT
|
||||||
|
all all REJECT info</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall6/rules</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#
|
||||||
|
# Accept DNS connections from the firewall to the network
|
||||||
|
#
|
||||||
|
DNS/ACCEPT $FW net
|
||||||
|
#
|
||||||
|
# Accept SSH connections from the local network for administration
|
||||||
|
#
|
||||||
|
SSH/ACCEPT loc $FW
|
||||||
|
#
|
||||||
|
# Allow Ping everywhere
|
||||||
|
#
|
||||||
|
Ping/ACCEPT all all
|
||||||
|
|
||||||
|
#
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section id="Tunnel6to4">
|
<section id="Tunnel6to4">
|
||||||
<title>Connecting two IPv6 Networks</title>
|
<title>Connecting two IPv6 Networks, by Eric de Thouars</title>
|
||||||
|
|
||||||
<para>Suppose that we have the following situation:</para>
|
<para>Suppose that we have the following situation:</para>
|
||||||
|
|
||||||
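Review bot: the radvd paragraph says addresses are assigned to hosts connected "to eth0 and eth1", but INTERFACES="eth0 eth2" in the author's script, the radvd.conf that follows has only "interface eth0" and "interface eth2" stanzas, and eth1 shows nothing but a link-local address in the "ip -6 addr ls" output; "eth1" should read "eth2". Two smaller points in the same hunk: the fourth <listitem> in the variable list lacks its leading "SLA - " label, unlike the SIT, INTERFACES and ADDRESS items, and "the part it bold is configured by the /etc/init.d/ipv6 script" should read "the part in bold is configured by".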
@ -63,9 +296,9 @@
|
|||||||
|
|
||||||
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
||||||
communicate with the systems in the 2002:488:999::/64 network. This is
|
communicate with the systems in the 2002:488:999::/64 network. This is
|
||||||
accomplished through use of the <filename>/etc/shorewall/tunnels</filename>
|
accomplished through use of the
|
||||||
file and the <quote>ip</quote> utility for network interface and routing
|
<filename>/etc/shorewall/tunnels</filename> file and the <quote>ip</quote>
|
||||||
configuration.</para>
|
utility for network interface and routing configuration.</para>
|
||||||
|
|
||||||
<para>Unlike GRE and IPIP tunneling, the
|
<para>Unlike GRE and IPIP tunneling, the
|
||||||
<filename>/etc/shorewall/policy</filename>,
|
<filename>/etc/shorewall/policy</filename>,
|
||||||
|
BIN
docs/images/Network2008b.dia
Normal file
Binary file not shown.
BIN
docs/images/Network2008b.dia~
Normal file
Binary file not shown.
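Review bot: docs/images/Network2008b.dia~ is an editor backup copy of Network2008b.dia and should not be committed; drop it from this commit (and add a *~ pattern to the ignore list) so that only Network2008b.dia and the rendered Network2008b.png are added.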
BIN
docs/images/Network2008b.png
Normal file
Binary file not shown.