mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-27 10:03:41 +01:00
de038dad1b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9270 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>6to4 Tunnels</title>

    <authorgroup>
      <author>
        <firstname>Eric</firstname>

        <surname>de Thouars</surname>
      </author>

      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2003-2004</year>

      <year>2008</year>

      <year>2009</year>

      <holder>Eric de Thouars and Tom Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
  to another IPv6 network over an IPv4 infrastructure. It can also allow you
  to experiment with IPv6 even if your ISP doesn't provide IPv6
  connectivity.</para>

  <para>More information on Linux and IPv6 can be found in the <ulink
  url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
  Details on how to set up 6to4 tunnels are described in the section <ulink
  url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
  of 6to4 tunnels</ulink>.</para>

  <section id="FeetWet">
    <title>Getting your Feet Wet with IPv6, by Tom Eastep</title>

    <para>6to4 tunnels provide a good way to introduce yourself to IPv6.
    <ulink url="IPv6Support.html">Shorewall6</ulink> was developed on a
    network whose only IPv6 connectivity was a 6to4 tunnel; that network is
    described in the remainder of this section. What is shown here requires
    Shorewall6 4.2.4 or later.</para>

    <section>
      <title>Configuring IPv6</title>

      <para>I have created an init <ulink
      url="/pub/shorewall/contrib/IPv6/ipv6">script</ulink> to make the job of
      configuring your firewall for IPv6 easier.</para>

      <para>The script is installed in /etc/init.d and configures IPv6,
      including a 6to4 tunnel, at boot time. Note that the script is included
      in the Shorewall6 distribution but is not installed in /etc/init.d by
      default. The RPMs from shorewall.net install the file in the package
      documentation directory.</para>

      <para>The script works on OpenSuSE 11.0 and may need modification for
      other distributions. On OpenSuSE, the script is installed by copying it
      to <filename>/etc/init.d/</filename> then running the command 'chkconfig
      --add ipv6'.</para>

      <para>At the top of the script, you will see several variables:</para>

      <itemizedlist>
        <listitem>
          <para>SIT - The name of the tunnel device. Usually 'sit1'</para>
        </listitem>

        <listitem>
          <para>INTERFACES - local interfaces that you want to configure for
          IPv6</para>
        </listitem>

        <listitem>
          <para>ADDRESS4 - A static IPv4 address on your firewall that you
          want to use for the tunnel.</para>
        </listitem>

        <listitem>
          <para>SLA - The identity of the first local sub-network that you
          want to assign to the interfaces listed in INTERFACES. Normally one
          (0001).</para>
        </listitem>

        <listitem>
          <para>GATEWAY - The default IPv6 gateway. For 6to4, this is
          ::192.88.99.1.</para>
        </listitem>
      </itemizedlist>

      <para>Here is the file from my firewall:</para>

      <programlisting>SIT="sit1"
ADDRESS4=206.124.146.180
INTERFACES="eth2 eth4"
SLA=1
GATEWAY=::192.88.99.1</programlisting>

      <para>eth3 is the interface to my local network (both wired and
      wireless). eth4 goes to my DMZ which holds a single server. Here is a
      diagram of the IPv4 network:</para>

      <graphic align="center" fileref="images/Network2009.png" />

      <para>Here is the configuration after IPv6 is configured; the part in
      bold font is configured by the /etc/init.d/ipv6 script.</para>

      <programlisting>gateway:~ # ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:1::1/64 scope global
       valid_lft forever preferred_lft forever</emphasis>
    inet6 fe80::202:e3ff:fe08:55fa/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
    inet6 fe80::202:e3ff:fe08:484c/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:2::1/64 scope global
       valid_lft forever preferred_lft forever</emphasis>
    inet6 fe80::2a0:ccff:fed2:353a/64 scope link
       valid_lft forever preferred_lft forever
24: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480
<emphasis role="bold">    inet6 ::206.124.146.180/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2002:ce7c:92b4::1/128 scope global
       valid_lft forever preferred_lft forever</emphasis>
gateway:~ # ip -6 route ls
<emphasis role="bold">::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
<emphasis role="bold">2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
2002:ce7c:92b4:1::/64 dev eth0 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
2002:ce7c:92b4:2::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth0 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
<emphasis role="bold">default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
gateway:~ # </programlisting>

      <para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
      beginning with 2002: -- all 6to4 IPv6 addresses have that in their most
      significant 16 bits. The next 32 bits (ce7c:92b4) encode the IPv4
      address ADDRESS4 (206.124.146.180). So once you start the 6to4 tunnel,
      you are the proud owner of 2<superscript>80</superscript> IPv6
      addresses! In the case shown here, 2002:ce7c:92b4::/48. The SLA is used
      to assign each interface in INTERFACES a subnet of
      2<superscript>64</superscript> addresses; in the case of eth0,
      2002:ce7c:92b4:1::/64.</para>
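
      <para>The address arithmetic just described, carried through in code.
      This is an added example, not code from the Shorewall documentation or
      its ipv6 init script; it uses the article's ADDRESS4 and SLA values and
      Python's standard ipaddress module, and it also reverses the mapping to
      recover the IPv4 address hidden in any 2002: address. The rejection of
      non-public IPv4 addresses is an assumption taken from how 6to4 is
      defined (RFC 3056), not something the article states.</para>

```python
"""Derive 6to4 prefixes the way the text above describes.

Added example, not code from the Shorewall documentation or its ipv6 init
script. Input values (ADDRESS4=206.124.146.180, SLA=1 and 2) are the
article's; the public-address check is an assumption taken from how 6to4 is
defined (RFC 3056), not something the article states.
"""
import ipaddress

SIXTO4_TLA = b"\x20\x02"  # every 6to4 address starts with 2002:


def sixto4_prefix(address4: str) -> ipaddress.IPv6Network:
    """Return the /48 that a firewall with public IPv4 address ADDRESS4 owns."""
    v4 = ipaddress.IPv4Address(address4)
    if not v4.is_global:
        # assumption: 6to4 needs a globally routable IPv4 address (RFC 3056)
        raise ValueError(f"{address4} is not a public IPv4 address")
    # 16 bits of 2002:, then the 32-bit IPv4 address, then 80 zero bits
    packed = SIXTO4_TLA + v4.packed + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def sla_subnet(prefix48: ipaddress.IPv6Network, sla: int) -> ipaddress.IPv6Network:
    """Return the /64 that SLA number `sla` selects inside the /48."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a 6to4 /48")
    if sla not in range(0x10000):
        raise ValueError("SLA must fit in 16 bits")
    base = prefix48.network_address.packed
    # bytes 6 and 7 hold the 16-bit SLA; the remaining 64 bits are host bits
    packed = base[:6] + sla.to_bytes(2, "big") + base[8:]
    return ipaddress.IPv6Network((packed, 64))


def embedded_ipv4(address6: str) -> ipaddress.IPv4Address:
    """Reverse the mapping: recover the IPv4 address a 6to4 address encodes."""
    packed = ipaddress.IPv6Address(address6).packed
    if packed[:2] != SIXTO4_TLA:
        raise ValueError(f"{address6} is not a 6to4 address")
    return ipaddress.IPv4Address(packed[2:6])


if __name__ == "__main__":
    p48 = sixto4_prefix("206.124.146.180")
    print(p48, "=", p48.num_addresses, "addresses")   # 2002:ce7c:92b4::/48
    for sla, dev in ((1, "eth0"), (2, "eth2")):
        print(dev, sla_subnet(p48, sla))             # ...:1::/64 and ...:2::/64
    # the server's address from the radvd listing decodes back to ADDRESS4
    print(embedded_ipv4("2002:ce7c:92b4:2:2a0:ccff:fedb:31c4"))
```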

      <para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
      the firewall to allow hosts connected to eth0 and eth2 to automatically
      perform their own IPv6 configuration. Here is my
      <filename>/etc/radvd.conf</filename> file:</para>

      <programlisting>interface eth0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2002:ce7c:92b4:1::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };

        RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
                AdvRDNSSOpen on;
                AdvRDNSSPreference 2;
        };
};

interface eth2 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2002:ce7c:92b4:2::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };

        RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
                AdvRDNSSOpen on;
                AdvRDNSSPreference 2;
        };
};</programlisting>

      <note>
        <para>radvd terminates immediately if IPv6 forwarding is not enabled.
        So it is a good idea to include this in
        <filename>/etc/sysctl.conf</filename>:</para>

        <programlisting>net.ipv6.conf.all.forwarding = 1</programlisting>

        <para>That way, if radvd starts before Shorewall6, it will continue to
        run.</para>

        <para>An alternative is to modify
        <filename>/etc/init.d/radvd</filename> so that radvd starts after
        Shorewall6:</para>

        <programlisting># Should-Start: shorewall6</programlisting>
      </note>

      <para>Here is the automatic IPv6 configuration on my server attached to
      eth2:</para>

      <programlisting>webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic
       valid_lft 2591995sec preferred_lft 604795sec</emphasis>
    inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
       valid_lft forever preferred_lft forever
webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 route ls
<emphasis role="bold">2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
webadmin@lists:~/ftpsite/contrib/IPv6> </programlisting>

      <para>You will note that the public IPv6 address of eth2
      (2002:ce7c:92b4:2:2a0:ccff:fedb:31c4) was formed by concatenating the
      prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) and the lower 64
      bits of the link level address of eth2 (2a0:ccff:fedb:31c4). You will
      also notice that the address 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 appears
      in the RDNSS clauses in radvd.conf; that causes my server to be
      automatically configured as a DNS server.</para>
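
      <para>How that interface identifier comes about, as an added example
      that is not part of the Shorewall documentation. The 64-bit suffix
      2a0:ccff:fedb:31c4 is a modified EUI-64: the NIC's 48-bit MAC with its
      universal/local bit flipped and ff:fe inserted in the middle, so the
      same suffix appears in both the link-local and the radvd-derived global
      address. The MAC 00:a0:cc:db:31:c4 used here is inferred from that
      suffix; the article does not state it. The reverse function shows why
      EUI-64 addresses let an observer read a host's MAC off the wire.</para>

```python
"""Build a SLAAC address from an advertised prefix and a MAC, as the text
above describes for the server's eth2.

Added example, not from the Shorewall documentation. The MAC
00:a0:cc:db:31:c4 is inferred from the listing's interface ID
(2a0:ccff:fedb:31c4); the article does not state it.
"""
import ipaddress

EUI64_FILLER = b"\xff\xfe"
UL_BIT = 0x02  # universal/local bit of the first octet (RFC 4291, Appendix A)


def parse_mac(mac: str) -> bytes:
    """Accept 00:a0:cc:db:31:c4 or 00-a0-cc-db-31-c4 and return 6 raw bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return octets


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    m = parse_mac(mac)
    return bytes([m[0] ^ UL_BIT]) + m[1:3] + EUI64_FILLER + m[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Concatenate an advertised /64 prefix with the EUI-64 derived from MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(address: str) -> str:
    """Recover the MAC that an EUI-64 based address exposes.

    Raises ValueError if the interface ID is not EUI-64 shaped (for example a
    privacy-extension or manually assigned address)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != EUI64_FILLER:
        raise ValueError(f"{address} does not carry an EUI-64 interface ID")
    m = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in m)


if __name__ == "__main__":
    mac = "00:a0:cc:db:31:c4"  # inferred from the listing, see above
    print(slaac_address("2002:ce7c:92b4:2::/64", mac))  # radvd prefix for eth2
    print(slaac_address("fe80::/64", mac))              # the link-local address
    print(mac_from_address("2002:ce7c:92b4:2:2a0:ccff:fedb:31c4"))
```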

      <para>The default route is described using the link level address of
      eth2 on the firewall (fe80::2a0:ccff:fed2:353a).</para>

      <para>On my laptop, ursa:</para>

      <programlisting>ursa:~ # ip -6 addr ls dev eth0
3: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold">    inet6 2002:ce7c:92b4:1:21a:24ff:fecb:2bcc/64 scope global dynamic
       valid_lft 2591996sec preferred_lft 604796sec</emphasis>
    inet6 fe80::21a:73ff:fedb:8c35/64 scope link
       valid_lft forever preferred_lft forever
ursa:~ # ip -6 route ls dev eth0
<emphasis role="bold">2002:ce7c:92b4:1::/64 proto kernel metric 256 expires 2592160sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 metric 256 expires 21314573sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::202:e3ff:fe08:55fa proto kernel metric 1024 expires 28sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
ursa:~ #</programlisting>

      <para>Here is the resulting simple IPv6 Network:</para>

      <graphic align="center" fileref="images/Network2008c.png" />
    </section>

    <section>
      <title>Configuring Shorewall</title>

      <para>We need to add an entry in /etc/shorewall/tunnels and restart
      Shorewall:</para>

      <programlisting>#TYPE           ZONE    GATEWAY         GATEWAY
#                                       ZONE
6to4            net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
    </section>

    <section>
      <title>Configuring Shorewall6</title>

      <para><emphasis role="bold">STOP</emphasis> -- If you have followed the
      instructions above, you should have a completely functional IPv6
      network. Try:</para>

      <programlisting>ping6 2001:19f0:feee::dead:beef:cafe
</programlisting>

      <para>If that doesn't work from your firewall and from any local IPv6
      systems that you have behind your firewall, do not go any further until
      it does work. If you ask for help from the Shorewall team, the first
      question we will ask is 'With Shorewall6 cleared, can you ping6
      2001:19f0:feee::dead:beef:cafe?'.</para>

      <para>The Shorewall6 configuration on my firewall is a very basic
      three-interface one.</para>

      <para>Key entry in
      <filename>/etc/shorewall6/shorewall6.conf</filename>:</para>

      <programlisting>IP_FORWARDING=On</programlisting>

      <para><filename>/etc/shorewall6/zones</filename>:</para>

      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv6
loc     ipv6
dmz     ipv6
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

      <para><filename>/etc/shorewall6/interfaces</filename>:</para>

      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     sit1            detect          tcpflags,forward=1,nosmurfs
loc     eth0            detect          tcpflags,forward=1
dmz     eth2            detect          tcpflags,forward=1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>

      <para><filename>/etc/shorewall6/policy</filename>:</para>

      <programlisting>#SOURCE DEST    POLICY          LOG     LIMIT:BURST
#                               LEVEL
net     all     DROP            info
loc     net     ACCEPT
dmz     net     ACCEPT
all     all     REJECT          info</programlisting>

      <para><filename>/etc/shorewall6/rules</filename>:</para>

      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
#                                       PORT    PORT(S) DEST            LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT      $FW     net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT      loc     $FW
#
# Allow Ping everywhere
#
Ping/ACCEPT     all     all

#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
    </section>
  </section>

  <section id="Tunnel6to4">
    <title>Connecting two IPv6 Networks, by Eric de Thouars</title>

    <para>Suppose that we have the following situation:</para>

    <graphic fileref="images/TwoIPv6Nets1.png" />

    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
    accomplished through use of the
    <filename>/etc/shorewall/tunnels</filename> file and the <quote>ip</quote>
    utility for network interface and routing configuration.</para>

    <para>Unlike GRE and IPIP tunneling, the
    <filename>/etc/shorewall/policy</filename>,
    <filename>/etc/shorewall/interfaces</filename> and
    <filename>/etc/shorewall/zones</filename> files are not used. There is no
    need to declare a zone to represent the remote IPv6 network. This remote
    network is not visible on the IPv4 interfaces or to iptables. All that is
    visible at the IPv4 level is an IPv4 stream which contains IPv6 traffic.
    Separate IPv6 interfaces and ip6tables rules need to be defined to handle
    this traffic.</para>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
    the following:</para>

    <programlisting>#TYPE           ZONE    GATEWAY         GATEWAY ZONE
6to4            net     134.28.54.2</programlisting>

    <para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
    firewall so that the IPv6 encapsulation protocol (41) will be accepted
    to/from the remote gateway.</para>

    <para>Use the following commands to set up system A:</para>

    <programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
><command>ip link set dev tun6to4 up</command>
><command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
><command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>

    <para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
    B we have:</para>

    <programlisting>#TYPE           ZONE    GATEWAY         GATEWAY ZONE
6to4            net     206.191.148.9</programlisting>

    <para>And use the following commands to set up system B:</para>

    <programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
><command>ip link set dev tun6to4 up</command>
><command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
><command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>

    <para>On both systems, restart Shorewall and issue the configuration
    commands as listed above. The systems in both IPv6 subnetworks can now
    talk to each other using IPv6.</para>
  </section>
</article>