shorewall_code/docs/6to4.xml

422 lines
17 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>6to4 Tunnels</title>
<authorgroup>
<author>
<firstname>Eric</firstname>
<surname>de Thouars</surname>
</author>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2003-2004</year>
<year>2008</year>
<year>2009</year>
<holder>Eric de Thouars and Tom Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure. It can also allow you
to experiment with IPv6 even if your ISP doesn't provide IPv6
connectivity.</para>
<para>More information on Linux and IPv6 can be found in the <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
Details on how to setup a 6to4 tunnels are described in the section <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</ulink>.</para>
<section id="FeetWet">
<title>Getting your Feet Wet with IPv6, by Tom Eastep</title>
<para>6to4 tunnels provide a good way to introduce yourself to IPv6.
<ulink url="IPv6Support.html">Shorewall6</ulink> was developed on a
network whose only IPv6 connectivity was an 6to4 Tunnel; that network is
described in the remainder of this section. What is shown here requires
Shorewall6 4.2.4 or later.</para>
<section>
<title>Configuring IPv6</title>
<para>I have created an init <ulink
url="/pub/shorewall/contrib/IPv6/ipv6">script</ulink> to make the job of
configuring your firewall for IPv6 easier.</para>
<para>The script is installed in /etc/init.d and configures ipv6,
including a 6to4 tunnel, at boot time. Note that the script is included
in the Shorewall6 distribution but is not installed in /etc/init.d by
default. The RPMs from shorewall.net, install the file in the package
documentation directory.</para>
<para>The script works on OpenSuSE 11.0 and may need modification for
other distributions. On OpenSuSE, the script is installed by copying it
to <filename>/etc/init.d/</filename> then running the command 'chkconfig
--add ipv6'.</para>
<para>At the top of the script, you will see several variables:</para>
<itemizedlist>
<listitem>
<para>SIT - The name of the tunnel device. Usually 'sit1'</para>
</listitem>
<listitem>
<para>INTERFACES - local interfaces that you want to configure for
IPv6</para>
</listitem>
<listitem>
<para>ADDRESS4 - A static IPv4 address on your firewall that you
want to use for the tunnel.</para>
</listitem>
<listitem>
<para>SLA - The identity of the first local sub-network that you
want to assign to the interfaces listed in INTERFACES. Normally one
(0001).</para>
</listitem>
<listitem>
<para>GATEWAY - The default IPv6 gateway. For 6to4, this is
::192.88.99.1.</para>
</listitem>
</itemizedlist>
<para>Here is the file from my firewall:</para>
<programlisting>SIT="sit1"
ADDRESS4=206.124.146.180
INTERFACES="eth2 eth4"
SLA=1
GATEWAY=::192.88.99.1</programlisting>
<para>eth2 is the interface to my local network (both wired and
wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" />
<para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para>
<programlisting>gateway:~ # ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold"> inet6 2002:ce7c:92b4:1::1/64 scope global
valid_lft forever preferred_lft forever</emphasis>
inet6 fe80::202:e3ff:fe08:55fa/64 scope link
valid_lft forever preferred_lft forever
3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
inet6 fe80::202:e3ff:fe08:484c/64 scope link
valid_lft forever preferred_lft forever
4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold"> inet6 2002:ce7c:92b4:2::1/64 scope global
valid_lft forever preferred_lft forever</emphasis>
inet6 fe80::2a0:ccff:fed2:353a/64 scope link
valid_lft forever preferred_lft forever
24: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480
<emphasis role="bold"> inet6 ::206.124.146.180/128 scope global
valid_lft forever preferred_lft forever
inet6 2002:ce7c:92b4::1/128 scope global
valid_lft forever preferred_lft forever</emphasis>
gateway:~ # ip -6 route ls
<emphasis role="bold">::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
<emphasis role="bold">2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
2002:ce7c:92b4:1::/64 dev eth0 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
2002:ce7c:92b4:2::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth0 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
<emphasis role="bold">default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
gateway:~ # </programlisting>
<para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
interface in INTERFACES, a subnet of 2<superscript>64</superscript>
addresses; in the case of eth0, 2002:ce7c:92b4:1::/64.</para>
<para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
the firewall to allow hosts conntected to eth0 and eth2 to automatically
perform their own IPv6 configuration. Here is my
<filename>/etc/radvd.conf</filename> file:</para>
<programlisting>interface eth0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2002:ce7c:92b4:1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
AdvRDNSSOpen on;
AdvRDNSSPreference 2;
};
};
interface eth2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2002:ce7c:92b4:2::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
AdvRDNSSOpen on;
AdvRDNSSPreference 2;
};
};</programlisting>
<note>
<para>radvd terminates immediately if IPv6 forwarding is not enabled.
So it is a good idea to include this in<filename>
/etc/sysctl.conf</filename>:</para>
<programlisting>net.ipv6.conf.all.forwarding = 1</programlisting>
<para>That way, if radvd starts before Shorewall6, it will continue to
run.</para>
<para>An alternative is to modify
<filename>/etc/init.d/radvd</filename> so that radvd starts after
Shorewall6:</para>
<programlisting># Should-Start: shorewall6</programlisting>
</note>
<para>Here is the automatic IPv6 configuration on my server attached to
eth2:</para>
<programlisting>webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 addr ls
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold"> inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic
valid_lft 2591995sec preferred_lft 604795sec</emphasis>
inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
valid_lft forever preferred_lft forever
webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 route ls
<emphasis role="bold">2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
webadmin@lists:~/ftpsite/contrib/IPv6&gt; </programlisting>
<para>You will note that the public IPv6 address of eth2
(2002:ce7c:92b4:2:2a0:ccff:fedb:31c4) was formed by concatenating the
prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) and the lower 64
bits of the link level address of eth2 (2a0:ccff:fedb:31c4). You will
also notice that the address 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 appears
in the RDNSS clauses in radvd.conf; that causes my server to be
automatically configured as a DNS server.</para>
<para>The default route is described using the link level address of
eth2 on the firewall (fe80::2a0:ccff:fed2:353a).</para>
<para>On my laptop, ursa:</para>
<programlisting>ursa:~ # ip -6 addr ls dev eth0
3: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
<emphasis role="bold"> inet6 2002:ce7c:92b4:1:21a:24ff:fecb:2bcc/64 scope global dynamic
valid_lft 2591996sec preferred_lft 604796sec</emphasis>
inet6 fe80::21a:73ff:fedb:8c35/64 scope link
valid_lft forever preferred_lft forever
ursa:~ # ip -6 route ls dev eth0
<emphasis role="bold">2002:ce7c:92b4:1::/64 proto kernel metric 256 expires 2592160sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
fe80::/64 metric 256 expires 21314573sec mtu 1500 advmss 1440 hoplimit 4294967295
<emphasis role="bold">default via fe80::202:e3ff:fe08:55fa proto kernel metric 1024 expires 28sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
ursa:~ #</programlisting>
<para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2008c.png" />
</section>
<section>
<title>Configuring Shorewall</title>
<para>We need to add an entry in /etc/shorewall/tunnels and restart
Shorewall:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
6to4 net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>
<section>
<title>Configuring Shorewall6</title>
<para><emphasis role="bold">STOP</emphasis> -- If you have followed the
instructions above, you should have a completely functional IPv6
network. Try:</para>
<programlisting>ping6 2001:19f0:feee::dead:beef:cafe
</programlisting>
<para>If that doesn't work from your firewall and from any local IPv6
systems that you have behind your firewall, do not go any further until
it does work. If you ask for help from the Shorewall team, the first
question we will ask is 'With Shorewall6 cleared, can you ping6
2001:19f0:feee::dead:beef:cafe?'.</para>
<para>The Shorewall6 configuration on my firewall is a very basic
three-interface one.</para>
<para>Key entry in
<filename>/etc/shorewall6/shorewall6.conf</filename>:</para>
<programlisting>IP_FORWARDING=On</programlisting>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv6
loc ipv6
dmz ipv6
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net sit1 detect tcpflags,forward=1,nosmurfs
loc eth0 detect tcpflags,forward=1
dmz eth2 detect tcpflags,forward=1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall6/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
loc net ACCEPT
dmz net ACCEPT
all all REJECT info</programlisting>
<para><filename>/etc/shorewall6/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping everywhere
#
Ping/ACCEPT all all
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>
</section>
<section id="Tunnel6to4">
<title>Connecting two IPv6 Networks, by Eric de Thouars</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" />
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the
<filename>/etc/shorewall/tunnels</filename> file and the <quote>ip</quote>
utility for network interface and routing configuration.</para>
<para>Unlike GRE and IPIP tunneling, the
<filename>/etc/shorewall/policy</filename>,
<filename>/etc/shorewall/interfaces</filename> and
<filename>/etc/shorewall/zones</filename> files are not used. There is no
need to declare a zone to represent the remote IPv6 network. This remote
network is not visible on IPv4 interfaces and to iptables. All that is
visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic.</para>
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 134.28.54.2</programlisting>
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.</para>
<para>Use the following commands to setup system A:</para>
<programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
&gt;<command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
B we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 206.191.148.9</programlisting>
<para>And use the following commands to setup system B:</para>
<programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
&gt;<command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
<para>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</para>
</section>
</article>