w00t: IPv6, here I come…
After some tinkering today, I managed to figure out the wonderous black art that is IPv6. Now I get to discover the Internet that IPv4 user’s don’t see.
How does one get hooked up to IPv6? Well, if your ISP doesn’t support it, then you have to establish an IPv6-in-IPv4 tunnel with an IPv6 broker. Since I’m in Australia, naturally, I set up an account with AARNet, and requested a tunnel through them.
Gentoo have a nice little guide, that steps users through setting up with either 6Bone or Freenet6… however it seems AARNet do things slightly differently.
The way I set things up was as follows…
Connecting a host to IPv6 via AARNet
Before we start, you’ll want to make sure you’ve got IPv6 support in your kernel. If you see a directory called /proc/sys/net/ipv6, then chances are good, you’ve got what it takes. 
First, create an account. This is the username and password you’ll use to request the tunnel later. You’ll be emailed a system generated password. You only get one, and there’s no password changing facility (that I can see), so it would be adventageous to keep this email safe.
Next, fill out this form. If you’re just wanting to hook up a single host, then ignore the “Request for /48 prefix”. Otherwise, you’ll need to check that box — in the “Interface Name” field, enter the interface name for your internal LAN interface (e.g. eth1 in my case). You’ll then be asked for your username and password before downloading a setup shell script (linux.sh if you selected Linux).
Now, Place this linux.sh somewhere convenient. I stuffed it into /etc/setup-ipv6. This script is what you’ll use to establish the tunnel. I call it from my /etc/conf.d/local.start (rc.local for those playing along with other distributions), so my tunnel is established at boot.
Right, with that over, it’s now time to install the tools necessary. On Gentoo, simply USE=ipv6 emerge iputils iproute2 freenet6 — Freenet6 use the exact same tools. Other distributions, AARNet provide the tools from their front page. You’ll also want iproute2, and a version of iputils with IPv6 support.
Gentoo users may find it adventageous to set USE=ipv6 in their /etc/make.conf, and update their system so that they can make use of IPv6 support in any applications able to utilise it.
Lastly, we need to configure tspc, the tunnel client. On Gentoo, edit /etc/freenet6/tspc.conf (just hack up the example config). Place in there, the username and password you were given from AARNet, and down the bottom, change the server= line to read broker.aarnet.net.au. You’ll also want to edit the linux.sh file, to make sure the directories mentioned are correct, in particular, TSP_HOME_DIR should point to the directory containing tspc.conf.
And now we’re ready to bring up the tunnel. Run sh linux.sh (or whatever you ended up calling it). You should see something like this…
(23:32) www ~ # /etc/setup-ipv6 --- Start of configuration script. --- Script: setup-ipv6 sit1 setup Setting up link to 202.158.196.131 This host is: 2001:0388:f000:0000:0000:0000:0000:0279/ Adding default route Router configuration Kernel setup net.ipv6.conf.all.forwarding = 1 Adding prefix to eth1 Starting radvd: /usr/sbin/radvd -u radvd -C /etc/freenet6/tsprtadvd.conf --- End of configuration script. --- (23:32) www ~ # _
You’re now running IPv6. Go on, get out there… explore. To check you’re really browsing IPv6, try pointing an IRC client at irc.ipv6.freenode.net (Ohh, and don’t forget to pop in to one of the Gentoo channels and say Hi ;-)), or point your web browser at the KAME website. If you’re running IPv6, their tortise should be dancing (it’s an animated GIF). You can also try pinging various sites such as irc.ipv6.freenode.net or www.kame.net using the ping6 utility.
Sharing the love
So, suppose you asked for a /48 prefix, and you’ve got a bunch of machines sitting behind the router that you want on IPv6 too. Easy fixed. You’ve got a couple of options. One is to set up dhcpv6, or the other, is to simply use radvd. The latter works out of the box, the tunnel script automatically configures radvd for you.
On Gentoo, simply emerge radvd. Then restart your tunnel script. It should start radvd, and within a few seconds, the other machines on your network should receive the route/adressing advertisments, and automatically configure themselves for IPv6.
This is only half of the story though … You then have to enable IP forwarding on your server. (Sound familiar? Should do… same as IPv4).
Simply run echo 1 > /proc/sys/net/ipv6/conf/default/forwarding, and you should see the packets start flowing.
Keeping the nasties out
Now that you’ve got routing set up, it’s time to lay down the law regarding firewall rules. Quite obviously, you don’t want the outside riffraff upsetting your delicate hardware unless it’s got a specific invitation to do so. Make sure you’ve got netfilter6 support in your kernel, and the ip6tables utility. (distributed with iptables)
At the moment, there’s no connection tracking in IPv6, nor is there any network address translation (which is unnecessary on IPv6 anyways). The following is what I use for my firewalling rules, adapt to taste.
# Generated by ip6tables-save v1.3.2 on Sun Sep 11 23:57:08 2005 *mangle :PREROUTING ACCEPT [16827:6712869] :INPUT ACCEPT [1297:98415] :FORWARD ACCEPT [15530:6614454] :OUTPUT ACCEPT [1629:131392] :POSTROUTING ACCEPT [17230:6752830] COMMIT # Completed on Sun Sep 11 23:57:08 2005 # Generated by ip6tables-save v1.3.2 on Sun Sep 11 23:57:08 2005 *filter # By default, drop anything comming in or through us. :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow all ICMP traffic -A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT # Local LAN interfaces (note, since I'm behind an ADSL router, all my interfaces are private, except sit1) -A INPUT -s ::/0 -d ::/0 -i eth+ -j ACCEPT # Allow SSH and IRC connections (I'd open more, but I'll need DNS working first) -A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 6667 -j ACCEPT # Forwarding rules... # Allow internal traffic OUT -A FORWARD -s ::/0 -d ::/0 -i eth+ -j ACCEPT # Allow established connections back IN -A FORWARD -s ::/0 -d ::/0 -i sit1 -o eth+ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT # Allow ICMP traffic -A FORWARD -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT # Log anything else -A FORWARD -s ::/0 -d ::/0 -j LOG --log-prefix "FORWARD IPv6: " COMMIT # Completed on Sun Sep 11 23:57:08 2005
It’s a crude firewall, but it works.
The above guide, is far from being perfect, but hopefully my notes above will assist others in migrating to IPv6.