Ryan Finnie


IPv6: Living in the future, etc, etc

  • Posted by Ryan Finnie on April 30, 2010, 7:48 pm

Well, it's 2010, and I'm finally living in The Future. I now have an ISP, my colo provider, that offers native IPv6. I switched over my irssi connections to make sure all IPv6-capable IRC networks are connecting via IPv6. (OFTC, Foonetic, Coldfront, Freenode -- sadly, Slashnet is the only one without an IPv6 server.) I have also added AAAA records to many of my hosted domains, such as finnie.org, finnix.org, x11r5.com, velociraptors.info and hampr.com. Also, I can reasonably assume I am running the world's only IPv6 TCPMUX server.

While I do not have native IPv6 at home, I am using Hurricane Electric's Tunnel Broker service. I'm not going to go into details on how to set this up, but I do want to stress the importance of firewalling IPv6. In the IPv4 world, NAT is used as a security crutch. In "The Future", when everything is IPv6, NAT will be irrelevant, but because of that, firewalling is that much more important. If you use an IPv6 tunneling service, be sure your internal LAN (which then becomes an externally reachable LAN) is properly firewalled.

In Linux, this requires the use of ip6tables. I personally use a simple setup, allowing outbound traffic, inbound ICMP, inbound SSH and a few select inbound services to individual machines. I've included my ip6tables config below.

# Set a default DROP policy.  Note that this only affects IPv6 traffic,
# it does not affect the regular iptables FORWARD policy.
ip6tables -P FORWARD DROP
# Allow any outbound traffic from your local LAN (2001:470:1f05:22e::/64). 
# Replace "hetunnel" with your tunnel/outbound interface (or leave it off,
# though it helps prevent possible spoofing).
ip6tables -A FORWARD -s 2001:470:1f05:22e::/64 -o hetunnel -j ACCEPT
# Allow any established inbound or outbound traffic.
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP inbound.  "ipv6-icmp" is required for ip6tables here.
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# Allow SSH inbound to any host.
ip6tables -A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow µTorrent inbound tcp/udp, to my Vista machine in this case.
ip6tables -A FORWARD -p tcp -d 2001:470:1f05:22e:24c3:ff01:e72a:3487 \
  --dport 30173 -m state --state NEW -j ACCEPT
ip6tables -A FORWARD -p udp -d 2001:470:1f05:22e:24c3:ff01:e72a:3487 \
  --dport 30173 -m state --state NEW -j ACCEPT
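As an added check (not part of the original post), here is a small Python script that audits the text of `ip6tables -S FORWARD` for the properties the ruleset above relies on: a default DROP policy, a RELATED,ESTABLISHED accept, ICMPv6 permitted, and no ACCEPT rule that admits new connections to any host on any port. The sample chain is constructed from the rules in the post; the function and finding strings are this example's own.

```python
"""Audit an ip6tables FORWARD chain (output of `ip6tables -S FORWARD`)
for the properties a tunneled LAN firewall needs: default DROP,
an ESTABLISHED accept, ICMPv6 allowed, no wide-open ACCEPT."""
import shlex

# Constructed from the rules in the post, not captured from a live router.
SAMPLE_FORWARD = """\
-P FORWARD DROP
-A FORWARD -s 2001:470:1f05:22e::/64 -o hetunnel -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -d 2001:470:1f05:22e:24c3:ff01:e72a:3487/128 -p tcp -m tcp --dport 30173 -m state --state NEW -j ACCEPT
-A FORWARD -d 2001:470:1f05:22e:24c3:ff01:e72a:3487/128 -p udp -m udp --dport 30173 -m state --state NEW -j ACCEPT
"""

ICMP6 = ("ipv6-icmp", "icmpv6")


def parse_rule(line):
    """Map each option of one `-A` line to its value (True for bare flags)."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def audit_forward(text):
    """Return a list of problems; an empty list means the chain is sane."""
    lines = text.splitlines()
    policy = [l.split()[2] for l in lines if l.startswith("-P FORWARD")]
    rules = [parse_rule(l) for l in lines if l.startswith("-A FORWARD")]
    accepts = [r for r in rules if r.get("-j") == "ACCEPT"]
    problems = []
    if policy != ["DROP"]:
        problems.append("policy not DROP")
    if not any("ESTABLISHED" in str(r.get("--state", "")) for r in accepts):
        problems.append("no RELATED,ESTABLISHED accept")
    if not any(r.get("-p") in ICMP6 for r in accepts):
        problems.append("ICMPv6 not allowed")  # breaks NDP and PMTU discovery
    for r in accepts:
        if "ESTABLISHED" in str(r.get("--state", "")) or r.get("-p") in ICMP6:
            continue
        # No source, destination or port means any new connection from the
        # Internet reaches every host behind the tunnel.
        if not any(k in r for k in ("-s", "-d", "--dport")):
            problems.append("unrestricted ACCEPT (no -s/-d/--dport)")
    return problems
```

Feed it `ip6tables -S FORWARD` output from your tunnel endpoint; the post's ruleset returns no findings, while a chain left at `-P FORWARD ACCEPT` or containing a bare `-A FORWARD -j ACCEPT` is flagged.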

One Response to “IPv6: Living in the future, etc, etc”

  1. IPv6 in the Finnie » Ryan Finnie says:
    February 3, 2011 at 11:24 pm

    [...] The DNS server is listening on IPv6. The 2ping listener on colobox was of course designed to be IPv6 aware from the start. And I am still pretty sure I am running the only IPv6 enabled TCPMUX server on the Internet. [...]
