Firewall+IPv6 Tunnel mini-HOWTO

Hernán Freschi

version 0.1, 2002-11-27

How to add IPv6 over IPv4 support to your network behind a NAT router.

----------------------------------------------------------------------

Table of Contents

1. Introduction
   1.1 Copyright
   1.2 Disclaimer
   1.3 Credits
   1.4 Changelog
2. What's IPv6? What can it do for me?
3. How do I connect to the 6bone?
4. What should I allow through the firewall?
5. Configuring the IPv6 machines/routers
   5.1 Linux
   5.2 Windows
       5.2.1 IPv6 stand-alone machine
       5.2.2 IPv6 network
             5.2.2.1 The Router
             5.2.2.2 The clients
6. Examples
   6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.
   6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.

----------------------------------------------------------------------

1. Introduction

1.1 Copyright

This document is Copyright 2002 by Hernán Freschi. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at www.gnu.org.

1.2 Disclaimer

Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

1.3 Credits

Hernán Freschi

Microsoft, Windows, 2000, XP, SP1, .NET Server 2003 are all trademarks of Microsoft Corp.
Any comments or suggestions can be mailed to my mail address: hjf(at)hjf.com.ar

This document is still in beta phase, so errors and omissions may be present.

1.4 Changelog

0.1 Initial Release.

Getting Started

2. What's IPv6? What can it do for me?

Sorry, that is beyond the scope of this document. This document aims to set up an iptables firewall that allows incoming traffic from an IPv6 tunnel.

3. How do I connect to the 6bone?

Through a tunnel broker! Get your account (for free) at:

   www.tunnelbroker.net (USA)
   tb.ipv6.btexact.com (UK)
   tb.ngnet.it (Italy?)

You could also use www.freenet6.net, but they use proprietary software, which doesn't run inside a network. But it's easier to implement and even assigns /48 subnets.

4. What should I allow through the firewall?

Everything that comes from the tunnel address, except ICMP (what for? let the Linux box answer, so those packets don't get into the network). The rules I use are these:

   iptables -A FORWARD -s <tunnel endpoint> -p ! ICMP -i eth0 -j ACCEPT
   iptables -t nat -A PREROUTING -i eth0 -j DNAT --to <internal IPv6 box>

And that's it. The outgoing packets don't need special treatment.

Note: This, of course, assumes that your Linux firewall doesn't handle the IPv6 packets. It's designed to run on tiny distros like FloppyFW (www.zelow.no/floppyfw) or LRP (www.lrp.org). With this, the firewall doesn't need support for IPv6. These packets are handled on an internal, more powerful (i.e. with a hard disk) computer.

5. Configuring the IPv6 machines/routers

5.1 Linux

I don't have a Linux box to experiment with; you can either a) donate a hard disk, so I can install Linux again, or b) write this section for me :)

5.2 Windows

(2000/XP/XP-SP1/.NET Server 2003 ONLY! Win9x is UNSUPPORTED).

First of all, you have to install IPv6 support:

   C:\> ipv6 install
   Installing...
   Success.

5.2.1 IPv6 stand-alone machine

Use your broker's script! If they didn't provide one, use these:

   ipv6.exe rtu ::/0 2/::<tunnel endpoint>
   ipv6.exe adu 2/<your IPv6 address>

The 2/ is the Interface Index. It's usually 2, but it may vary.
If in doubt, type ipv6 if and look for a line like this:

   Interface 2: Automatic tunnel pseudo-interface

The number, obviously, is the one you are looking for.

5.2.2 IPv6 network

(Note: this applies only to the external network. If you need help setting up the IPv6 LAN, read www.microsoft.com/ipv6)

5.2.2.1 The Router

Use your broker's script! If they didn't provide one, use these:

   ipv6.exe rtu ::/0 2/::<tunnel endpoint>
   ipv6.exe adu 2/<your IPv6 address>
   ipv6.exe rtu <your prefix>/<prefix length> 4 pub life 86400
   ipv6.exe ifc 2 forw
   ipv6.exe ifc 3 forw
   ipv6.exe ifc 4 forw adv

2, 3, 4 are the interface indices. They may vary. To find out, type ipv6 if

5.2.2.2 The clients

You don't need to do anything; they are auto-configured.

6. Examples

6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.

Equipment required:

   1 Box capable of running iptables (kernel = 2.4.x)
   1 Box running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.

Tunnel:

   1 /127 Allocation from Hurricane Electric

   +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
   |WIN|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\ 6bone /
   +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
   10.42.42.100<->10.42.42.1 <-> 209.13.122.2 <-> ipv6.he.net <-> 2001:470:1F00:FFFF::xxxx

Configuration:

On the Linux box type:

   iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
   iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100

On the MS box type:

   ipv6 rtu ::/0 2/::64.71.128.82 pub
   ipv6 adu 2/2001:470:1F00:FFFF::xxxx

Congratulations. You are set. Now try pinging 6bone.net, for example.

6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.

Equipment required:

   1 Box capable of running iptables (kernel = 2.4.x)
   n Boxes running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.
Tunnel:

   1 /64 Allocation from Hurricane Electric

   +---+ +---+ +---+
   |WIN| |WIN| |WIN|
   +---+ +---+ +---+
     +-----+-----+
     |
     | +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
     +-|WRT|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\ 6bone /
       +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
       10.42.42.100<->10.42.42.1 <-> 209.13.122.2 <-> 193.113.58.80 <-> 2001:618:400::xxxx:xxxx

Configuration:

On the Linux box type:

   iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
   iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100

On the MS router type:

   ipv6.exe rtu ::/0 2/::193.113.58.80
   ipv6.exe adu 2/2001:618:400::xxxx:xxxx
   ipv6.exe rtu 2001:618:400:xxxx::/64 4 pub life 86400
   ipv6.exe ifc 2 forw
   ipv6.exe ifc 3 forw
   ipv6.exe ifc 4 forw adv

On the other machines type: nothing, they are auto-configured.

If they don't work, try:

   ipv6 reset

If that doesn't work, check for a default route (::/0):

   ipv6 rt

If there isn't one, try adding one:

   ipv6 rtu ::/0 n/<your router's IPv6 address>

(where n is the interface index of the ethernet board connected to the network, usually 4).

If it works, but the next time you reboot it does not auto-configure, then maybe you are not publishing the default route on the router.

Congratulations. You are set. Now try pinging 6bone.net, for example.
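The following POSIX shell script is an added example and is not part of the original HOWTO. It generates both halves of the configuration described in sections 4, 5.2.2.1 and 6 from a single set of variables, so that the tunnel endpoint written into the iptables rules and the one written into the Windows default route can never drift apart. The function names (is_ipv4, linux_rules, windows_router) are this example's own; the ipv6.exe command forms are copied from the HOWTO, with the interface indices 2 (tunnel) and 4 (LAN) that it uses. Two things here go beyond the text: the FORWARD and DNAT rules match only IP protocol 41 (IPv6-in-IPv4, which is all a configured tunnel carries) instead of "everything except ICMP", a tighter choice made in this example, and the router's default route is marked pub, following the HOWTO's own troubleshooting note about publishing the default route. Sample values are the HOWTO's; the /64 prefix and the xxxx fields are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not from the original HOWTO.  Nothing is executed here:
# the Linux rules are printed for review and the Windows commands are
# printed to be typed on the IPv6 box.

# is_ipv4 ADDR -> success if ADDR is a dotted quad with each octet 0-255.
# Catches the typo case before it becomes a firewall rule that matches
# nothing (or the wrong host).
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# linux_rules WAN_IF TUNNEL_EP INNER_HOST
#   The two iptables rules from section 4, restricted to IP protocol 41
#   (this example's hardening; the HOWTO allows everything but ICMP).
#   DNAT in nat/PREROUTING runs before FORWARD, so the FORWARD rule can
#   match on the already-rewritten destination.
linux_rules() {
    wan_if=$1 tunnel_ep=$2 inner_host=$3
    is_ipv4 "$tunnel_ep" && is_ipv4 "$inner_host" || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p 41 -j DNAT --to-destination %s\n' \
        "$wan_if" "$tunnel_ep" "$inner_host"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p 41 -j ACCEPT\n' \
        "$wan_if" "$tunnel_ep" "$inner_host"
}

# windows_router TUN_IF LAN_IF TUNNEL_EP V6_ADDR PREFIX
#   The ipv6.exe commands from section 5.2.2.1 for the machine that
#   terminates the tunnel and advertises PREFIX on LAN_IF.  The default
#   route is published (pub) so clients learn it, as the HOWTO's
#   troubleshooting note at the end of 6.2 recommends.
windows_router() {
    tun_if=$1 lan_if=$2 tunnel_ep=$3 v6_addr=$4 prefix=$5
    is_ipv4 "$tunnel_ep" || return 1
    printf 'ipv6.exe rtu ::/0 %s/::%s pub\n' "$tun_if" "$tunnel_ep"
    printf 'ipv6.exe adu %s/%s\n' "$tun_if" "$v6_addr"
    printf 'ipv6.exe rtu %s %s pub life 86400\n' "$prefix" "$lan_if"
    printf 'ipv6.exe ifc %s forw\n' "$tun_if"
    printf 'ipv6.exe ifc %s forw adv\n' "$lan_if"
}

# Sample run with the 6.2 topology (tunnel endpoint and inner host from the
# HOWTO's diagram; prefix and xxxx fields are placeholders).
echo '# --- Linux firewall ---'
linux_rules eth0 193.113.58.80 10.42.42.100
echo '# --- Windows IPv6 router ---'
windows_router 2 4 193.113.58.80 2001:618:400::xxxx:xxxx 2001:618:400:xxxx::/64
```

Run it on any POSIX shell, check the printed lines against your broker's assignment, then paste the first block into the firewall's startup script and the second into the Windows router. Keeping one variable for the tunnel endpoint is the point of the exercise: the `-s` in the iptables rules and the `2/::` in the Windows default route must name the same broker address, or the firewall will silently drop the tunnel.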