alien9999999 (Premium member, joined 2002-05-21, B-3000)
Installing IPv6 Server
[pictures: server room; server]
I've been waiting for my server to get back and finally, it's back! And free of charge! Yay!
Now that I have it back, I'll need to reinstall it of course; some things were wrong, others needed adjustment, plus it has a new disk!
Both SATA disks were not recognized on the sata_via (maybe because one is SATA II), so I plugged them into the sata_promise chip.
BASE install
I installed from HD with the DVD ISO of Mandriva 2007 on a data partition; I used an x86_64 multi-installer CD to boot.
Installed it painlessly, but used grub instead of lilo.
After install, I booted into it and used easyurpmi.zarb.org to rectify the install. I removed the DVD reference and updated using
urpmi --auto-select
I then removed all i586 packages, but I did include the i586 sources as well, in case something isn't x86_64 yet (so far nothing I need isn't 64-bit). I also installed a new kernel.
rpm -qa --queryformat="%{NAME}-%{VERSION}-%{ARCH}\n" | grep -v noarch | grep -v x86_64
At this point, I moved it to its new location and rewired what was necessary.
Booted up again and used the new kernel. (I still let it start X at boot; I plan to use remote XDMCP sessions from it later on.)
First I got ssh working and routing, so my LAN could go to the internet and reach the server (I did this with the drakconf tools).
Then I removed monitor/keyboard and put the rest of the cables where they should be, and I cleaned up (see pictures below).
First I migrated the mail server, so its operation could go on: used postfix with procmail, copied the mail to its location (~/Maildir) for all users, and set it up so it could receive mail (quick & dirty, because I'll be configuring it fully later on).
Since other people use it, I decided to install squirrelmail and dovecot right away (also quick & dirty).
Finally: the real work!
I already had a tunnel from www.sixxs.net, so I used aiccu again to set up the tunnel. This isn't very hard to do; just remember that your IPv4 address must be pingable, and some ports need to be accessible for tunnel info. Also, once you have the sixxs device, you must make sure that your IPv6 tunnel address is pingable. Remember that your time must be EXACT! Use ntpdate to synchronize and use a daemon to keep it synchronized.
I configured the other servers first, but upon reflection it would have been better to request my subnet much earlier; it's disabled by default anyway and takes a while to be approved.
I have found no good ip6tables or combined iptables/ip6tables frontend, even after extensive googling. This is a real caveat!
I installed radvd and set the configuration to use the prefix (only interface and prefix are required). You do have to make sure that your interface has an IPv6 address that's within that subnet. Of course, there isn't much to do with this, so I'll use dhcp6 also later on. I added the AdvManagedFlag, which is supposedly a way to coexist with dhcp6. At this point I was very surprised that my client PC already had a routable IPv6 address from that prefix... it happened very fast and was immediately working. I was able to reach the webserver on my server with its new IPv6 address (from the subnet) at once. (I received a /48, but I read that I should use /64 for subnetting.)
# ifconfig eth0 add xxxx:xxxx:xxxx:xxxx::1/64
# for i in /proc/sys/net/ipv6/conf/*/forwarding ; do echo "1" > $i ; done
# route --inet6 add default gw xxxx:xxxx:xxxx:xxxx::1 dev sixxs
I used the network-scripts to make it work on reboot.
extra in /etc/sysconfig/network-scripts/ifcfg-eth0:
IPV6INIT=yes
IPV6ADDR=xxxx:xxxx:xxxx:xxxx::1/64
extra in /etc/sysconfig/network:
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
IPV6_DEFAULTGW=xxxx:xxxx:xxxx:xxxx::1 #(don't know if this is required or not)
IPV6_DEFAULTDEV=sixxs
Then I made myself the following init script, /etc/init.d/fire6wall:
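As an added example (not from the original post), here is a small POSIX shell tool for the two checks the radvd and ifcfg step above calls for: that the host's address really lies inside the /64 being advertised, and that what goes into radvd.conf is a /64 and not the whole /48 (SLAAC forms 64-bit interface identifiers, so a /48 prefix would not autoconfigure anything). The addresses are constructed documentation values from 2001:db8::/32, not the tunnel's real prefix, and the function names (expand_ipv6, in_prefix, classify, gen_radvd_conf) are my own. classify makes the same distinction the firewall script further down draws between the used /64 and the rest of the delegated /48.

```shell
#!/bin/sh
# Added example: prefix sanity checks for the radvd / ifcfg step.
# Constructed documentation addresses (2001:db8::/32), not the poster's tunnel.
set -eu

# Expand an IPv6 address to eight zero-padded groups, lower case, e.g.
# 2001:db8:1:1::1 -> 2001:0db8:0001:0001:0000:0000:0000:0001
expand_ipv6() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i != "") n++
        out = ""; gap = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {
                if (gap) continue          # second half of a leading/trailing "::"
                gap = 1
                for (j = 0; j < 8 - n; j++) out = out (out == "" ? "" : ":") "0000"
            } else {
                out = out (out == "" ? "" : ":") substr("0000" $i, length($i) + 1)
            }
        }
        print out
    }'
}

# in_prefix ADDR PREFIX/LEN: true when ADDR lies inside PREFIX.  LEN must be a
# multiple of 16 (48, 64, ...) so that comparing whole groups is enough.
in_prefix() {
    case "$2" in */*) ;; *) echo "prefix needs a /length: $2" >&2; return 2 ;; esac
    len="${2#*/}"
    [ "$len" -ge 16 ] && [ $((len % 16)) -eq 0 ] || { echo "unsupported length /$len" >&2; return 2; }
    groups=$((len / 16))
    addr=$(expand_ipv6 "$1" | cut -d: -f1-"$groups")
    pfx=$(expand_ipv6 "${2%/*}" | cut -d: -f1-"$groups")
    [ "$addr" = "$pfx" ]
}

# classify ADDR USED_NET DELEGATED_NET: prints "used" (inside the /64 in use),
# "unused" (inside the delegated /48 but not the used /64; what the firewall's
# unused_net rules log and drop) or "foreign" (not ours at all).
classify() {
    if in_prefix "$1" "$2"; then echo used
    elif in_prefix "$1" "$3"; then echo unused
    else echo foreign
    fi
}

# gen_radvd_conf IFACE PREFIX/64: print a minimal radvd.conf for the used /64,
# with AdvManagedFlag on as in the post; anything that is not a /64 is refused.
gen_radvd_conf() {
    case "$2" in
        */64) ;;
        *) echo "radvd prefix must be a /64, got $2" >&2; return 1 ;;
    esac
    cat <<EOF
interface $1
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    prefix $2
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# usage: sh addr6check.sh ADDR USED_NET DELEGATED_NET
if [ $# -eq 3 ]; then classify "$1" "$2" "$3"; fi
```

Run it as `sh addr6check.sh 2001:db8:1:ff::1 2001:db8:1:1::/64 2001:db8:1::/48` and it answers `unused`; pipe `gen_radvd_conf eth0 2001:db8:1:1::/64` into /etc/radvd.conf only after in_prefix confirms the address in ifcfg-eth0 is in that same /64.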
#!/bin/sh
#
# Hive - firewall initialisation script
#
# (c) 2007 Maarten Vanraes <alien999999999@users.sourceforge.net>
#
# chkconfig: 235 89 11
# description: fire6wall

name="Fire6wall"
ipt="/sbin/ip6tables"
script="/data/system/scripts/firewall-ipv6"

#load modules

case "$1" in
  start)
    echo -n "Starting $name: "
    # Starting real firewall
    $script
    echo "OK"
    ;;
  stop)
    echo -n "Stopping $name: "
    # set default chain policies
    $ipt -P INPUT ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD DROP

    # flush all chains
    $ipt -F in_mine
    $ipt -F IN
    $ipt -F fw_smine
    $ipt -F fw_dmine
    $ipt -F FW

    $ipt -F INPUT
    $ipt -F OUTPUT
    $ipt -F FORWARD

    $ipt -t raw -F
    $ipt -t mangle -F
    $ipt -t filter -F

    # drop all user-defined chains
    $ipt -X

    echo "OK"
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: firewall {start|stop|restart}"
    exit 1
esac
And a real ip6tables script in /data/system/scripts/firewall-ipv6 (note the unused_net part, which makes sure that traffic for the unused subnets of the /48 doesn't accidentally go upstream):
#!/bin/sh
#
# Hive - firewall ip6tables script
#
# (c) 2007 Maarten Vanraes <alien999999999@users.sourceforge.net>
#

ipt="/sbin/ip6tables"

net_dev="sixxs"
net_ip="xxxx:xxxx:xxxx:xxxx::2"
net_gw="xxxx:xxxx:xxxx:xxxx::1"

loc_dev="eth0"
loc_ip="xxxx:xxxx:xxxx:xxxx::1"
loc_net="xxxx:xxxx:xxxx:xxxx::/64"

unused_net="xxxx:xxxx:xxxx:xxxx::0/48"

#Flushing firewall
$ipt -F
$ipt -X

#Setting default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# drop unused: anything from the /48 that is not from the used /64
# (negation written as "! -s", the form current ip6tables accepts without a warning)
$ipt -N IN
$ipt -N in_mine
$ipt -A in_mine ! -s $loc_net -j LOG --log-prefix "Fire6wall: Unused src in: "
$ipt -A in_mine ! -s $loc_net -j DROP
$ipt -A in_mine -j IN

$ipt -A INPUT -s $unused_net -j in_mine
$ipt -A INPUT -j IN

$ipt -N FW
$ipt -N fw_smine
$ipt -A fw_smine ! -s $loc_net -j LOG --log-prefix "Fire6wall: Unused src fw: "
$ipt -A fw_smine ! -s $loc_net -j DROP
$ipt -A fw_smine -j FW
$ipt -N fw_dmine
# (the LOG rule below was appended to fw_smine in the original, after that
# chain's final jump, so it could never fire; it belongs in fw_dmine next to its DROP)
$ipt -A fw_dmine ! -d $loc_net -j LOG --log-prefix "Fire6wall: Unused dst fw: "
$ipt -A fw_dmine ! -d $loc_net -j DROP
$ipt -A fw_dmine -j FW

$ipt -A FORWARD -s $unused_net -j fw_smine
$ipt -A FORWARD -d $unused_net -j fw_dmine
$ipt -A FORWARD -j FW

# reject irc auth port
$ipt -A IN -p tcp --dport auth -j LOG --log-prefix "Fire6wall: Auth reject in: "
$ipt -A FW -p tcp --dport auth -j LOG --log-prefix "Fire6wall: Auth reject fw: "
$ipt -A IN -p tcp --dport auth -j REJECT
$ipt -A FW -p tcp --dport auth -j REJECT

# always accept
$ipt -A IN -p icmpv6 -j ACCEPT
$ipt -A FW -p icmpv6 -j ACCEPT
$ipt -A IN -p udp --dport ntp -j ACCEPT
$ipt -A FW -p udp --dport ntp -j ACCEPT

# allow TCP connections
$ipt -A IN -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FW -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# non-SYN packets to the firewall's own addresses: "-o" can never match on the
# INPUT path (there is no output interface yet), so these match on "-i" instead;
# with conntrack available the two state rules above already cover this traffic
$ipt -A IN -p tcp ! --syn -i $loc_dev -d $loc_ip -j ACCEPT
$ipt -A IN -p tcp ! --syn -i $net_dev -d $net_ip -j ACCEPT
$ipt -A FW -p tcp ! --syn -i $net_dev -o $loc_dev -d $loc_net -j ACCEPT
$ipt -A FW -p tcp ! --syn -i $loc_dev -o $net_dev -s $loc_net -j ACCEPT

# firewall may do everything
$ipt -A IN -i lo -j ACCEPT
$ipt -A FW -i $loc_dev -s $loc_ip -j ACCEPT
$ipt -A FW -i $net_dev -s $net_ip -j ACCEPT

# firewall has some limited reachability
$ipt -A IN -p tcp -m multiport --dports ssh,smtp,domain,https,imaps -j ACCEPT
$ipt -A FW -o $net_dev -d $net_ip -p tcp -m multiport --dports ssh,smtp,domain,https,imaps -j ACCEPT
$ipt -A FW -o $loc_dev -d $loc_ip -p tcp -m multiport --dports ssh,smtp,domain,https,imaps -j ACCEPT

$ipt -A IN -p udp -m multiport --dports domain,ntp,1194 -j ACCEPT
$ipt -A FW -o $net_dev -d $net_ip -p udp -m multiport --dports domain,ntp,1194 -j ACCEPT
$ipt -A FW -o $loc_dev -d $loc_ip -p udp -m multiport --dports domain,ntp,1194 -j ACCEPT

# all gnomemeeting is allowed; TODO: VOIP
$ipt -A IN -p tcp --dport h323hostcall -j ACCEPT
$ipt -A FW -p tcp --dport h323hostcall -j ACCEPT
$ipt -A IN -p udp --sport 5000:5016 --dport 5000:5016 -j ACCEPT
$ipt -A FW -p udp --sport 5000:5016 --dport 5000:5016 -j ACCEPT

# local users may go to net
$ipt -A FW -i $loc_dev -o $net_dev -s $loc_net -j ACCEPT

# net may go to local users with limitations
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p tcp --dport 0:1023 -j LOG --log-prefix " Fire6wall: Low ports: "
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p tcp --dport 0:1023 -j DROP
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p tcp -j ACCEPT
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p udp --dport 0:1023 -j LOG --log-prefix " Fire6wall: Low ports: "
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p udp --dport 0:1023 -j DROP
$ipt -A FW -i $net_dev -o $loc_dev -d $loc_net -p udp -j ACCEPT

# log all
$ipt -A IN -j LOG --log-prefix "Fire6wall: Input: "
$ipt -A FW -j LOG --log-prefix "Fire6wall: Forward: "
$ipt -A IN -j DROP
$ipt -A FW -j DROP
NOTE that I don't have any real extensive ip6tables (or iptables) experience and that especially the TCP connection stuff could be very wrong. (I checked and saw that I had the ip6t_REJECT, xt_state and xt_multiport kernel modules. Maybe xt_connmark or xt_CONNMARK could also be used...)
Now I set shorewall up so that it ignores IPv6 (set up zones but leave out sixxs); also change the following in /etc/shorewall/shorewall.conf:
DISABLE_IPV6=no
This concludes routing.
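As an added example (not the poster's script), the same "unused subnet" guard chains written as an ip6tables-restore ruleset. The point is the loading method: the script above flushes everything and then appends rules one at a time while the policy is already DROP, whereas ip6tables-restore parses the whole file first and swaps the table in a single step, so a typo in the middle cannot leave the host half-configured. Chain names and log prefixes are taken from the script above; the prefixes are constructed documentation values (override them with LOC_NET and UNUSED_NET), the function names are mine, and ip6tables-restore is only called when it exists and the script is run with the argument `load`.

```shell
#!/bin/sh
# Added example: atomic load of the unused-subnet guard chains with
# ip6tables-restore.  Prefixes are constructed documentation values.
set -eu

loc_net="${LOC_NET:-2001:db8:1:1::/64}"      # the one /64 actually in use
unused_net="${UNUSED_NET:-2001:db8:1::/48}"  # the delegated /48 it was cut from

# Emit the ruleset in ip6tables-restore syntax (filter table only).
guard_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN - [0:0]
:FW - [0:0]
:in_mine - [0:0]
:fw_smine - [0:0]
:fw_dmine - [0:0]
# from the /48 but not from the used /64: log, then drop
-A in_mine ! -s $loc_net -j LOG --log-prefix "Fire6wall: Unused src in: "
-A in_mine ! -s $loc_net -j DROP
-A in_mine -j IN
-A fw_smine ! -s $loc_net -j LOG --log-prefix "Fire6wall: Unused src fw: "
-A fw_smine ! -s $loc_net -j DROP
-A fw_smine -j FW
-A fw_dmine ! -d $loc_net -j LOG --log-prefix "Fire6wall: Unused dst fw: "
-A fw_dmine ! -d $loc_net -j DROP
-A fw_dmine -j FW
-A INPUT -s $unused_net -j in_mine
-A INPUT -j IN
-A FORWARD -s $unused_net -j fw_smine
-A FORWARD -d $unused_net -j fw_dmine
-A FORWARD -j FW
# the minimum that keeps the host reachable once INPUT is DROP: loopback, replies
# to its own connections, ICMPv6 (neighbour discovery lives there) and ssh;
# the remaining IN / FW rules from the script above belong here
-A IN -i lo -j ACCEPT
-A IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IN -p icmpv6 -j ACCEPT
-A IN -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Consistency check before loading: every user chain that is jumped to must be
# declared, and every declared user chain must be used.  Returns 0 when they match.
check_chains() {
    rules=$(guard_ruleset)
    declared=$(printf '%s\n' "$rules" | sed -n 's/^:\([A-Za-z_]*\) - .*/\1/p' | sort -u)
    jumped=$(printf '%s\n' "$rules" | sed -n 's/.* -j \([A-Za-z_]*\).*/\1/p' \
             | grep -v -e '^LOG$' -e '^DROP$' -e '^ACCEPT$' | sort -u)
    [ "$declared" = "$jumped" ]
}

# Parse with --test first; only a clean parse is then loaded for real.
load_ruleset() {
    check_chains || { echo "declared and referenced chains differ" >&2; return 1; }
    if command -v ip6tables-restore >/dev/null 2>&1; then
        guard_ruleset | ip6tables-restore --test && guard_ruleset | ip6tables-restore
    else
        echo "ip6tables-restore not found; printing the ruleset only" >&2
        guard_ruleset
    fi
}

if [ "${1:-}" = "load" ]; then load_ruleset; fi
```

`sh fire6wall-restore.sh load` replaces the whole filter table at once; run it from a console or with the ssh ACCEPT rule kept, because the old INPUT rules disappear in the same step the new ones arrive.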
Installing servers
General note: some must be configured to use [::] style bind addresses and some need ::; there seems to be no consistency about this (although both forms should be allowed unless, in my opinion, a port is specified afterwards).
The following servers have absolutely NO IPv6 support:
* mysql (!!this is a real pain!!)
* SQUID (there is no support whatsoever, although there would be a patch since 2005)
* Net::Server (I modified the perl source code and it works now: add a 6 to a dependency and a \: to a checking function)
* probably samba; I dunno about this now, but it used to crash at startup just because I had a sixxs device. Will try this later on.
* NFS (no config option found to enable it)
The following servers have issues:
* amavisd-new (it uses Net::Server); in addition you need to specify bind_socket = "::"; in the config file
The rest works just fine ;) (although you may need to configure it to use IPv6):
* postfix
* dovecot
* sshd
* X11 (used in ssh X11 forwarding)
* XDMCP (you need to enable XDMCP of course)
* bind
* openvpn is reported to be working on IPv6, but I use this on IPv4 only, since it mostly is not required
Mailserver setup: Postfix listens on port 25 and takes on mail, then sends it to the content filter (port 10025), and the content filter sends it back to postfix but on port 10026, which does its normal delivery. Furthermore I set up procmail and have scripts per user that filter into maildirs. Dovecot uses those maildirs for its IMAP server. As an addition, squirrelmail is installed. I installed amavisd-new as content filter, but you should look into www.maiamailguard.com; it is a patched version of amavisd with a web frontend. As a last line in procmail I have all my good mail forwarded to a gmail account. I also have set up fetchmail to fetch all my mail from all over and all email addresses.
TODO:
* icecast
* SSL certs (set up my own CA) and sign my certs with it (not related to IPv6 of course)
* need to input a coax cable to the server as well, and also put my extra speakers on the server, and let it play from icecast
* lirc on the TV card on the server (for system features, maybe controlling the icecast and/or mythtv)
* mythboth on the server
* user-modifiable filtering webfrontend for procmail for the imap folders
* set up dhcp6 correctly to give ntpd and mailservers to clients
* set up openldap for auth, but also as email address directory
* let system and servers use openldap for auth
* set up a spamtrap address
* set up a spamreport address
* find a way to temporarily block IP addresses based upon a number of portscans/login tries and log into a DB
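The Postfix half of the 25 -> 10025 -> 10026 loop described in the mail server paragraph, as an added example that is not the poster's configuration: a shell script that emits the main.cf and master.cf pieces, and a check for the classic mistake in that loop. The loopback address [::1], the function names and the use of `postconf -e` are my assumptions; the ports are the ones the post names. The amavisd-new side (listening on 10025, forwarding to 10026) is not shown.

```shell
#!/bin/sh
# Added example: Postfix side of the content-filter loop
# (25 -> amavisd on 10025 -> back into Postfix on 10026).  Not the poster's
# config; the [::1] loopback address is an assumption.
set -eu

filter_port="${FILTER_PORT:-10025}"     # where amavisd-new listens
reinject_port="${REINJECT_PORT:-10026}" # where Postfix takes the mail back

# main.cf settings: hand every message to the filter transport.
postfix_main_cf() {
    cat <<EOF
inet_protocols = all
content_filter = smtp-amavis:[::1]:$filter_port
EOF
}

# master.cf additions: the transport to amavisd and the re-injection listener.
# "-o content_filter=" on the listener is what breaks the loop; without it Postfix
# hands the returned message to amavisd again, forever.
postfix_master_cf() {
    cat <<EOF
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
[::1]:$reinject_port inet n       -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,[::1]/128
EOF
}

# check_reinject_listener FILE: 0 if FILE has a listener on the re-injection
# port whose indented option lines reset content_filter, 1 otherwise.
check_reinject_listener() {
    block=$(awk -v p="$reinject_port" '
        /^[^ \t#]/ { inblk = ($1 == p || $1 ~ (":" p "$")) }  # new service entry
        inblk { print }                                       # its option lines
    ' "$1")
    printf '%s\n' "$block" | grep -q '^[[:space:]]*-o[[:space:]]*content_filter=[[:space:]]*$'
}

# Apply on a real host (needs root and postconf); otherwise just print the pieces.
apply_postfix_filter() {
    if ! command -v postconf >/dev/null 2>&1; then
        echo "postconf not found; nothing changed" >&2
        postfix_main_cf; postfix_master_cf
        return 1
    fi
    postfix_main_cf | while IFS= read -r line; do postconf -e "$line"; done
    postfix_master_cf >> /etc/postfix/master.cf
    check_reinject_listener /etc/postfix/master.cf && postfix reload
}

if [ "${1:-}" = "apply" ]; then apply_postfix_filter; fi
```

check_reinject_listener can also be pointed at an existing master.cf to confirm the re-injection entry still resets content_filter after a package upgrade rewrote the file.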
PS: it seems the .gif is not animating well :(
-- Alien is my name and headbiting is my game.