[Redbrick-ipv6] Re: [Admin-discuss] RedBrick IPv6 Network

Colm MacCarthaigh colmmacc at redbrick.dcu.ie
Sat Dec 20 02:52:09 GMT 2003


A few more small updates. Mark noticed that for some mad reason BitchX
wasn't falling back to IPv4 when connected to irc.redbrick.dcu.ie, though
all the other chat clients seem fine. The "chat" alias has been modified
to use IPv4 only.

Thanks to Dizer applying some generating-solaris-packages fu, we now
have an IPv6 enabled exim 4.30 on Prodigy, and can now receive and send
mails over IPv6. Receiving is simple enough: we just added a quad-A
record for mailhost.redbrick.dcu.ie; sending is a bit more complicated.

A new router has been added to our exim config;

  # If it's not a local domain, and it's IPv6, send it ourselves
  dnslookup:
    driver = dnslookup
    domains = ! +local_domains
    transport = remote_ipv6_smtp
    # colons inside the IPv6 addresses are doubled, as ':' separates list items
    ignore_target_hosts = 0.0.0.0/0 : ::::1 : ::::

And the accompanying transport;

  # Just in case there's nothing listening on the IPv6 address, use
  # an IPv4 fallback smarthost 
  remote_ipv6_smtp:
    driver = smtp
    fallback_hosts = mail.dcu.ie

Which means that if a domain you're trying to send mail to has an
IPv6 mail-server, RedBrick will send the mail directly, otherwise
(or if the IPv6 address is uncontactable) mail will go through
mail.dcu.ie.  
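The routing decision the two fragments above make can be modelled in a few lines. The block below is an added example, not part of the original mail or of Exim: it models the dnslookup router's ignore_target_hosts list and the transport's fallback_hosts over constructed DNS data (documentation address ranges, not real hosts). It also shows the case the mail does not spell out: when every target host of a domain is in the ignore list (an IPv4-only domain here, because of 0.0.0.0/0), the router declines rather than using the fallback; fallback_hosts only come into play once the transport has a host list and none of the hosts can be contacted.

```python
import ipaddress

# ignore_target_hosts from the router on the page: every IPv4 address, plus ::1 and ::
IGNORE_TARGET_HOSTS = [ipaddress.ip_network(n) for n in ("0.0.0.0/0", "::1/128", "::/128")]
# fallback_hosts from the transport on the page
FALLBACK_HOSTS = ["mail.dcu.ie"]

# Constructed DNS data for the example (RFC 5737 / RFC 3849 ranges), not real hosts.
DNS = {
    "example.net":         {"MX": [(10, "mx1.example.net"), (20, "mx2.example.net")]},
    "mx1.example.net":     {"A": ["192.0.2.10"], "AAAA": ["2001:db8::25"]},
    "mx2.example.net":     {"A": ["192.0.2.11"]},
    "v4only.example":      {"MX": [(10, "mail.v4only.example")]},
    "mail.v4only.example": {"A": ["198.51.100.5"]},
}

def ignored(addr):
    """True when the address falls inside any ignore_target_hosts entry."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in IGNORE_TARGET_HOSTS)

def route(domain):
    """Model of the dnslookup router: look up the MX records, resolve each host,
    and drop every address that ignore_target_hosts matches.
    Returns [(priority, host, usable_addresses)] in MX order; an empty list means
    every target was ignored and the router declines."""
    mx = sorted(DNS.get(domain, {}).get("MX", []))
    hosts = []
    for prio, host in mx:
        rr = DNS.get(host, {})
        addrs = [a for a in rr.get("AAAA", []) + rr.get("A", []) if not ignored(a)]
        if addrs:
            hosts.append((prio, host, addrs))
    return hosts

def deliver(domain, reachable):
    """Model of the smtp transport: try each usable address in MX order and, when
    none of them answers, hand the message to fallback_hosts.
    `reachable` is a constructed set of addresses that would accept SMTP."""
    hosts = route(domain)
    if not hosts:
        return "router declined: no IPv6 target hosts"
    for _, host, addrs in hosts:
        for a in addrs:
            if a in reachable:
                return f"direct:{host}:{a}"
    return f"fallback:{FALLBACK_HOSTS[0]}"

if __name__ == "__main__":
    print(route("example.net"))                        # only mx1's AAAA survives
    print(deliver("example.net", {"2001:db8::25"}))    # delivered directly over IPv6
    print(deliver("example.net", set()))               # IPv6 host unreachable, smarthost used
    print(deliver("v4only.example", {"198.51.100.5"})) # router declines
```

The last case is the one to check in a real config: a domain with no AAAA on any MX needs another router after this one, otherwise the message is not routed at all.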

I've also updated the exim configs on carbon and deathray to
relay mail to Prodigy over IPv6.

traceroute6 wasn't working at all outbound; this turned out to be
a compound problem: first of all, the firewall rules needed to be
changed slightly (thanks go to Dave Malone for finding out
which subset of ports to open), and the ttl on the sixxs tunnel
needed to be higher. The interface now looks like;

  auto sixxs
  iface sixxs inet6 v4tunnel
    address 2001:770:100:9::2
    netmask 64
    endpoint 193.1.31.74
    ttl 64
    up ip tunnel change sixxs ttl 64 # needed for traceroute to work
    up ip link set mtu 1280 dev sixxs
    up ip route add 2000::/3 via 2001:770:100:9::1 dev sixxs

It seems the current version of iputils ignores the "ttl 64" setting
and we need to set it manually using the ip command. 

In addition to the changes for traceroute6, the firewall ruleset
had to be rewritten a bit to use the FORWARD chain a lot more, and
now looks like;

  # This is the subnet used for the tunnel itself,
  # and is used only for routing.
  LINK="2001:770:100:9::2/64"
  
  # This is RedBrick's IPv6 Allocation
  ALLOCATION="2001:770:107::/48"
  
  # Flush the existing rules
  ip6tables -F INPUT
  ip6tables -F OUTPUT
  ip6tables -F FORWARD
  
  # allow IPv6 ICMP 
  ip6tables -A INPUT  -i sixxs -p icmpv6 -d $LINK       -j ACCEPT 
  ip6tables -A OUTPUT -o sixxs -p icmpv6 -s $LINK       -j ACCEPT 
  ip6tables -A FORWARD -i sixxs -p icmpv6 -d $ALLOCATION -j ACCEPT 
  ip6tables -A FORWARD -o sixxs -p icmpv6 -s $ALLOCATION -j ACCEPT 
  
  # Allow enough UDP such that traceroute6 works
  ip6tables -A INPUT   -i sixxs -p udp -d $LINK --dport 33434:33690 --sport 1024:65525  -j ACCEPT
  ip6tables -A OUTPUT  -o sixxs -p udp -s $LINK --dport 33434:33690 --sport 1024:65525 -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p udp -d $ALLOCATION --dport 33434:33690 --sport 1024:65525 -j ACCEPT
  ip6tables -A FORWARD -o sixxs -p udp -s $ALLOCATION --dport 33434:33690 --sport 1024:65525 -j ACCEPT
  
  # ip6tables does not yet have connection tracking, so we permit
  # packets which claim to be established (same as Cisco established)
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION ! --syn -j ACCEPT
  ip6tables -A FORWARD -o sixxs -p tcp -s $ALLOCATION ! --syn -j ACCEPT
  
  # Allow ssh, web, mail, imap, https and irc inbound
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 22   -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 25   -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 80   -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 113  -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 120  -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 143  -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 443  -j ACCEPT
  ip6tables -A FORWARD -i sixxs -p tcp -d $ALLOCATION --dport 6667 -j ACCEPT
  
  # Allow outbound to port 25 from our mailserver, in order to send IPv6
  # mail
  ip6tables -A FORWARD -i sixxs -p tcp -s 2001:770:107:15:A00:20FF:FEAB:E119 --dport 25 -j ACCEPT
  ip6tables -A FORWARD -o sixxs -p tcp -s 2001:770:107:15:A00:20FF:FEAB:E119 --dport 25 -j ACCEPT
  
  # Drop everything else, including all unestablished outbound 
  # connectivity
  ip6tables -A INPUT -i sixxs -j LOG --log-prefix "INPUT:"
  ip6tables -A INPUT -i sixxs -j DROP
  ip6tables -A FORWARD -i sixxs -j LOG --log-prefix "FORWARD:"
  ip6tables -A FORWARD -i sixxs -j DROP
  ip6tables -A FORWARD -o sixxs -j LOG --log-prefix "FORWARD:"
  ip6tables -A FORWARD -o sixxs -j DROP
  ip6tables -A OUTPUT -o sixxs -j LOG --log-prefix "OUTPUT:"
  ip6tables -A OUTPUT -o sixxs -j DROP

As per that ruleset, I've also opened ident, as some mailservers were
suffering long timeouts as they tried to connect to ident (ip6tables
does not yet have a REJECT target, only DROP), and I've opened 120
- as news.heanet.ie (for intersocs news) was trying to contact our
newsserver in IPv6 - might as well let it.
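To see exactly what the ruleset above lets through, it helps to run packets against a model of it. The block below is an added example, not code from the mail or from netfilter: it encodes the page's rules in order as a first-match evaluator (LOG is non-terminating and changes no verdict, so it is left out) and returns the verdict for a described packet. The addresses in the test packets are constructed documentation-range values. The interesting case is the "! --syn" pair: as the comment in the ruleset says, with no connection tracking any non-SYN segment is accepted to any port, so port filtering only applies to the first packet of a connection. Later kernels added IPv6 connection tracking, and the usual replacement for those two lines is a state match (ESTABLISHED,RELATED) instead of the flag test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address sets from the ruleset on the page. ip6tables masks the host bits of
# "2001:770:100:9::2/64", so it behaves as the /64 it sits in.
LINK = ipaddress.ip_network("2001:770:100:9::/64")
ALLOCATION = ipaddress.ip_network("2001:770:107::/48")
MAILSERVER = ipaddress.ip_network("2001:770:107:15:a00:20ff:feab:e119/128")
TRACEROUTE_DPORTS = (33434, 33690)
TRACEROUTE_SPORTS = (1024, 65525)

@dataclass
class Packet:
    chain: str                        # INPUT, OUTPUT or FORWARD
    proto: str                        # icmpv6, tcp or udp
    src: str
    dst: str
    iface_in: Optional[str] = None    # what -i would see
    iface_out: Optional[str] = None   # what -o would see
    sport: int = 0
    dport: int = 0
    syn: bool = False                 # True when the TCP flags are SYN-only (what --syn matches)

def rule(chain, target, i=None, o=None, p=None, s=None, d=None, dport=None, sport=None, syn=None):
    """One ip6tables rule; None means that option was not given on the command line."""
    return dict(chain=chain, target=target, i=i, o=o, p=p, s=s, d=d,
                dport=dport, sport=sport, syn=syn)

def port(n):
    return (n, n)

# The page's rules, in the order they are appended.
RULES = [
    rule("INPUT",   "ACCEPT", i="sixxs", p="icmpv6", d=LINK),
    rule("OUTPUT",  "ACCEPT", o="sixxs", p="icmpv6", s=LINK),
    rule("FORWARD", "ACCEPT", i="sixxs", p="icmpv6", d=ALLOCATION),
    rule("FORWARD", "ACCEPT", o="sixxs", p="icmpv6", s=ALLOCATION),
    rule("INPUT",   "ACCEPT", i="sixxs", p="udp", d=LINK, dport=TRACEROUTE_DPORTS, sport=TRACEROUTE_SPORTS),
    rule("OUTPUT",  "ACCEPT", o="sixxs", p="udp", s=LINK, dport=TRACEROUTE_DPORTS, sport=TRACEROUTE_SPORTS),
    rule("FORWARD", "ACCEPT", i="sixxs", p="udp", d=ALLOCATION, dport=TRACEROUTE_DPORTS, sport=TRACEROUTE_SPORTS),
    rule("FORWARD", "ACCEPT", o="sixxs", p="udp", s=ALLOCATION, dport=TRACEROUTE_DPORTS, sport=TRACEROUTE_SPORTS),
    # "! --syn": without connection tracking every non-SYN segment counts as established
    rule("FORWARD", "ACCEPT", i="sixxs", p="tcp", d=ALLOCATION, syn=False),
    rule("FORWARD", "ACCEPT", o="sixxs", p="tcp", s=ALLOCATION, syn=False),
] + [
    rule("FORWARD", "ACCEPT", i="sixxs", p="tcp", d=ALLOCATION, dport=port(n))
    for n in (22, 25, 80, 113, 120, 143, 443, 6667)
] + [
    rule("FORWARD", "ACCEPT", i="sixxs", p="tcp", s=MAILSERVER, dport=port(25)),
    rule("FORWARD", "ACCEPT", o="sixxs", p="tcp", s=MAILSERVER, dport=port(25)),
    rule("INPUT",   "DROP", i="sixxs"),
    rule("FORWARD", "DROP", i="sixxs"),
    rule("FORWARD", "DROP", o="sixxs"),
    rule("OUTPUT",  "DROP", o="sixxs"),
]

def in_range(rng, value):
    return rng is None or rng[0] <= value <= rng[1]

def matches(r, pkt):
    if r["chain"] != pkt.chain:
        return False
    if r["i"] is not None and r["i"] != pkt.iface_in:
        return False
    if r["o"] is not None and r["o"] != pkt.iface_out:
        return False
    if r["p"] is not None and r["p"] != pkt.proto:
        return False
    if r["s"] is not None and ipaddress.ip_address(pkt.src) not in r["s"]:
        return False
    if r["d"] is not None and ipaddress.ip_address(pkt.dst) not in r["d"]:
        return False
    if r["syn"] is not None and r["syn"] != pkt.syn:
        return False
    return in_range(r["dport"], pkt.dport) and in_range(r["sport"], pkt.sport)

def verdict(pkt):
    """First matching terminating rule wins. With no match the chain policy applies,
    which the script on the page never changes from the default ACCEPT."""
    for r in RULES:
        if matches(r, pkt):
            return r["target"]
    return "ACCEPT"

if __name__ == "__main__":
    inbound = dict(chain="FORWARD", proto="tcp", src="2001:db8::1", dst="2001:770:107::10",
                   iface_in="sixxs", sport=40000)
    print(verdict(Packet(dport=22, syn=True, **inbound)))     # ACCEPT: listed port
    print(verdict(Packet(dport=3306, syn=True, **inbound)))   # DROP: not listed
    print(verdict(Packet(dport=3306, syn=False, **inbound)))  # ACCEPT: the stateless gap
```

The last line is the one to keep in mind when reading the ruleset: the port list only governs SYN segments, so anything listening inside the allocation is reachable by segments that do not carry a bare SYN. The model also shows that the DROP rules are bound to the sixxs interface, so traffic arriving on any other interface falls through to the chain policy.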
  
Earlier today, DoC made a start on recompiling the kernel and stuff
on welmar to support IPv6, though I'm not sure where that's at -
but welmar may be another IPv6 host on the network not before too
long :) It does seem to have a link-local address anyway;

colmmacc at carbon (~) $ ping6 -I eth0 fe80::201:3ff:feba:465e
PING fe80::201:3ff:feba:465e(fe80::201:3ff:feba:465e) from
fe80::206:5bff:fefc:fb70 eth0: 56 data bytes
64 bytes from fe80::201:3ff:feba:465e: icmp_seq=1 ttl=64 time=0.540 ms
64 bytes from fe80::201:3ff:feba:465e: icmp_seq=2 ttl=64 time=0.213 ms

-- 
colmmacc at redbrick.dcu.ie        PubKey: colmmacc+pgp at redbrick.dcu.ie  
Web:                                 http://devnull.redbrick.dcu.ie/