# A few IPv6 & ip6?tables questions [answered]

## truc

Hello, I'm starting to play a little with IPv6 and I was wondering:

1) How do you guys manage your iptables and ip6tables scripts? (I already know about iptables-save & iptables-restore and their IPv6 friends; I'm just asking for tips on how to manage the creation of these two rulesets, given the fact that they are very similar.)

2) [partially answered] squid 3.1.X listens on an IPv6 socket and is able to receive IPv4 connections through v4 mapping (or something like that) in the kernel. Does this mean I no longer need to open the squid port with iptables, and only open it with ip6tables? (OK, I will try that myself in a moment.) Is this something more and more software will do to handle IPv4 & IPv6 at the same time?

3) [answered: YES] I'm currently DROP'ing some traffic in the raw table for a few MAC addresses. Do I need to replicate these rules with ip6tables? Or something else?

4) [answered: router advertisement, ICMPv6, NDP, radvd...] I've set up an IPv6 tunnel broker (6in4), and I've been given a /64 subnet. This is great, but how do I start using those addresses behind the router? How are the local hosts supposed to be automatically configured in the right subnet?

5) I have a proxy (squid3) running on my LAN; should the clients contact it on its link-local address? In the browser, I set the proxy to http://proxy.my.lan:3128. I can add an AAAA RR for this name, but from what I understand, a link-local address must be associated with an interface, so how would the client know where to reach that link-local address (on which interface)?

Thanks in advance!

EDIT: added a fifth question

----------

## truc

2) I can answer the second question on my own: I still have to open the squid port with iptables in order to connect to it via IPv4.

So I might add a fourth question:

4) I've set up an IPv6 tunnel broker (6in4), and I've been given a /64 subnet. This is great, but how do I start using those addresses behind the router? How are the local hosts supposed to be automatically configured in the right subnet?

Well as you can see, this is not very clear to me.

Thanks for your help :)

----------

## s_bernstein

*Quote:*

> 3) I'm currently DROP'ing some traffic in the raw table for a few MAC addresses. Do I need to replicate these rules with ip6tables? Or something else?

Yes, you have to, and you should. But the ruleset for IPv6 will probably have to be much more rigid if you want to have the same level of security, because all IPv6 addresses are by default reachable from the world.

*Quote:*

> 4) I've set up an IPv6 tunnel broker (6in4), and I've been given a /64 subnet. This is great, but how do I start using those addresses behind the router? How are the local hosts supposed to be automatically configured in the right subnet?

Well, unless you activate the privacy extensions, the IPv6 address is calculated from the MAC address, so your IP address would always be the same, wherever you are. See the problem? Google (and others) could track you around the world. The "subnet" is now called a prefix, and you either have to set it manually or, if your router is IPv6 ready, it should announce the prefix by itself through the Neighbour Discovery Protocol, which by the way uses ICMP packets, so dropping ICMP to disallow ping will kill your network setup.

----------
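The first and third questions of the thread (one source for two near-identical rulesets; MAC drops must exist in both tables) and s_bernstein's warning that NDP rides on ICMPv6 can be handled by a single generator script. The following is an added example, not a script posted in the thread: it prints iptables-restore / ip6tables-restore input for a router with a LAN interface and a 6in4 tunnel, writing the shared rules once and only the family-specific rules separately. The interface names, the MAC addresses and the broker endpoint address are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: one generator for the iptables and ip6tables rulesets.
# Interface names, MACs and the broker address below are assumptions.

LAN_IF=eth1            # assumption: inside interface
WAN_IF=eth0            # assumption: IPv4 uplink that carries the 6in4 tunnel
BROKER_V4=203.0.113.1  # placeholder: tunnel broker IPv4 endpoint
BLOCKED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # placeholders

# common_rules: everything that is identical for both families (no final COMMIT,
# the family-specific filter rules are appended before it).
common_rules() {
  echo '*raw'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Each table only ever sees its own address family, so a MAC-based drop in
  # the IPv4 raw table does nothing for IPv6 frames: it has to be in both.
  for mac in $BLOCKED_MACS; do
    echo "-A PREROUTING -m mac --mac-source $mac -j DROP"
  done
  echo 'COMMIT'
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $LAN_IF -j ACCEPT"
  # squid listening on a dual-stack socket still receives IPv4 packets as
  # IPv4 on the wire, and only iptables sees those: open the port in both.
  echo "-A INPUT -i $LAN_IF -p tcp --dport 3128 -j ACCEPT"
}

v4_only() {
  # IPv6-in-IPv4 is IP protocol 41; without this the tunnel never comes up.
  echo "-A INPUT -i $WAN_IF -p 41 -s $BROKER_V4 -j ACCEPT"
  echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
}

v6_only() {
  # ICMPv6 is not optional: RS/RA/NS/NA (NDP) and Packet Too Big (PMTUD)
  # all travel in it.  Link-scoped NDP must arrive with hop limit 255.
  for t in router-solicitation router-advertisement \
           neighbour-solicitation neighbour-advertisement; do
    echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
  done
  for t in destination-unreachable packet-too-big time-exceeded \
           parameter-problem echo-request; do
    echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    echo "-A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  done
}

# ruleset FAMILY -> complete restore file on stdout (FAMILY: iptables|ip6tables)
ruleset() {
  common_rules
  case "$1" in
    iptables)  v4_only ;;
    ip6tables) v6_only ;;
    *) echo "unknown family: $1" >&2; return 1 ;;
  esac
  echo 'COMMIT'
}

# Apply with:
#   ruleset iptables  | iptables-restore
#   ruleset ip6tables | ip6tables-restore
```

Because the script only prints, `ruleset ip6tables | diff - <(ip6tables-save)` gives a quick review of what would change before anything is loaded.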

## truc

*s_bernstein wrote:*

> *Quote:*
>
> > 3) I'm currently DROP'ing some traffic in the raw table for a few MAC addresses. Do I need to replicate these rules with ip6tables? Or something else?
>
> ...

Okay, I think I just realised something important: iptables and ip6tables only look at IPv4 and IPv6 traffic. And if I'm not using ebtables, then I have no way to block, say, IPX traffic. Now I understand why I should replicate those rules.

*s_bernstein wrote:*

> *Quote:*
>
> > 4) I've set up an IPv6 tunnel broker (6in4), and I've been given a /64 subnet. This is great, but how do I start using those addresses behind the router? How are the local hosts supposed to be automatically configured in the right subnet?
>
> ...

Yep, I read about that already, but before trying to do something more tricky with DHCPv6 (EDIT: OK, just checked, no need for a DHCPv6 service, it's just a sysctl setting, use_tempaddr), I'd like to understand how this is supposed to work.

*Quote:*

> The "subnet" is now called a prefix, and you either have to set it manually or, if your router is IPv6 ready, it should announce the prefix by itself through the Neighbour Discovery Protocol, which by the way uses ICMP packets, so dropping ICMP to disallow ping will kill your network setup.

Hmm... okay, so the next thing to do is to configure my server/router to be "IPv6 ready". I guess it's just some sysctl keys to change, as well as the firewall to configure! I will see.

Anyway, this brings up a new question, 

I have two public links on the server, and route some IPv4 traffic through one link. This works well, since I SNAT packets leaving those public interfaces.

Regularly, one link or the other goes down, so I need to change the default route on the server, and since packets are SNAT'ed, I always get the reply from where the request was coming.

Now with IPv6, if I choose to configure the LAN with one prefix, and the link associated with that prefix goes down, then changing the default gateway on the server won't be enough, as local hosts will still use the other prefix, and so they'll never get the replies.

Do you see any way around this?

Thanks!

----------

## s_bernstein

hmmm.. tricky

The only way I see at the moment is to use one of the private network prefixes for your network and build some static routes. But I'm not sure if that is a good solution.

----------

## truc

From what I read, I can probably work around this by playing with the router advertisement and the valid_lft & preferred_lft. I still don't know how, but it may be possible to force 'local' hosts to use one prefix or the other by playing with these values.

----------

## truc

I'm still trying to understand how to use IPv6, so let me add yet another quick question:

5) I have a proxy (squid3) running on my LAN; should the clients contact it on its link-local address? In the browser, I set the proxy to http://proxy.my.lan:3128. I can add an AAAA RR for this name, but from what I understand, a link-local address must be associated with an interface, so how would the client know where to reach that link-local address (on which interface)?

Thank you again!

----------

## s_bernstein

If I understand you correctly, you want to know how your IPv6 client is reaching the IPv6 server (squid)? Am I wrong?

If not: IPv6 is not that different from IPv4. Your NIC gets an IP(v6) address and uses it to communicate via IPv6. If your server is in the same physical network and your squid is configured to listen on the IPv6 address, you should reach your server without any more config steps (if you are using the same prefix).

----------

## truc

*s_bernstein wrote:*

> If I understand you correctly, you want to know how your IPv6 client is reaching the IPv6 server (squid)? Am I wrong?
>
> If not: IPv6 is not that different from IPv4. Your NIC gets an IP(v6) address and uses it to communicate via IPv6. If your server is in the same physical network and your squid is configured to listen on the IPv6 address, you should reach your server without any more config steps (if you are using the same prefix).

Sorry for not being very clear.

I usually configure the proxy (via a pac file) to something like this: http://proxy.my.lan:3128

But when I try to manually use this setting, host: fe80::222:64ff:febf:dcaf, port: 3128 (the link-local address of the proxy), then it doesn't work. Now, if I set the proxy host to fe80::222:64ff:febf:dcaf%eth0, then it works fine.

Since I'd like to use a hostname instead of an address (proxy.my.lan), the name proxy.my.lan should resolve to an IPv6 address, but if I do that, the DNS reply will still be missing the %eth0, and so the proxy configuration won't work!

So my quick conclusion was that I should not use any link-local address; these are only used for stateless autoconfiguration. Am I right?

If I get it right, proxy.my.lan should (also) resolve to the proxy's IPv6 address (with a prefix other than fe80::/64).

I think I really need to understand how to configure this stateless autoconfiguration on the server before doing anything else.

One last question: I read that if I have a /64 network, it's 64 bits for the host, and I can't have several subnets. Is this still true? How am I supposed to filter traffic between my current (IPv4) subnets if, with IPv6, every host is in the same subnet?

Thanks for your time s_bernstein :)

----------

## s_bernstein

*Quote:*

> So my quick conclusion was that I should not use any link-local address; these are only used for stateless autoconfiguration. Am I right?

Well, I think the answer to that is yes. The same link-local prefixes may be used by more than one NIC on the system, so you have to add the interface to specify the exact subnet. And because traffic from these addresses will not be routed, you will not be able to access any address outside the network. Although it might be possible to access the proxy and get a connection from there, this seems to be an awful hack.

*Quote:*

> One last question: I read that if I have a /64 network, it's 64 bits for the host, and I can't have several subnets. Is this still true? How am I supposed to filter traffic between my current (IPv4) subnets if, with IPv6, every host is in the same subnet?

You will probably get a /48 or /56 network, so you can split your network with netmasks into /64 networks. If not, you're screwed and need to build something with the unique local unicast prefixes (the IPv6 version of 192.168.0.0/16).

----------

## truc

OK, things are going great, everything is working fine. Here is some of the information I was missing at the beginning:

As s_bernstein said, I needed to ask for a /48 (or something else) to be able to have multiple IPv6 subnets. Luckily, Hurricane Electric offers to route (for free) a /48 :)

The next thing to do is to split this /48 into your subnets. Just so I can easily see which network an IPv6 address is from, I decided to make the IPv4 and IPv6 subnets similar:

e.g. with the 2001:32:b1a9::/48 prefix, I can choose to use these subnets:

```
eth1: 192.168.10.1/24 -> 2001:32:b1a9:10::1/64
eth2: 192.168.20.1/24 -> 2001:32:b1a9:20::1/64
eth3: 192.168.30.1/24 -> 2001:32:b1a9:30::1/64
eth4: 192.168.40.1/24 -> 2001:32:b1a9:40::1/64
eth5: 192.168.50.1/24 -> 2001:32:b1a9:50::1/64
```

Once that is configured, you can configure radvd for a wonderful stateless autoconfiguration, e.g. for eth1:

```
interface eth1 {
    AdvSendAdvert on;
    # the on-link /64 announced to hosts (no host bits in the prefix)
    prefix 2001:32:b1a9:10::/64 {
    };
    # RDNSS takes the resolver's address, not a prefix
    RDNSS 2001:32:b1a9:10::1 {
    };
    DNSSL my1.lan lan {
    };
};
```

Then enable forwarding for IPv6, and start the daemon: stateless autoconfiguration should already be working!

Configure your firewall (ip6tables)

Note: if you're a total IPv6 junkie, you can use rdnssd on the clients to listen for DNS configuration (only RDNSS; DNSSL is ignored from what I can see). This way you can start querying your NS via IPv6 instead of IPv4.

As I said before, I use a proxy.pac file to configure the proxy setting on the clients, with a directive usually like this one:

```
PROXY http://proxy.my.lan:3128
```

So if proxy.my.lan has an AAAA resource record, then the clients can speak to the proxy via IPv6.

----------

## truc

...and...

The nice thing about stateless autoconfiguration is that you can easily reconfigure every host without waiting for their leases to expire.

This is good, given my initial problem (I have two WAN links, each of them regularly going down, so I often need to route all traffic through one link or the other; the question was: how to do this with IPv6 and without NAT?):

I set up a second IPv6 tunnel (6in4), which uses the second link (you just have to select a different peer than for the first tunnel, then play with ip route add).

I also asked for a second /48 through that second tunnel: 2001:32:106a::/48, which I split the same way as the first one (192.168.10.1/24 -> 2001:32:106a:10::1/64).

It's possible to send two prefixes with a radvd configuration like this for eth1:

```
interface eth1 {
    AdvSendAdvert on;
    # deprecated prefix: hosts keep the address but stop using it for new connections
    prefix 2001:32:b1a9:10::/64 {
        AdvPreferredLifetime 0;
    };
    # preferred prefix: hosts use this one for new connections
    prefix 2001:32:106a:10::/64 {
        #AdvPreferredLifetime 0;
    };
    RDNSS 2001:32:b1a9:10::1 {
    };
    DNSSL my1.lan lan {
    };
};
```

Then play with ip rule add and ip route add to make the IPv6 traffic coming from one of these /48s go through the first tunnel, and the same for the second /48 (through the second tunnel).

Once you need to change the default link, just comment the line 'AdvPreferredLifetime 0;' where it's not commented in radvd.conf and vice versa, restart radvd, and your local hosts will start using the other prefix (and so the other link).

Everything is working fine now, but I find the situation with DNS weird. I mean, DNSSL is not yet supported? Not yet? It's not like IPv6 is something new, is it?

----------
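The failover procedure described in the last two posts (a second 6in4 tunnel, source-based policy routing so each /48 leaves by its own tunnel, and a radvd.conf in which the inactive prefix is deprecated with AdvPreferredLifetime 0) can be driven from one small script. The following is an added example, not the poster's own setup: the /48 prefixes are the ones quoted in the thread, while the tunnel device names and the IPv4 endpoints of the two links and their brokers are placeholders. The functions only print the commands and the configuration, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: second 6in4 tunnel, per-prefix policy routing and a radvd.conf
# that prefers one of the two /48s.  Device names and endpoints are assumptions.

LAN_IF=eth1
PFX1=2001:32:b1a9      # first /48, routed through tunnel 1 (from the thread)
PFX2=2001:32:106a      # second /48, routed through tunnel 2 (from the thread)
TUN1=he1; TUN2=he2     # assumption: sit device names
LOCAL1=198.51.100.10; PEER1=203.0.113.1   # placeholders: link-1 local/broker IPv4
LOCAL2=198.51.100.20; PEER2=203.0.113.2   # placeholders: link-2 local/broker IPv4

# tunnel_cmds NAME LOCAL PEER -> iproute2 commands for one 6in4 (sit) tunnel.
# The second tunnel differs from the first only in its local and peer endpoints.
tunnel_cmds() {
  echo "ip tunnel add $1 mode sit remote $3 local $2 ttl 255"
  echo "ip link set $1 up"
}

# policy_cmds -> traffic sourced from each /48 leaves by the tunnel that
# delegated it, whatever the main table's default route says.  Without this,
# replies for the "other" prefix would be sent out of the wrong tunnel.
policy_cmds() {
  echo 'sysctl -w net.ipv6.conf.all.forwarding=1'   # router must forward
  echo "ip -6 route add default dev $TUN1 table 101"
  echo "ip -6 route add default dev $TUN2 table 102"
  echo "ip -6 rule add from $PFX1::/48 lookup 101"
  echo "ip -6 rule add from $PFX2::/48 lookup 102"
}

# radvd_conf ACTIVE -> radvd.conf for the LAN; ACTIVE is 1 or 2.  The inactive
# prefix is advertised with a preferred lifetime of 0, so hosts deprecate those
# addresses (existing flows continue until the valid lifetime runs out) and
# source new connections from the active prefix.
radvd_conf() {
  active=$1
  [ "$active" = 1 ] && pref1="" || pref1="AdvPreferredLifetime 0;"
  [ "$active" = 2 ] && pref2="" || pref2="AdvPreferredLifetime 0;"
  cat <<EOF
interface $LAN_IF {
    AdvSendAdvert on;
    prefix $PFX1:10::/64 {
        $pref1
    };
    prefix $PFX2:10::/64 {
        $pref2
    };
    RDNSS $PFX1:10::1 {
    };
    DNSSL my1.lan lan {
    };
};
EOF
}

# Example use (as root):
#   tunnel_cmds $TUN2 $LOCAL2 $PEER2 | sh
#   policy_cmds | sh
#   radvd_conf 2 > /etc/radvd.conf && kill -HUP "$(pidof radvd)"
```

Switching links is then `radvd_conf 1` or `radvd_conf 2` followed by a SIGHUP, which makes radvd re-read its configuration instead of restarting it. Hosts react on the next RA, so the switch propagates within the configured MaxRtrAdvInterval rather than waiting for an address lifetime to expire.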

