You're reading from Linux Networking Cookbook
The IPv4 protocol used on the Internet today was first deployed on ARPANET in 1983. It uses 32-bit addresses, which limits the number of IP addresses to 4,294,967,296. While this may seem like a lot, that pool is being rapidly depleted, even with the breathing room that NAT provided us.
The replacement, IPv6, improves on IPv4 by switching to 128-bit addressing, which should provide enough address space for the foreseeable future. It also makes a number of other improvements, including auto-configuration of addresses, simplified processing for routers thanks to a fixed-size packet header, and more.
Even with those improvements, and the impending IPv4 exhaustion, IPv6 has had an extremely slow rollout. The initial design was completed in 1998, but as of the end of 2009 the percentage of users who visited Google with IPv6 connectivity was below 0.25%. Since 2009, adoption has accelerated, with the user saturation increasing from less than 3% to more than...
Hurricane Electric is a major backbone and colocation provider based in the US. In addition to their hosting/transit services, they also host http://tunnelbroker.net, another free IPv6 tunnel provider, and http://ipv6.he.net/certification, a training and certificate site for learning about IPv6 networking.
Unlike AYIYA tunnels from SixXS, IPv6 tunnels from Hurricane Electric operate over IP protocol number 41, the IPv6 encapsulation protocol (RFC2473). This is a separate IP protocol from ICMP, TCP and UDP, so it is neither a port nor a UDP stream that a NAT device can track.
The downside of this approach is that it does not traverse NAT natively. This may be an issue if your new firewall device sits behind an ISP-supplied router with its own NAT. The ability to forward protocol 41 traffic to a machine behind the NAT is device specific and does not work on all firewalls.
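Because a protocol 41 packet is just an IPv4 packet carrying a whole IPv6 packet, an IPv4-only firewall or capture tool sees only the outer endpoints. The following parser is an added example, not code from the book, that validates the outer IPv4 header and extracts the inner IPv6 source and destination; all addresses are constructed documentation-range samples.

```python
import socket
import struct

IPPROTO_IPV6 = 41  # protocol number in the IPv4 header for 6in4 tunnels


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct a sample protocol 41 packet: an IPv4 header wrapping an IPv6 header."""
    # IPv6 header: version 6, payload length, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += socket.inet_pton(socket.AF_INET6, inner_src)
    inner += socket.inet_pton(socket.AF_INET6, inner_dst) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      IPPROTO_IPV6, 0, socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + inner


def parse_6in4(packet: bytes):
    """Return outer IPv4 and inner IPv6 endpoints, or None if this is not a valid 6in4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        return None
    if packet[9] != IPPROTO_IPV6:  # outer protocol field must be 41
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "inner_src": socket.inet_ntop(socket.AF_INET6, inner[8:24]),
        "inner_dst": socket.inet_ntop(socket.AF_INET6, inner[24:40]),
        "inner_next_header": inner[6],
    }
```

Feed it the IP layer of frames captured on the tunnel host's external interface to see which IPv6 hosts are actually talking through the tunnel.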
Visit https://tunnelbroker.net, click Sign up now!, and sign up for a Free account.
Under User Functions...
Firewalling IPv6 traffic on Linux is handled by the ip6tables command. This tool is the IPv6 version of the iptables command we've already used, and it operates in almost exactly the same manner. The big difference is that with IPv6 the use of NAT is highly discouraged.
Let's run the commands to establish the rules:
# ip6tables -6 -A INPUT -i lo -j ACCEPT
# ip6tables -6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables -6 -A INPUT -p tcp --dport 22 -j ACCEPT
# ip6tables -6 -P INPUT DROP
# ip6tables -6 -P FORWARD DROP
# ip6tables -6 -P OUTPUT ACCEPT
# ip6tables -6 -A FORWARD -i eth0 -j ACCEPT
# ip6tables -6 -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
The ip6tables rules here are identical to the iptables rules in Chapter 1, Configuring a Router, with a few exceptions:
A lack of NAT
The -6 option
So far, all we've done is allocate a single IPv6 address to the machine that is hosting the tunnel. One of the nice things about IPv6, however, is the ability to obtain a large number of public IP addresses for your local networks rather than using NAT. In fact, Hurricane Electric and SixXS both offer complimentary /48 networks to use with your tunnel. A /48 includes 2^80 IP addresses, or 1,208,925,819,614,629,174,706,176. Much better than the one IPv4 address you typically get from a consumer ISP. To use them, you just need to advertise their availability on your local network.
Install radvd via your package management system.
Configure /etc/radvd.conf:
interface eth1 {
    AdvSendAdvert on;
    prefix 2001:DB8:1:1::/64 {
    };
};
Start radvd via the init script or as appropriate for your distribution.