First thing you'll need to do is register at the Hurricane Electric website and create your tunnel. I'm not going to go over that since there's a lot of help on the Hurricane Electric website about it. These instructions only apply after you've registered as a user and set up your tunnel on their website.
These instructions apply to Debian and Ubuntu derivatives; I'm sure they will work for other distributions with a little tweaking. Thanks to angelou on the Hurricane Electric web forum for doing most of the hard work. These instructions are mostly his work; the ufw firewall instructions are mine.
Take a note of your tunnel details from the Hurricane Electric website; you'll need them to set up your Linux IPv6 gateway. The IPv6 addresses below are used for documentation purposes only, see RFC 3849 (no point showing everyone on the internet my home IPv6 address, that would just be silly).
| Tunnel detail | Value |
| HE Server IPv4 Endpoint | 216.66.22.2 |
| Static IPv6 assignment from my routed range | 2001:DB8:8:7aa::1 |
| Client IPv6 Endpoint | 2001:DB8:7:7aa::2 |
You need to edit /etc/network/interfaces and add your own data to the bottom of the file. There are two parts: the first goes under the stanza for your own network adaptor (usually eth0), and the second goes after that.
sudo nano /etc/network/interfaces
- Adding a static IPv6 address from my routed range to eth0.
- Adding the he-ipv6 tunnel interface, with the Client IPv6 endpoint as its address and a default route over it.
- Please note that the two addresses are on different /64 networks: the tunnel /64 and the routed /64 HE assigns are separate.

# Adding an IPv6 address to the eth0 interface.
# Interface up
up ip -6 addr add 2001:DB8:8:7aa::1/64 dev eth0
# Interface down
down ip -6 addr del 2001:DB8:8:7aa::1/64 dev eth0
The IPv6 and IPv4 settings below will of course be yours, not the ones I've made up for the purpose of showing how it's done.

# IPv6 via Hurricane Electric Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    endpoint 216.66.22.2
    address 2001:DB8:7:7aa::2
    netmask 64
    ttl 255
    up ip -6 route add default dev he-ipv6
    down ip -6 route del default dev he-ipv6

Hurricane Electric's own sample Debian configuration also sets a "local" line in this stanza with the gateway's own IPv4 address (the address you registered as the tunnel's client IPv4 endpoint, or the private address behind your NAT router); it is optional in ifupdown, but add it if the tunnel does not come up without it.
Now we're going to install and configure radvd. First, install radvd.
sudo apt-get install radvd
Then configure radvd for your routed range.
sudo nano /etc/radvd.conf
The only part you have to change below is the "prefix", which will be your routed IPv6 prefix.
interface eth0
{
    AdvSendAdvert on;
    AdvLinkMTU 1480;
    prefix 2001:DB8:8:7aa::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Now you're going to edit sysctl.conf so that IPv6 forwarding to the other IPv6-enabled devices survives a reboot.
sudo nano /etc/sysctl.conf
Uncomment the forwarding line so that it reads:
# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=1
Now we're going to enable IPv6 forwarding on the fly by re-reading sysctl.conf.
sudo sysctl -p
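As an added example (not part of the original guide or of angelou's configuration), the following Python script takes the three tunnel details from the table above, checks them for the mistakes that most often break this setup (a private IPv4 endpoint, a non-unicast IPv6 address, or the tunnel /64 reused as the LAN prefix so that radvd advertises the wrong network), and renders the interfaces stanzas and radvd.conf shown above. It assumes the RFC 3849 documentation addresses used in this guide; the optional `local_ipv4` field, which HE's own sample Debian configuration also sets, is an extra that is not in the guide's stanza.

```python
"""Added example: sanity-check Hurricane Electric tunnel details and render
the /etc/network/interfaces stanzas and /etc/radvd.conf from this guide.
Standard library only.  Address values are the guide's RFC 3849
documentation addresses, not a real tunnel."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TunnelDetails:
    server_ipv4: str                  # "HE Server IPv4 Endpoint"
    client_ipv6: str                  # "Client IPv6 Endpoint" (inside the tunnel /64)
    routed_address: str               # gateway's address inside the routed /64
    local_ipv4: Optional[str] = None  # gateway's own IPv4 (optional extra, not in the guide)
    lan_iface: str = "eth0"
    tun_iface: str = "he-ipv6"


def validate(d: TunnelDetails) -> dict:
    """Return the derived networks, or raise ValueError for a value that
    would silently break the setup."""
    server = ipaddress.IPv4Address(d.server_ipv4)
    if not server.is_global:
        raise ValueError(f"HE endpoint {server} is not a public IPv4 address")

    tunnel = ipaddress.IPv6Interface(f"{d.client_ipv6}/64")
    routed = ipaddress.IPv6Interface(f"{d.routed_address}/64")
    for label, iface in (("client", tunnel), ("routed", routed)):
        a = iface.ip
        if a.is_link_local or a.is_multicast or a.is_loopback or a.is_unspecified:
            raise ValueError(f"{label} address {a} is not a usable unicast address")
        if a == iface.network.network_address:
            raise ValueError(f"{label} address {a} is the all-zeros host address; use ::1, ::2, ...")
    if tunnel.network == routed.network:
        # This is the "the IPs are on different networks" note in the guide.
        raise ValueError("tunnel /64 and routed /64 are the same network; "
                         "the LAN must use the separate routed range HE assigned")
    return {
        "tunnel_network": str(tunnel.network),
        "routed_prefix": str(routed.network),
        "lan_address": str(routed),
    }


def render_interfaces(d: TunnelDetails) -> str:
    """The two /etc/network/interfaces fragments from the guide."""
    info = validate(d)
    lan = info["lan_address"]
    lines = [
        f"# Adding an IPv6 address to the {d.lan_iface} interface (goes under its stanza).",
        f"up ip -6 addr add {lan} dev {d.lan_iface}",
        f"down ip -6 addr del {lan} dev {d.lan_iface}",
        "",
        "# IPv6 via Hurricane Electric Tunnel",
        f"auto {d.tun_iface}",
        f"iface {d.tun_iface} inet6 v4tunnel",
        f"    endpoint {d.server_ipv4}",
    ]
    if d.local_ipv4:  # optional; HE's sample config sets it, the guide does not
        lines.append(f"    local {ipaddress.IPv4Address(d.local_ipv4)}")
    lines += [
        f"    address {ipaddress.IPv6Address(d.client_ipv6)}",
        "    netmask 64",
        "    ttl 255",
        f"    up ip -6 route add default dev {d.tun_iface}",
        f"    down ip -6 route del default dev {d.tun_iface}",
    ]
    return "\n".join(lines) + "\n"


def render_radvd(d: TunnelDetails, mtu: int = 1480) -> str:
    """radvd.conf advertising the routed /64 on the LAN, as in the guide."""
    info = validate(d)
    return (
        f"interface {d.lan_iface}\n"
        "{\n"
        "    AdvSendAdvert on;\n"
        f"    AdvLinkMTU {mtu};\n"
        f"    prefix {info['routed_prefix']}\n"
        "    {\n"
        "        AdvOnLink on;\n"
        "        AdvAutonomous on;\n"
        "    };\n"
        "};\n"
    )


# The guide's documentation values (RFC 3849); substitute your own.
GUIDE = TunnelDetails(
    server_ipv4="216.66.22.2",
    client_ipv6="2001:DB8:7:7aa::2",
    routed_address="2001:DB8:8:7aa::1",
)

if __name__ == "__main__":
    print(render_interfaces(GUIDE))
    print(render_radvd(GUIDE))
```

Python's ipaddress module prints IPv6 in lowercase, so the rendered files show 2001:db8:... rather than the guide's 2001:DB8:...; both forms are the same address. The check that matters most is the last one in validate(): if the routed /64 is confused with the tunnel /64, the gateway still pings out fine but LAN hosts get addresses that HE does not route to you.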
All going well, you could bring up the interface, start radvd, and everything should work. However, I wouldn't recommend it yet: every device on your network that gets an IPv6 address would be reachable from every IPv6-enabled host on the internet (Samba shares spring to mind).
Setting up a ufw firewall under Ubuntu for IPv6
Enable IPv6 support under ufw
sudo nano /etc/default/ufw
Change the following part to yes
# Set to yes to apply rules to support IPv6
# (no means only IPv6 on loopback accepted).
# You will need to 'disable' and then 'enable'
# the firewall for the changes to take affect.
IPV6=yes
Set the default forward policy to ACCEPT
# Set the default forward policy to ACCEPT, DROP or REJECT.
# Please note that if you change this you will most likely
# want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
Now we need to enable ufw; at the terminal type:
sudo ufw enable
Like most people, I'm behind a firewall/router, so I have a private 192.168.0.0/16 address range, same as most PC users these days. I would like to allow access from all the devices on my own network.
To do this I type the following at the terminal:
sudo ufw allow from 192.168.0.0/16
I want to allow the tunnel traffic from my HE Server IPv4 Endpoint, inbound and outbound. IPv6-over-IPv4 tunnels (Hurricane Electric) and 6to4 are supported by using the 'ipv6' protocol (41). Restricting this rule to HE's endpoint address matters: allowing protocol 41 from any source would let anyone on the internet inject IPv6 packets into your tunnel interface.
sudo ufw allow from 216.66.22.2 proto ipv6
I would like to allow BOOTP/DHCP server traffic on port 67. This is only needed if this gateway is also your DHCP server; radvd's router advertisements are ICMPv6, not UDP, and ufw's default before6.rules already accept the ICMPv6 router-solicitation and router-advertisement types.
sudo ufw allow proto any to any port 67
I want to allow access to services running on this Linux gateway under my own assigned routable IPv6 range, e.g. ssh and Samba, from within my own network only. Bear in mind that this /64 is globally routable, so a packet arriving over the tunnel with a forged source address in that range would also match; restricting the rule to the LAN side by adding "in on eth0" after "allow" closes that gap.
sudo ufw allow from 2001:DB8:8:7aa::/64
OK, if you've followed the instructions correctly, you should now be able to bring up the IPv6 interface and ping an IPv6 address with no problem.
Bringing up the he-ipv6 interface.
sudo ifup he-ipv6
Now, if you type the following
ifconfig he-ipv6
You should see something similar to this:
he-ipv6   Link encap:IPv6-in-IPv4
          inet6 addr: fe80::c0a8:10f/64 Scope:Link
          inet6 addr: 2001:DB8:7:7aa::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31141 (31.1 KB)  TX bytes:17224 (17.2 KB)
Now to test the tunnel.
ping6 -c 5 ipv6.google.com
You should get ping replies like the following if your tunnel is working correctly.
PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes
64 bytes from 2a00:1450:8006::63: icmp_seq=1 ttl=56 time=235 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=2 ttl=56 time=200 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=3 ttl=56 time=199 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=4 ttl=56 time=199 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=5 ttl=56 time=198 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 198.680/206.723/235.849/14.576 ms
That’s it, all done!
Hint: Any other Linux, Vista or Windows 7 workstation on your home network will automatically get an IPv6 address from the router advertisements and will be reachable externally (from outside your home network). So I would suggest that you firewall them and use the host scan tool provided by Hurricane Electric to test them.
Optional
Alternatively, you can turn the gateway into an IPv6 firewall, only allowing IPv6 traffic that originates from your network and blocking all incoming connections from the internet that don't.
If you decide to restrict all incoming IPv6 traffic from the internet to your local network, you need to edit the file before6.rules; use this command to edit the file.
sudo nano /etc/ufw/before6.rules
Add the following before the COMMIT line (rules placed after COMMIT are never loaded). Thanks to Ezra for pointing out the need for this.
Updated firewall rules below on 16/02/12.
# Allow full outgoing connection but no incoming connection.
-A ufw6-before-forward -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow "No Next Header" to be forwarded or proto=59
# See http://www.ietf.org/rfc/rfc1883.txt (not sure if the length
# is needed as all IPv6 headers should be that size anyway).
-A ufw6-before-forward -p ipv6-nonxt -m length --length 40 -j ACCEPT

# allow MULTICAST
# These 2 need to be open to enable Auto-Discovery.
-A ufw6-before-forward -p icmpv6 -s ff00::/8 -j ACCEPT
-A ufw6-before-forward -p icmpv6 -d ff00::/8 -j ACCEPT

# ok icmp codes
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# Optional - Allow bittorent clients on port 51413
-A ufw6-before-forward -i he-ipv6 -p tcp --dport 51413 -j ACCEPT
-A ufw6-before-forward -i he-ipv6 -p udp --dport 51413 -j ACCEPT

# Blocking incoming TCP connection requests to hosts behind this router.
-A ufw6-before-forward -i he-ipv6 -j ufw6-logging-deny
-A ufw6-before-forward -i he-ipv6 -j DROP

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
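To see what these rules actually let through to a host on the LAN, here is an added example written for this page (not part of the original guide or of Ezra's rules): a first-match walk through the ufw6-before-forward chain above, with the ufw default forward policy of ACCEPT that was set in /etc/default/ufw earlier. It is a model for reasoning about the rule set, not the kernel's packet path: it implements only the matches the rules use (input interface, protocol, multicast source or destination, ICMPv6 type, TCP/UDP destination port, conntrack state, and packet length for the no-next-header rule). The sample packets and the addresses 2001:db8:8:7aa::10 and 2001:db8:ffff::1 are constructed for the example.

```python
"""Added example: first-match walk through the guide's ufw6-before-forward
rules.  Models only the matches those rules use plus ufw's default forward
policy; it is not the real netfilter packet path.  Sample traffic uses
RFC 3849 documentation addresses constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MULTICAST = ipaddress.IPv6Network("ff00::/8")
TUNNEL_IFACE = "he-ipv6"
DEFAULT_FORWARD_POLICY = "ACCEPT"  # DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw


@dataclass(frozen=True)
class Packet:
    in_iface: str                      # interface the packet arrived on (-i)
    proto: str                         # "tcp", "udp", "icmpv6" or "ipv6-nonxt" (-p)
    src: str                           # source address (-s)
    dst: str                           # destination address (-d)
    dport: Optional[int] = None        # TCP/UDP destination port (--dport)
    icmpv6_type: Optional[str] = None  # --icmpv6-type name
    state: str = "NEW"                 # conntrack state: NEW, ESTABLISHED or RELATED
    length: int = 0                    # total packet length (-m length --length)


Rule = Tuple[str, Callable[[Packet], bool], str]  # (description, match, target)


def from_tunnel(p: Packet) -> bool:
    return p.in_iface == TUNNEL_IFACE


def icmp_type(name: str) -> Callable[[Packet], bool]:
    """Matcher for one `-p icmpv6 --icmpv6-type <name>` rule."""
    return lambda p: p.proto == "icmpv6" and p.icmpv6_type == name


# The chain in exactly the order the guide adds it to before6.rules.
UFW6_BEFORE_FORWARD: List[Rule] = [
    ("established/related replies in from the tunnel",
     lambda p: from_tunnel(p) and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("no next header, length 40",
     lambda p: p.proto == "ipv6-nonxt" and p.length == 40, "ACCEPT"),
    ("icmpv6 from multicast",
     lambda p: p.proto == "icmpv6" and ipaddress.IPv6Address(p.src) in MULTICAST, "ACCEPT"),
    ("icmpv6 to multicast",
     lambda p: p.proto == "icmpv6" and ipaddress.IPv6Address(p.dst) in MULTICAST, "ACCEPT"),
] + [
    (f"icmpv6 {t}", icmp_type(t), "ACCEPT")
    for t in ("destination-unreachable", "packet-too-big", "time-exceeded",
              "parameter-problem", "echo-request", "echo-reply")
] + [
    ("bittorrent tcp/51413 in from the tunnel",
     lambda p: from_tunnel(p) and p.proto == "tcp" and p.dport == 51413, "ACCEPT"),
    ("bittorrent udp/51413 in from the tunnel",
     lambda p: from_tunnel(p) and p.proto == "udp" and p.dport == 51413, "ACCEPT"),
    ("log everything else in from the tunnel", from_tunnel, "ufw6-logging-deny"),
    ("drop everything else in from the tunnel", from_tunnel, "DROP"),
]


def forward_verdict(p: Packet, chain: List[Rule] = UFW6_BEFORE_FORWARD) -> Tuple[str, str]:
    """First terminating target wins.  ufw6-logging-deny only logs and returns
    to the calling chain, so the walk continues past it.  A packet matching
    no rule falls through to ufw's default forward policy."""
    for desc, match, target in chain:
        if match(p):
            if target == "ufw6-logging-deny":
                continue
            return target, desc
    return DEFAULT_FORWARD_POLICY, "ufw default forward policy"


# Constructed sample traffic (documentation addresses, not real hosts).
LAN_HOST = "2001:db8:8:7aa::10"  # a workstation autoconfigured by radvd
REMOTE = "2001:db8:ffff::1"      # some host out on the IPv6 internet

SAMPLES: Dict[str, Packet] = {
    "ssh from the internet to a LAN host":
        Packet(TUNNEL_IFACE, "tcp", REMOTE, LAN_HOST, dport=22),
    "smb from the internet to a LAN host":
        Packet(TUNNEL_IFACE, "tcp", REMOTE, LAN_HOST, dport=445),
    "reply to a LAN-initiated https session":
        Packet(TUNNEL_IFACE, "tcp", REMOTE, LAN_HOST, dport=51234, state="ESTABLISHED"),
    "ping from the internet to a LAN host":
        Packet(TUNNEL_IFACE, "icmpv6", REMOTE, LAN_HOST, icmpv6_type="echo-request"),
    "packet-too-big from a router on the path":
        Packet(TUNNEL_IFACE, "icmpv6", REMOTE, LAN_HOST, icmpv6_type="packet-too-big"),
    "bittorrent udp/51413 from the internet":
        Packet(TUNNEL_IFACE, "udp", REMOTE, LAN_HOST, dport=51413),
    "LAN host opening an https session":
        Packet("eth0", "tcp", LAN_HOST, REMOTE, dport=443),
}


def report(samples: Dict[str, Packet] = SAMPLES,
           chain: List[Rule] = UFW6_BEFORE_FORWARD) -> Dict[str, str]:
    """Verdict per sample; pass chain=[] to see the gateway without these rules."""
    return {name: forward_verdict(p, chain)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:7} {name}")
    print("without the rules, smb from the internet is:",
          forward_verdict(SAMPLES["smb from the internet to a LAN host"], chain=[])[0])
```

Running it shows why the order matters: the RELATED,ESTABLISHED accept has to sit before the final DROP or replies to LAN-initiated sessions die; echo-request is deliberately accepted, so LAN hosts stay pingable from the internet (and packet-too-big must stay accepted for path MTU discovery to work across the 1480-byte tunnel); and with an empty chain every sample comes back ACCEPT, which is exactly the exposed state the hint above warns about. One caveat on the two multicast rules: router and neighbour discovery are link-local and are never forwarded between interfaces, so those rules are not what keeps autoconfiguration working in this chain; they rarely match anything here but do no harm.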
Done
References:
Hurricane Electric – Tunnel Broker
IPv6 Universal TCP Port Scanner
Test your IPv6
Easy Config for Linux Router
Building a IPv6 Gateway
anyweb sample configurations
IPv6 – Ubuntu Wiki
Ubuntu UFW Firewall
Private Class B Network Address
Neighbor Discovery for IP Version 6
Radvd config manpage
Enabling IPv6 Privacy Extensions on Ubuntu Linux
IPv6 at home – A guide to getting started
IP6: Getting a functional DHCPv6 and Route Advertising together
Linux Home Automation – Home IPv6 Networking
Various DHCP Servers and Client configuration examples
Linux IPv6 HOWTO (en)
RDNSSD Not adding DNS servers to resolve.conf
This is the best guide I’ve found on doing this – thanks! Was running into lots of issues doing this on Hardy Heron but finally upgraded to latest LTS (10.04) and everything is working now
Is it possible to do this with ufw on the gateway, or does it have to be done by each device? If it is possible on the gateway, could you explain how, as I’ve been trying to figure it out and google isn’t giving me any useful answers.
Yes, it is possible to do this using ip6tables on the gateway; I've not covered it as that wasn't really the point of the exercise.
To list the ip6tables rules, type "sudo ip6tables --list" at the prompt.
You might also want to read “Linux IPv6 Howto” at
http://tldp.org/HOWTO/html_single/Linux+IPv6-HOWTO/#FIREWALLING-NETFILTER6.
Ah. I didn’t think about doing it with ip6tables manually. Thanks for the tip. I’m used to having a hardware firewall, so I’m not an expert on software ones. Which is why I went with Ubuntu’s supposed easy to use ufw in the first place.
I'm really surprised that there are no guides about setting up the firewall to block forwarding incoming requests. Sure it's important to firewall the server running as the gateway, but why does nobody care about protecting all the desktops and portable devices behind it? Seems like that should be a high priority. Especially since you just have to block everything to start with (I'd much rather have all the ports on my Windows boxes blocked and have bittorrent not work optimally than leave all ports open, for instance). Then later people can figure out how to open specific ports if they need them.
In case anyone else is interested, to block incoming requests over TCP run: "ip6tables -I FORWARD -i he-ipv6 -p tcp --syn -j DROP". I'm not sure about UDP, since the version of nmap I have won't scan UDP ports over IPv6, but I ran "ip6tables -I FORWARD -i he-ipv6 -p udp -j DROP". So hopefully that worked.
Thanks Ezra,
If you don’t mind, I’ll add the above to the tutorial as an extra. And once again, thanks for the info