Setting up an IPv6 Gateway on Hurricane Electric using Ubuntu 10.04.2

The first thing you’ll need to do is register at the Hurricane Electric website and create your tunnel. I’m not going to go over that, since there’s a lot of help on the Hurricane Electric website about it. These instructions only apply once you’ve registered as a user and set up your tunnel on their website.

These instructions apply to Debian and Ubuntu derivatives; I’m sure they will work for other distributions with a little tweaking. Thanks to angelou on the Hurricane Electric web forum for doing most of the hard work. These instructions are mostly his work, with the ufw firewall instructions provided by me.

Take a note of your tunnel details from the Hurricane Electric website; you’ll need them to set up your Linux IPv6 gateway. The IPv6 addresses below are used for documentation purposes only, see RFC 3849 (no point showing everyone on the internet my home IPv6 address, that would just be silly :-) )

HE Server IPv4 Endpoint: 216.66.22.2
Static IPv6 assignment from my routable range: 2001:DB8:8:7aa::1
Client IPv6 Endpoint: 2001:DB8:7:7aa::2

You need to edit /etc/network/interfaces and add your own data to it in two pieces: the first piece goes into the stanza for your own network adaptor (usually eth0), and the second piece goes at the bottom of the file, after that.

sudo nano /etc/network/interfaces
  • Adding a static IPv6 address from my routable range to eth0.
  • Adding the he-ipv6 tunnel interface, which carries the Client IPv6 endpoint address, with a default route through it.
  • Please note that the two IPs are on different networks (the tunnel /64 and the routed /64).
# Adding an IPv6 address to the eth0 interface.
# Interface up
up ip -6 addr add 2001:DB8:8:7aa::1/64 dev eth0

# Interface down
down ip -6 addr del 2001:DB8:8:7aa::1/64 dev eth0

The IPv6 and IPv4 settings below will of course be yours and not the ones I’ve made up for the purpose of showing how it’s done :-)

# IPv6 via Hurricane Electric Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
endpoint 216.66.22.2
address 2001:DB8:7:7aa::2
netmask 64
ttl 255 

up ip -6 route add default dev he-ipv6
down ip -6 route del default dev he-ipv6

Now we’re going to install and configure radvd. First, install radvd.

sudo apt-get install radvd

Then configure radvd for your routed range.

sudo nano /etc/radvd.conf

The only part you have to change below is the “prefix”, which will be your own routed IPv6 prefix.

interface eth0
{
    AdvSendAdvert on;
    AdvLinkMTU 1480;
    prefix 2001:DB8:8:7aa::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
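To tie the interfaces stanzas and radvd.conf together, here is a small Python script added as an illustration (it is not part of the original tutorial and not a Hurricane Electric tool). It takes the three tunnel details, checks that the tunnel /64 and the routed /64 really are different networks (the most common mistake is advertising the tunnel prefix on the LAN), and renders both config fragments from them. The addresses are the RFC 3849 documentation values used above; the function names are my own.

```python
import ipaddress

# Tunnel details as the broker's web page shows them. These are the page's
# RFC 3849 documentation addresses (constructed sample input); use your own.
HE_IPV4_ENDPOINT = "216.66.22.2"
CLIENT_IPV6_ENDPOINT = "2001:DB8:7:7aa::2"   # our side of the /64 tunnel link
LAN_IPV6_ADDRESS = "2001:DB8:8:7aa::1"       # gateway's address in the routed /64
TUNNEL_MTU = 1480                            # 1500 minus the 20-byte outer IPv4 header


def check_address_plan(client_endpoint, lan_address):
    """Return (tunnel_net, lan_net); raise ValueError if the plan is unsound.

    The tunnel /64 and the routed /64 must be different networks: the gateway
    routes between them, and radvd must advertise the routed prefix on eth0,
    never the tunnel prefix.
    """
    tunnel = ipaddress.IPv6Interface(f"{client_endpoint}/64")
    lan = ipaddress.IPv6Interface(f"{lan_address}/64")
    if tunnel.network == lan.network:
        raise ValueError(f"{lan_address} lies in the tunnel /64 {tunnel.network}; "
                         "use an address from the routed /64 instead")
    if lan.ip == lan.network.network_address:
        raise ValueError("the ::0 address of a /64 is the subnet-router anycast "
                         "address; pick ::1 or similar")
    return tunnel.network, lan.network


def plan_is_sound(client_endpoint, lan_address):
    """Boolean wrapper around check_address_plan for quick checks."""
    try:
        check_address_plan(client_endpoint, lan_address)
    except ValueError:
        return False
    return True


def render_interfaces(endpoint_v4, client_endpoint, lan_address):
    """Return (eth0_lines, he_ipv6_stanza) for /etc/network/interfaces."""
    ipaddress.IPv4Address(endpoint_v4)        # raises on a malformed endpoint
    check_address_plan(client_endpoint, lan_address)
    eth0_lines = (
        "# Adding an IPv6 address to the eth0 interface.\n"
        f"up ip -6 addr add {lan_address}/64 dev eth0\n"
        f"down ip -6 addr del {lan_address}/64 dev eth0\n"
    )
    he_stanza = (
        "# IPv6 via Hurricane Electric Tunnel\n"
        "auto he-ipv6\n"
        "iface he-ipv6 inet6 v4tunnel\n"
        f"    endpoint {endpoint_v4}\n"
        f"    address {client_endpoint}\n"
        "    netmask 64\n"
        "    ttl 255\n"
        "    up ip -6 route add default dev he-ipv6\n"
        "    down ip -6 route del default dev he-ipv6\n"
    )
    return eth0_lines, he_stanza


def render_radvd(client_endpoint, lan_address, mtu=TUNNEL_MTU):
    """Return /etc/radvd.conf advertising the routed /64 (never the tunnel /64)."""
    _, lan_net = check_address_plan(client_endpoint, lan_address)
    return (
        "interface eth0\n"
        "{\n"
        "    AdvSendAdvert on;\n"
        f"    AdvLinkMTU {mtu};\n"
        f"    prefix {lan_net}\n"
        "    {\n"
        "        AdvOnLink on;\n"
        "        AdvAutonomous on;\n"
        "    };\n"
        "};\n"
    )


if __name__ == "__main__":
    eth0, he = render_interfaces(HE_IPV4_ENDPOINT, CLIENT_IPV6_ENDPOINT, LAN_IPV6_ADDRESS)
    print(eth0)
    print(he)
    print(render_radvd(CLIENT_IPV6_ENDPOINT, LAN_IPV6_ADDRESS))
```

Run it and paste the output into the two files; if you feed it an address from the wrong /64 it refuses rather than silently producing a radvd.conf that advertises the tunnel link.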

Now you’re going to edit the sysctl.conf file so that IPv6 forwarding to your other IPv6-enabled devices survives a reboot.

sudo nano /etc/sysctl.conf

Find the following block and uncomment the forwarding line so that it reads:

# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=1

Now we’re going to enable IPv6 forwarding on the fly by reloading sysctl.conf.

sudo sysctl -p

All going well, you could bring up the interface followed by radvd and everything should work. However, I wouldn’t recommend it. Every device on your network that gets an IPv6 address would be visible to all IPv6-enabled devices on the internet (Samba shares spring to mind).

Setting up a ufw firewall under Ubuntu for IPv6

Enable IPv6 support in ufw:

sudo nano /etc/default/ufw

Change the following setting to yes:

# Set to yes to apply rules to support IPv6
# (no means only IPv6 on loopback accepted).
# You will need to 'disable' and then 'enable'
# the firewall for the changes to take effect.
IPV6=yes

Set the default forward policy to ACCEPT:

# Set the default forward policy to ACCEPT, DROP or REJECT. 
# Please note that if you change this you will most likely
# want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

Now we need to enable ufw. At the terminal, type:

sudo ufw enable

Like most people, I’m behind a firewall/router, so I have a private Class B network address, the same as most PC users these days. I would like to allow access from all the devices on my own network.

To do this I do the following at the terminal:

sudo ufw allow from 192.168.0.0/16

I want to allow the IPv6 tunnel traffic from my HE Server IPv4 Endpoint, inbound and outbound. IPv6 over IPv4 tunnels (Hurricane Electric) and 6to4 are carried by IP protocol 41, which ufw calls the ‘ipv6’ protocol.

sudo ufw allow from 216.66.22.2 proto ipv6

I would like to allow bootp services on port 67 for the radvd service.

sudo ufw allow proto any to any port 67

I want to allow access to services running on this Linux gateway (e.g. ssh, Samba) from my own routed IPv6 range only, i.e. from within my own network.

sudo ufw allow from 2001:DB8:8:7aa::/64
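To see why the IPv4 rule above is written with proto ipv6 (protocol 41) and what it actually lets through, here is an added Python example (mine, not from the tutorial, ufw or Hurricane Electric). It builds a constructed 6in4 packet, parses the outer IPv4 header, which is all an IPv4 ufw rule can match on, and then decapsulates the inner IPv6 header, which is what appears on he-ipv6 and is therefore what the ip6tables forward chains filter. The 203.0.113.5 and 198.51.100.7 addresses are documentation placeholders standing in for my own public IPv4 address and an unrelated host; the IPv4 checksum is left at zero because nothing ever transmits the packet.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # the 'ipv6' entry in /etc/protocols: IPv6 encapsulated in IPv4 (6in4)
ICMPV6 = 58         # IPv6 next-header value for ICMPv6


def parse_ipv4_header(buf):
    """Decode the outer IPv4 header; this is all an IPv4 ufw rule can match on."""
    version = buf[0] >> 4
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    src = ipaddress.IPv4Address(buf[12:16])
    dst = ipaddress.IPv4Address(buf[16:20])
    return {"version": version, "ihl": ihl, "total_len": total_len,
            "proto": proto, "src": str(src), "dst": str(dst)}


def parse_ipv6_header(buf):
    """Decode the inner IPv6 header that appears on he-ipv6 after decapsulation."""
    version = buf[0] >> 4
    payload_len, next_header, hop_limit = struct.unpack("!HBB", buf[4:8])
    src = ipaddress.IPv6Address(buf[8:24])
    dst = ipaddress.IPv6Address(buf[24:40])
    return {"version": version, "payload_len": payload_len, "next_header": next_header,
            "hop_limit": hop_limit, "src": str(src), "dst": str(dst)}


def classify_6in4(packet, he_endpoint):
    """Model the two filtering layers the tutorial configures.

    Returns (verdict, outer, inner). The IPv4 layer ('ufw allow from <endpoint>
    proto ipv6') only sees the outer header, so only a protocol-41 packet from
    the broker's endpoint is accepted and decapsulated; the inner IPv6 header is
    what the ufw6-before-forward rules on he-ipv6 then get to filter.
    """
    outer = parse_ipv4_header(packet)
    if outer["version"] != 4 or outer["proto"] != IPPROTO_IPV6:
        return "not-6in4", outer, None
    if outer["src"] != he_endpoint:
        return "outer-src-mismatch", outer, None   # the ufw rule would not match this
    inner = parse_ipv6_header(packet[outer["ihl"]:outer["total_len"]])
    if inner["version"] != 6:
        return "bad-inner-version", outer, None
    return "tunnel", outer, inner


def build_6in4(src4, dst4, src6, dst6, payload=b"", next_header=ICMPV6):
    """Construct a 6in4 packet for testing (IPv4 checksum left zero; never sent)."""
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
             + ipaddress.IPv6Address(src6).packed
             + ipaddress.IPv6Address(dst6).packed
             + payload)
    total_len = 20 + len(inner)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 255, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    return outer + inner


# Constructed sample traffic: an ICMPv6 echo request from an Internet host to a
# LAN host, once via the broker's endpoint and once from an unrelated IPv4 host.
ECHO_REQUEST = b"\x80\x00\x00\x00\x00\x01\x00\x01"
FROM_BROKER = build_6in4("216.66.22.2", "203.0.113.5",
                         "2001:db8::1", "2001:db8:8:7aa::10", ECHO_REQUEST)
FROM_STRANGER = build_6in4("198.51.100.7", "203.0.113.5",
                           "2001:db8::1", "2001:db8:8:7aa::10", ECHO_REQUEST)

if __name__ == "__main__":
    for name, pkt in (("from broker", FROM_BROKER), ("from stranger", FROM_STRANGER)):
        verdict, outer, inner = classify_6in4(pkt, "216.66.22.2")
        print(name, verdict, outer["src"], "->", outer["dst"],
              "inner:", None if inner is None else f"{inner['src']} -> {inner['dst']}")
```

The point to take away: the `allow from 216.66.22.2 proto ipv6` rule decides only whether the outer wrapper is accepted from the broker; everything about the IPv6 conversation inside (source, destination, ports) is invisible at that layer and has to be filtered on he-ipv6, which is what the before6.rules section further down does.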

Ok, if you’ve followed the instructions correctly, you should now be able to bring up the IPv6 interface and ping an IPv6 address with no problem.

Bringing up the he-ipv6 interface.

sudo ifup he-ipv6

Now, if you type the following

ifconfig he-ipv6

You should see something similar to this:

he-ipv6   Link encap:IPv6-in-IPv4
          inet6 addr: fe80::c0a8:10f/64 Scope:Link
          inet6 addr: 2001:DB8:7:7aa::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31141 (31.1 KB)  TX bytes:17224 (17.2 KB)

Now to test the tunnel.

ping6 -c 5 ipv6.google.com

You should get the following ping replies if your tunnel is working correctly.

PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes
64 bytes from 2a00:1450:8006::63: icmp_seq=1 ttl=56 time=235 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=2 ttl=56 time=200 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=3 ttl=56 time=199 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=4 ttl=56 time=199 ms
64 bytes from 2a00:1450:8006::63: icmp_seq=5 ttl=56 time=198 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 198.680/206.723/235.849/14.576 ms

That’s it, all done! :-D

Hint: Any other Linux, Vista or Windows 7 workstation on your home network will automatically get an IPv6 address and will be reachable from outside your home network. So I would suggest that you firewall them and use the host scan tool provided by Hurricane Electric to test them.

Optional

Alternatively, you can turn the gateway into an IPv6 firewall that only allows IPv6 connections originating from your network, blocking all incoming connections that weren’t started from inside.

If you decide that you want to block all incoming IPv6 traffic from the Internet to your local network, you need to edit the file before6.rules. Use this command to open it:

sudo nano /etc/ufw/before6.rules

Add the following before the COMMIT line. Thanks to Ezra for pointing out the need for this.

Updated firewall rules below on 16/02/12.

# Allow full outgoing connection but no incoming connection.
-A ufw6-before-forward -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow "No Next Header" to be forwarded or proto=59
# See http://www.ietf.org/rfc/rfc1883.txt (not sure if the length
# is needed as all IPv6 headers should be that size anyway).
-A ufw6-before-forward -p ipv6-nonxt -m length --length 40 -j ACCEPT

# allow MULTICAST
# These 2 need to be open to enable Auto-Discovery.
-A ufw6-before-forward -p icmpv6 -s ff00::/8 -j ACCEPT
-A ufw6-before-forward -p icmpv6 -d ff00::/8 -j ACCEPT

# ok icmp codes
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# Optional - Allow BitTorrent clients on port 51413
-A ufw6-before-forward -i he-ipv6 -p tcp --dport 51413 -j ACCEPT
-A ufw6-before-forward -i he-ipv6 -p udp --dport 51413 -j ACCEPT

# Log and then drop every other incoming connection (any protocol) to hosts behind this router.
-A ufw6-before-forward -i he-ipv6 -j ufw6-logging-deny
-A ufw6-before-forward -i he-ipv6 -j DROP

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
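The order of those rules is what makes this a stateful firewall: the RELATED,ESTABLISHED ACCEPT has to come first so that replies to connections opened from inside get back in, and the logging-deny plus DROP pair has to come last so that only unsolicited traffic reaches it. The following Python model (added here as an illustration; it is not the post’s or ufw’s code) walks the ufw6-before-forward chain in order against a few constructed packets and shows the verdict each gets, including what happens to a reply packet if the DROP rules are moved to the top. The LAN addresses are the RFC 3849 documentation values from the tutorial; the remote host 2001:db8::1 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MULTICAST = ipaddress.IPv6Network("ff00::/8")
OK_ICMP_TYPES = {"destination-unreachable", "packet-too-big", "time-exceeded",
                 "parameter-problem", "echo-request", "echo-reply"}


@dataclass
class Packet:
    in_if: str                  # interface the packet arrived on ("he-ipv6" = Internet side)
    proto: str                  # "tcp", "udp", "icmpv6" or "ipv6-nonxt"
    src: str = "::"
    dst: str = "::"
    dport: Optional[int] = None
    icmp_type: str = ""
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED
    length: int = 0             # total packet length (only the nonxt rule looks at it)


Rule = Tuple[Callable[[Packet], bool], str]


def before6_forward_rules() -> List[Rule]:
    """The tutorial's ufw6-before-forward rules, top to bottom, as (match, target)."""
    return [
        (lambda p: p.in_if == "he-ipv6" and p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        (lambda p: p.proto == "ipv6-nonxt" and p.length == 40, "ACCEPT"),
        (lambda p: p.proto == "icmpv6" and ipaddress.IPv6Address(p.src) in MULTICAST, "ACCEPT"),
        (lambda p: p.proto == "icmpv6" and ipaddress.IPv6Address(p.dst) in MULTICAST, "ACCEPT"),
        (lambda p: p.proto == "icmpv6" and p.icmp_type in OK_ICMP_TYPES, "ACCEPT"),
        (lambda p: p.in_if == "he-ipv6" and p.proto == "tcp" and p.dport == 51413, "ACCEPT"),
        (lambda p: p.in_if == "he-ipv6" and p.proto == "udp" and p.dport == 51413, "ACCEPT"),
        (lambda p: p.in_if == "he-ipv6", "LOG"),    # ufw6-logging-deny: log, then fall through
        (lambda p: p.in_if == "he-ipv6", "DROP"),
    ]


def evaluate(rules: List[Rule], packet: Packet, default_policy: str = "ACCEPT"):
    """Walk the chain in order: the first terminating target wins, LOG records and
    continues, and a packet that matches nothing gets DEFAULT_FORWARD_POLICY.
    Returns (verdict, was_logged)."""
    logged = False
    for match, target in rules:
        if not match(packet):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return default_policy, logged


# Constructed sample traffic seen by the FORWARD path.
REMOTE, LAN_HOST = "2001:db8::1", "2001:db8:8:7aa::10"
SAMPLES = {
    "reply to LAN client": Packet("he-ipv6", "tcp", REMOTE, LAN_HOST, 51234, state="ESTABLISHED"),
    "LAN client opens connection": Packet("eth0", "tcp", LAN_HOST, REMOTE, 443),
    "Internet host probes SMB": Packet("he-ipv6", "tcp", REMOTE, LAN_HOST, 445),
    "Internet peer connects to torrent client": Packet("he-ipv6", "tcp", REMOTE, LAN_HOST, 51413),
    "Internet host pings LAN host": Packet("he-ipv6", "icmpv6", REMOTE, LAN_HOST, icmp_type="echo-request"),
    "unsolicited UDP to LAN host": Packet("he-ipv6", "udp", REMOTE, LAN_HOST, 53),
}


def sample_verdicts():
    rules = before6_forward_rules()
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


def misordered_reply_verdict():
    """What the reply packet gets if the deny pair is mistakenly put first."""
    rules = before6_forward_rules()
    misordered = rules[-2:] + rules[:-2]
    return evaluate(misordered, SAMPLES["reply to LAN client"])


if __name__ == "__main__":
    for name, (verdict, logged) in sample_verdicts().items():
        print(f"{name:45s} {verdict:7s} logged={logged}")
    print("reply with DROP rules first:", misordered_reply_verdict())
```

Outbound connections never match anything in this chain and so fall through to the DEFAULT_FORWARD_POLICY="ACCEPT" set earlier, which is why that policy is needed; the misordered run shows that putting the deny pair above the state rule silently kills every reply, which is the failure mode to watch for if you ever rearrange the file.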

Done :-D

References:

Hurricane Electric – Tunnel Broker
IPv6 Universal TCP Port Scanner
Test your IPv6
Easy Config for Linux Router
Building a IPv6 Gateway
anyweb sample configurations
IPv6 – Ubuntu Wiki
Ubuntu UFW Firewall
Private Class B Network Address
Neighbor Discovery for IP Version 6
Radvd config manpage
Enabling IPv6 Privacy Extensions on Ubuntu Linux
IPv6 at home – A guide to getting started
IP6: Getting a functional DHCPv6 and Route Advertising together
Linux Home Automation – Home IPv6 Networking
Various DHCP Servers and Client configuration examples
Linux IPv6 HOWTO (en)
RDNSSD Not adding DNS servers to resolve.conf

6 thoughts on “Setting up an IPv6 Gateway on Hurricane Electric using Ubuntu 10.04.2”

  1. This is the best guide I’ve found on doing this – thanks! Was running into lots of issues doing this on Hardy Heron but finally upgraded to latest LTS (10.04) and everything is working now :)

  2. So I would suggest that you firewall them and use the host scan tool provided by HE Electric to test them.

    Is it possible to do this with ufw on the gateway, or does it have to be done by each device? If it is possible on the gateway, could you explain how, as I’ve been trying to figure it out and google isn’t giving me any useful answers.

  3. Ah. I didn’t think about doing it with ip6tables manually. Thanks for the tip. I’m used to having a hardware firewall, so I’m not an expert on software ones, which is why I went with Ubuntu’s supposedly easy-to-use ufw in the first place.

    I’m really surprised that there are no guides about setting up the firewall to block forwarding incoming requests. Sure, it’s important to firewall the server running as the gateway, but why does nobody care about protecting all the desktops and portable devices behind it? Seems like that should be a high priority. Especially since you just have to block everything to start with (I’d much rather have all the ports on my Windows boxes blocked and have bittorrent not work optimally than leave all ports open, for instance). Then later people can figure out how to open specific ports if they need them.

    In case anyone else is interested, to block incoming requests over TCP run: "ip6tables -I FORWARD -i he-ipv6 -p tcp --syn -j DROP". I’m not sure about UDP, since the version of nmap I have won’t scan UDP ports over IPv6, but I ran "ip6tables -I FORWARD -i he-ipv6 -p udp -j DROP". So hopefully that worked.

  4. Thanks Ezra,

    If you don’t mind, I’ll add the above to the tutorial as an extra. And once again, thanks for the info :-D

  5. Pingback: Plusnet IPv6 still delayed, so let’s go spelunking in a Hurricane Electric tunnel | Richard's Blog
