Setting up an IPv6 tunnel and router on Debian Squeeze with tunnelbroker.net

Scouring the net, I've found that the how-tos that exist for setting up IPv6 tunnels under Debian Linux focus on "easier to use" tunnel providers, such as SixXS or Gogo6/Freenet6, and/or are not targeted at Debian Squeeze. This article describes how to set up an IPv6 tunnel from Hurricane Electric's tunnelbroker.net on Debian Squeeze.

Debian Squeeze (or Debian 6) comes with pretty much everything you need for IPv6 right out of the box. The first thing you'll need to do is head over to tunnelbroker.net and set up an account and a tunnel. After that, you'll need to set up your firewall rules and your /etc/network/interfaces file using the information from the tunnel details page.

Setting up firewall rules

First things first: you don't want to bring up that IPv6 tunnel only to realize you never set any firewall rules beforehand. Here is the ruleset I use. It allows outgoing connections, and on the tunnel interface it only allows incoming ICMPv6 packets and new incoming connections on port 22 (SSH). The FORWARD rules cover the other computers on the LAN that reach the IPv6 internet through this tunnel. The ruleset is in ip6tables-save format, so it can be loaded with ip6tables-restore.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i 6to4 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i 6to4 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -i 6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i 6to4 -j DROP

-A FORWARD -i 6to4 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i 6to4 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i 6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i 6to4 -j DROP

COMMIT

If you have some rather strict IPv4 rules set up as well, you may need to add a rule to allow protocol 41 (IPv6 encapsulated in IPv4) through your firewall. A warning, though: it is possible for someone to impersonate the other end of the IPv6 tunnel over protocol 41, as the tunnel carries no authentication and the only thing the rule below checks is the outer IPv4 source address, which can be spoofed. If this is an issue for you, consider using a tunnel broker other than Hurricane Electric, as they only offer protocol 41 tunnels.

# iptables -I INPUT 1 -p 41 -s SERVER_IPV4_ENDPOINT -j ACCEPT

Substitute the "Server IPv4 Address" from your tunnel's details page on tunnelbroker.net for SERVER_IPV4_ENDPOINT.
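The following script is an added example, not part of the original article. It renders the ruleset above for a tunnel interface of your choosing, checks that the rules are in a safe order before anything is loaded (the catch-all DROP must be the last rule of its chain and the ICMPv6 accept must come before it, otherwise neighbour discovery and path-MTU discovery on the tunnel break), and prints the IPv4 protocol 41 rule for the server endpoint after verifying that the endpoint is a plain dotted-quad address. The rules file path /etc/ip6tables.rules and the render/check/proto41/install subcommands are this script's own conventions, not something Debian or tunnelbroker.net define.

```shell
#!/bin/sh
# Added example; not part of the original article. Renders the article's
# ip6tables ruleset for a chosen tunnel interface, checks rule order, and
# prints the IPv4 protocol-41 rule for the tunnel server endpoint.
# Assumptions (mine, not the article's or Debian's): the rules file path
# /etc/ip6tables.rules and the subcommand names at the bottom.

RULES_FILE="${RULES_FILE:-/etc/ip6tables.rules}"

# Print the article's ruleset in ip6tables-save format for tunnel interface $1.
render_ip6tables_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $1 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -i $1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $1 -j DROP
-A FORWARD -i $1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $1 -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i $1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $1 -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and verify, for INPUT and FORWARD, that the catch-all
# "-i IFACE -j DROP" is the last rule of its chain and that an ICMPv6 accept
# precedes it. Exit status 0 = order is safe, 1 = not.
check_rule_order() {
  awk -v ifc="$1" '
    /^-A (INPUT|FORWARD) / {
      chain = $2
      if ($0 ~ /-p ipv6-icmp -j ACCEPT/) icmp[chain] = 1
      if ($0 ~ ("-i " ifc " -j DROP[ \t]*$")) {
        if (!icmp[chain]) bad = 1   # ICMPv6 would be dropped before it is accepted
        drop[chain] = 1
      } else if (drop[chain]) {
        bad = 1                     # unreachable rule after the catch-all DROP
      }
    }
    END { if (bad || !drop["INPUT"] || !drop["FORWARD"]) exit 1; exit 0 }
  '
}

# Print the IPv4 rule from the article that lets protocol 41 in from the server
# endpoint only. Refuses anything that is not a dotted quad, so a stray "/0" or
# a hostname cannot silently widen the rule.
render_proto41_rule() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
    echo "render_proto41_rule: not an IPv4 address: $1" >&2
    return 1
  }
  printf 'iptables -I INPUT 1 -p 41 -s %s -j ACCEPT\n' "$1"
}

# Write the ruleset and load it (root only). Refuses to load a mis-ordered set.
install_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "install_rules: run as root" >&2; return 1; }
  render_ip6tables_rules "$1" | check_rule_order "$1" || return 1
  render_ip6tables_rules "$1" > "$RULES_FILE"
  ip6tables-restore < "$RULES_FILE"
}

case "${1:-}" in
  render)  render_ip6tables_rules "${2:-6to4}" ;;
  check)   check_rule_order "${2:-6to4}" ;;            # reads a ruleset on stdin
  proto41) render_proto41_rule "${2:?server IPv4 endpoint}" ;;
  install) install_rules "${2:-6to4}" ;;
esac
```

To make sure the rules are in place before the tunnel comes up, add `pre-up ip6tables-restore < /etc/ip6tables.rules` to the 6to4 stanza in /etc/network/interfaces; ifupdown runs pre-up commands before it creates the interface.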

Setting up the tunnel

Next, edit /etc/network/interfaces to look like this (the tunnel interface is called 6to4 throughout this article, but it's a plain protocol 41 tunnel and the name is arbitrary):

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# inet6 for eth0
iface eth0 inet6 static
	address CLIENT_IPV6_ADDRESS
	netmask 64

auto 6to4
iface 6to4 inet6 v4tunnel
	address CLIENT_IPV6_ENDPOINT
	netmask 64
	local CLIENT_IPV4_ENDPOINT
	endpoint SERVER_IPV4_ENDPOINT
	up ip route add ::/0 via SERVER_IPV6_ENDPOINT dev 6to4
	up ip route add ROUTED_64 dev eth0

In this template, you'll need to replace the placeholders with the information from your tunnel details page. For instance, CLIENT_IPV6_ENDPOINT will be something like 2001:dead:beef:cafe::2/64 and SERVER_IPV6_ENDPOINT will be 2001:dead:beef:cafe::1/64. When filling in the address, local and endpoint options, you should *not* include the /64 trailing the address. However, when you put the SERVER_IPV6_ENDPOINT and ROUTED_64 addresses into the ip route commands, you should include the /64 after the address. Here's an example interfaces file:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# inet6 for eth0
iface eth0 inet6 static
	address 2001:dead:beef:cafe::2
	netmask 64

auto 6to4
iface 6to4 inet6 v4tunnel
	address 2001:dead:beef:cafe::2
	netmask 64
	local 192.168.5.5
	endpoint 209.51.181.2
	up ip route add ::/0 via 2001:dead:beef:cafe::1/64 dev 6to4
	up ip route add 2001:dead:face:fade::/64 dev eth0

A note on the local option, where you fill in the client endpoint: you can use the client IPv4 address listed on the tunnel page, but this may not always work if you're behind a NAT. On my setup, I configured my pfSense firewall to forward protocol 41 to my server, and then used my server's LAN IP address as the local endpoint of the tunnel.

After setting up your interfaces file, bring eth0 down, then bring eth0 and 6to4 back up (ifdown eth0, then ifup eth0 and ifup 6to4), and voilà: you have an IPv6 tunnel set up and ready to use.

Enable forwarding

Before the next step, you'll want to enable IPv6 forwarding. You can do this by running these two commands at the console as root:

# echo net.ipv6.conf.all.forwarding = 1 >> /etc/sysctl.conf
# sysctl -p

RADVD

So now you've got a fancy IPv6 tunnel set up and you want to tell the other machines on your network about it so they can use it too. Install the radvd package with 'apt-get install radvd'. Configuring radvd is pretty simple; just edit /etc/radvd.conf to look like this:

interface eth0
{
	AdvSendAdvert on;
	prefix ROUTED_64
	{
		AdvOnLink on;
	};
};

As before, replace ROUTED_64 with the address space allocated to you by tunnelbroker.net (e.g. 2001:dead:face:fade::/64). Other computers on your local network should now receive the router advertisement and automatically configure themselves an IPv6 address in that prefix.
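As an added example (not part of the original article), the script below generates both the /etc/network/interfaces stanzas from the tunnel section and the /etc/radvd.conf above from the values on the tunnel details page. Its helpers enforce the rule stated earlier: address, local and endpoint get no prefix length, while the ROUTED_64 route destination and the radvd prefix keep their /64. It also flags a local endpoint in private (RFC 1918) space, which is the NAT case where the router in front of the server has to forward protocol 41 inward. One deliberate difference from the article's example file: the gateway in `up ip route add ::/0 via ...` is written without a prefix length, because iproute2 rejects `via ADDRESS/64` with "an inet address is expected"; the /64 belongs only on the route destination. The sample values are the article's own placeholders, and the output paths and subcommand names are this script's assumptions.

```shell
#!/bin/sh
# Added example; not part of the original article. Renders the article's
# /etc/network/interfaces stanzas and /etc/radvd.conf from the tunnel page
# values, enforcing "no /64 on address/local/endpoint, /64 on the route
# destination". The "via" gateway is rendered without a prefix length because
# iproute2 does not accept one there. Sample values below are the article's
# placeholders; file paths and subcommand names are this script's assumptions.

# Values from the tunnel details page (override any of them from the environment).
TUN_IF=${TUN_IF:-6to4}
CLIENT_IPV6_ENDPOINT=${CLIENT_IPV6_ENDPOINT:-2001:dead:beef:cafe::2/64}
SERVER_IPV6_ENDPOINT=${SERVER_IPV6_ENDPOINT:-2001:dead:beef:cafe::1/64}
CLIENT_IPV4_ENDPOINT=${CLIENT_IPV4_ENDPOINT:-192.168.5.5}
SERVER_IPV4_ENDPOINT=${SERVER_IPV4_ENDPOINT:-209.51.181.2}
ROUTED_64=${ROUTED_64:-2001:dead:face:fade::/64}

# "2001:dead:beef:cafe::2/64" -> "2001:dead:beef:cafe::2" (unchanged if there is no /NN)
strip_prefix() { printf '%s\n' "${1%/*}"; }

# "2001:dead:face:fade::" -> "2001:dead:face:fade::/64" (unchanged if a /NN is present)
with_prefix() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/%s\n' "$1" "${2:-64}" ;;
  esac
}

# RFC 1918 test for the local endpoint: a private address here means the host
# sits behind a NAT that must forward protocol 41 to it, as the article notes.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the interfaces file. Indentation uses spaces; ifupdown accepts either.
render_interfaces() {
  client_v6=$(strip_prefix "$CLIENT_IPV6_ENDPOINT")
  server_v6=$(strip_prefix "$SERVER_IPV6_ENDPOINT")   # bare address for "via"
  client_v4=$(strip_prefix "$CLIENT_IPV4_ENDPOINT")
  server_v4=$(strip_prefix "$SERVER_IPV4_ENDPOINT")
  routed_64=$(with_prefix "$ROUTED_64")               # route destination keeps /64
  cat <<EOF
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# inet6 for eth0 (the article uses the tunnel's client address here as well)
iface eth0 inet6 static
    address $client_v6
    netmask 64

auto $TUN_IF
iface $TUN_IF inet6 v4tunnel
    address $client_v6
    netmask 64
    local $client_v4
    endpoint $server_v4
    up ip route add ::/0 via $server_v6 dev $TUN_IF
    up ip route add $routed_64 dev eth0
EOF
}

# Print radvd.conf advertising the routed /64 on the LAN interface.
render_radvd() {
  cat <<EOF
interface eth0
{
    AdvSendAdvert on;
    prefix $(with_prefix "$ROUTED_64")
    {
        AdvOnLink on;
    };
};
EOF
}

# Write both files (root only), pointing out the NAT caveat when it applies.
write_configs() {
  [ "$(id -u)" -eq 0 ] || { echo "write_configs: run as root" >&2; return 1; }
  if is_private_ipv4 "$(strip_prefix "$CLIENT_IPV4_ENDPOINT")"; then
    echo "note: local endpoint is a private address; the NAT device must forward protocol 41 to this host" >&2
  fi
  render_interfaces > /etc/network/interfaces
  render_radvd > /etc/radvd.conf
}

case "${1:-}" in
  interfaces) render_interfaces ;;
  radvd)      render_radvd ;;
  write)      write_configs ;;
esac
```

Run it as `sh gen-tunnel.sh interfaces` or `sh gen-tunnel.sh radvd` to review the output before writing anything, and set the six variables in the environment to use your own tunnel's values instead of the article's placeholders.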