It was time for me to start using the #IPv6.
My VPS hosting provider: edis have already allocated me a
2a01:7a0:10:158:255:214:14:0/112
and some extra info
Gateway:
2a01:7a0:10::1
Nameserver:
2a03:f80:ed15:ed15:ed15:ed15:d8b9:da76
2a03:f80:ed15:ca7:ea75:b12d:7b0:3e5b
I have two network cards (I run my own AUTH-NS server and some greek registrars require two different IPs for that).
I have split up the above /112 to two /113 subnets.
2a01:7a0:10:158:255:214:14::/113
2a01:7a0:10:158:255:214:14:8000/113
My settings are based on CentOS 6.6 as the time of this article.
Part Zero: kernel
First thing first, tell kernel to support ipv6 by editing: /etc/sysctl.conf
comment (if there is) the below line:
# net.ipv6.conf.all.disable_ipv6=1
This mean that next time you reboot your machine, ipv6 will be enabled.
There is another way, if you dont want to reboot your vps, by running as root:
sysctl net.ipv6.conf.all.disable_ipv6=0
Part One: Network
Edit your ifcfg-eth* files:
/etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14::/123
IPV6ADDR_SECONDARIES=”2a01:7a0:10:158:255:214:14:80/123”
IPV6_DEFAULTGW=2a01:7a0:10::1
/etc/sysconfig/network-scripts/ifcfg-eth1
IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14:8000/113
IPV6_DEFAULTGW=2a01:7a0:10::1
PLZ dont get confused about eth0. I will circle back to this.
Restart your network:
/etc/init.d/network restart
and verify your network settings:
ip -6 a
ip -6 r
Part Two: Firewall
My default policy is DROP everything and open only the ports you are running services.
Same rule applies for IPv6 too.
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT –reject-with icmp6-adm-prohibited
:FORWARD DROP [0:0]
-A FORWARD -j REJECT –reject-with icmp6-adm-prohibited
:OUTPUT ACCEPT [0:0]
At this moment, i only accept PING6 to my VPS server.
Testing this from another machine (with ipv6 support):
ping6 -c3 2a01:7a0:10:158:255:214:14::
and the result is something like this:
PING 2a01:7a0:10:158:255:214:14::(2a01:7a0:10:158:255:214:14:0) 56 data bytes
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=1 ttl=60 time=72.5 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=2 ttl=60 time=66.9 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=3 ttl=60 time=66.3 ms— 2a01:7a0:10:158:255:214:14:: ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2067ms
rtt min/avg/max/mdev = 66.355/68.618/72.573/2.822 ms
At this point we are very happy with our selfs (ipv6 related)!
Part Three: Web Server
What’s the point of having an ipv6 server and not apply some services on ?
Lets start with the apache web server.
I’ve split up my eth0 to /123 subnets cause i want to use different IPs for every service i have.
Thats way my eth0 is like that.
I chose the 2a01:7a0:10:158:255:214:14:80 as my ipv6 ip for my site.
Our web server needs to listen to ipv6.
This is tricky cause apache on ipv6 is using : as a delimiter.
So my http changes are something like these:
Listen 158.255.214.14:80
Listen [2a01:7a0:10:158:255:214:14:80]:80
to support virtual hosts:
NameVirtualHost 158.255.214.14:80
NameVirtualHost [2a01:7a0:10:158:255:214:14:80]:80
To dual stack my site:
‹ VirtualHost 158.255.214.14:80 [2a01:7a0:10:158:255:214:14:80]:80 ›
restart your apache:
/etc/init.d/httpd restart
Dont forget to manipulate your firewall settings:
-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14:80/123 –dport 80 -j ACCEPT
restart your firewall:
/etc/init.d/ip6tables restart
Part Four: DNS
The only thing that is left for us to do, is to add a AAAA resource record in our dns zone:
in my bind-file format zone: balaskas.gr
@ IN AAAA 2a01:7a0:10:158:255:214:14:80
you have to increment the SERIAL number in your zone and then reload your zone.
I use PowerDNS so it’s:
# pdns_control reload balaskas.gr
Ok
Part Five: Validate
To validate your dual stack web site, you use go through:
UPDATE: 2015 03 23
Part Six: Mail Server
Imap Server
I use dovecot for imap server. To enable IPv6 in dovecot is really easy. You just uncomment or edit Listen parameter:
listen = *, ::
restart dovecot service and check the dovecot conf:
# doveconf | grep ^listen
listen = *, ::
I use STARTTLS, so my firewall settings should be like these:
-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 143 -j ACCEPT
Just dont forget to restart and verify your ip6table !
SMTP Server
It’s really easy for postfix (my SMTP server) too. You just have to remember that you need to use brackets for [b]IPv6[/url].
## mynetworks = 127.0.0.0/8 158.255.214.14/31
mynetworks = 127.0.0.0/8 158.255.214.14/31 [2a01:7a0:10:158:255:214:14::]/112## inet_protocols = ipv4
inet_protocols = all
restart your smtp service and you are OK.
Firewall settings: /etc/sysconfig/ip6tables
-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 25 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 587 -j ACCEPT