Evaggelos Balaskas - System Engineer

The sky above the port was the color of television, tuned to a dead channel

One step closer to IPv6

Posted by ebal on Mar 20 2015 at 14:21:49 in blog, planet_ellak, planet_Sysadmin

It was time for me to start using IPv6.

My VPS hosting provider, edis, has already allocated me a

2a01:7a0:10:158:255:214:14:0/112

and some extra info

Gateway:
     2a01:7a0:10::1
Nameserver:
     2a03:f80:ed15:ed15:ed15:ed15:d8b9:da76
     2a03:f80:ed15:ca7:ea75:b12d:7b0:3e5b

I have two network interfaces (I run my own authoritative name server, and some Greek registrars require two different IPs for that).

I have split the above /112 into two /113 subnets:

2a01:7a0:10:158:255:214:14::/113
2a01:7a0:10:158:255:214:14:8000/113

My settings are based on CentOS 6.6, the current release at the time of this article.

 

Part Zero: kernel

 

First things first: tell the kernel to support IPv6 by editing /etc/sysctl.conf.

Comment out the line below, if it is there:

# net.ipv6.conf.all.disable_ipv6=1

This means that the next time you reboot your machine, IPv6 will be enabled. Check net.ipv6.conf.default.disable_ipv6 as well; that one governs interfaces created after boot.
If you don't want to reboot your VPS, there is another way: run this as root:


sysctl net.ipv6.conf.all.disable_ipv6=0 

 

Part One: Network

 

Edit your ifcfg-eth* files:

/etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14::/123
IPV6ADDR_SECONDARIES="2a01:7a0:10:158:255:214:14:80/123"
IPV6_DEFAULTGW=2a01:7a0:10::1

/etc/sysconfig/network-scripts/ifcfg-eth1

IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14:8000/113
IPV6_DEFAULTGW=2a01:7a0:10::1

Don't be confused by the /123 prefixes on eth0; I will come back to that in Part Three.

Restart your network:


/etc/init.d/network restart 

and verify your network settings:


 ip -6 a
 ip -6 r

 

Part Two: Firewall

 

My default policy is to DROP everything and open only the ports on which services are actually running.
The same rule applies to IPv6.

:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
:FORWARD DROP [0:0]
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
:OUTPUT ACCEPT [0:0]

At this moment I only accept ping6 (and the rest of ICMPv6) to my VPS server. Unlike ICMPv4, ICMPv6 must not be blocked wholesale: neighbour discovery and path MTU discovery depend on it, and an IPv6 host that drops ICMPv6 loses connectivity.
Testing this from another machine (with IPv6 support):


 ping6 -c3 2a01:7a0:10:158:255:214:14::

and the result is something like this:

PING 2a01:7a0:10:158:255:214:14::(2a01:7a0:10:158:255:214:14:0) 56 data bytes
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=1 ttl=60 time=72.5 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=2 ttl=60 time=66.9 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=3 ttl=60 time=66.3 ms

--- 2a01:7a0:10:158:255:214:14:: ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2067ms
rtt min/avg/max/mdev = 66.355/68.618/72.573/2.822 ms

At this point we are very happy with ourselves (IPv6-wise)!

 

Part Three: Web Server

 

What's the point of having an IPv6 server without running any services on it?
Let's start with the Apache web server.

I have split the eth0 /113 into /123 subnets because I want to use a different IP for every service I run.
That is why my eth0 configuration looks the way it does.

I chose 2a01:7a0:10:158:255:214:14:80 as the IPv6 address for my site.

Our web server needs to listen on IPv6.

This is slightly tricky, because Apache uses ':' as the address/port delimiter and IPv6 addresses contain colons themselves, so the address has to be enclosed in square brackets.
So my httpd changes are something like these:
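Before touching interface files and firewall rules it is worth checking the address plan itself: that the two /113s (Part One) really are the halves of the provider's /112, that the per-service /123 blocks on eth0 are aligned and live inside eth0's /113, and which interface a given address belongs to. The following is an added example using Python's standard ipaddress module; it is not code from the original post. The prefixes are the ones given in the post; the service labels in SERVICES are assumptions made for illustration.

```python
"""Added example (not from the original post): sanity-check the IPv6
address plan with the standard ipaddress module."""
import ipaddress

# Provider allocation as stated in the post.
ALLOCATION = ipaddress.IPv6Network("2a01:7a0:10:158:255:214:14:0/112")

# One /113 per interface, as in ifcfg-eth0 / ifcfg-eth1.
INTERFACES = {
    "eth0": ipaddress.IPv6Network("2a01:7a0:10:158:255:214:14::/113"),
    "eth1": ipaddress.IPv6Network("2a01:7a0:10:158:255:214:14:8000/113"),
}

# Per-service /123 blocks carved out of eth0's /113.
# The labels "host" and "www" are assumed; the post only gives the prefixes.
SERVICES = {
    "host": ipaddress.IPv6Interface("2a01:7a0:10:158:255:214:14::/123"),
    "www": ipaddress.IPv6Interface("2a01:7a0:10:158:255:214:14:80/123"),
}


def split_allocation(network, new_prefix):
    """All subnets of `network` at `new_prefix` (e.g. the two /113s of a /112)."""
    return list(network.subnets(new_prefix=new_prefix))


def interface_for(address):
    """Name of the interface whose /113 contains `address`, or None."""
    addr = ipaddress.IPv6Address(address)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def check_plan():
    """Validate the plan; return a list of problems (empty list means OK)."""
    problems = []
    # Every interface subnet must sit inside the provider allocation.
    for name, net in INTERFACES.items():
        if not net.subnet_of(ALLOCATION):
            problems.append(f"{name}: {net} is outside {ALLOCATION}")
    # Interface subnets must not overlap each other.
    nets = list(INTERFACES.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # Each service block must be aligned on its /123 boundary and belong to eth0.
    for label, iface in SERVICES.items():
        if iface.network.network_address != iface.ip:
            problems.append(f"{label}: {iface} is not the first address of its /123")
        if not iface.network.subnet_of(INTERFACES["eth0"]):
            problems.append(f"{label}: {iface.network} is not inside eth0's /113")
    return problems


if __name__ == "__main__":
    for net in split_allocation(ALLOCATION, 113):
        print("interface subnet:", net)
    print("eth0 has", len(split_allocation(INTERFACES["eth0"], 123)), "/123 blocks")
    print("problems:", check_plan() or "none")
```

The alignment check matters for the firewall later: a `-d 2a01:…:14:80/123` match only covers the 32 addresses from :80 to :9f, so the address handed to Apache must be the first of its /123 or the rule will not cover what you think it does.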

Listen 158.255.214.14:80
Listen [2a01:7a0:10:158:255:214:14:80]:80

to support virtual hosts:

NameVirtualHost 158.255.214.14:80
NameVirtualHost [2a01:7a0:10:158:255:214:14:80]:80

To dual stack my site:

<VirtualHost 158.255.214.14:80 [2a01:7a0:10:158:255:214:14:80]:80>

restart your apache:


/etc/init.d/httpd restart

Don't forget to adjust your firewall. This rule has to go before the final REJECT in the INPUT chain (ip6tables matches top to bottom, so an ACCEPT appended after the catch-all REJECT never fires):

-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14:80/123 --dport 80 -j ACCEPT

restart your firewall:


/etc/init.d/ip6tables restart

 

Part Four: DNS

 

The only thing left for us to do is to add an AAAA resource record to our DNS zone:

in my bind-file format zone: balaskas.gr

@ IN AAAA 2a01:7a0:10:158:255:214:14:80

You have to increment the SERIAL number in your zone and then reload it.
I use PowerDNS, so it's:


# pdns_control reload balaskas.gr
Ok

 

Part Five: Validate

 

To validate your dual-stack web site, go through:

ipv6-test
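The web page above tests from the outside; the same check can be scripted from any dual-stack host. The script below is an added example, not code from the original post or from ipv6-test: it resolves the name to its A and AAAA records, sends a HEAD request to every address with the site name in the Host header (so the name-based virtual host answers), and summarises the result per address family. The host name is the one used in the post; the function names and the verdict labels are assumptions for illustration.

```python
"""Added example (not from the original post): check that a site
answers over both IPv4 and IPv6."""
import http.client
import ipaddress
import socket
import sys

HOST = "balaskas.gr"  # the site from the post; pass another name as argv[1]


def resolve(host):
    """Return {'A': [...], 'AAAA': [...]} for host (live DNS lookup)."""
    records = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def probe(address, host, port=80, timeout=5.0):
    """HEAD / to one literal address; return the HTTP status, or None on failure.

    IPv6 literals are wrapped in brackets for http.client, and the real
    site name goes in the Host header so virtual hosting still works."""
    literal = f"[{address}]" if ":" in address else address
    conn = http.client.HTTPConnection(literal, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def report(addresses, host, probe=probe):
    """Probe each address; return {'A': {addr: status}, 'AAAA': {addr: status}}.

    `probe` is injectable so the summary logic can run without a network;
    it must return an HTTP status (int) or None."""
    result = {"A": {}, "AAAA": {}}
    for address in addresses:
        key = "AAAA" if ipaddress.ip_address(address).version == 6 else "A"
        result[key][address] = probe(address, host)
    return result


def verdict(result):
    """'dual-stack', 'ipv4-only', 'ipv6-only' or 'unreachable'."""
    v4 = any(status is not None for status in result["A"].values())
    v6 = any(status is not None for status in result["AAAA"].values())
    return {(True, True): "dual-stack", (True, False): "ipv4-only",
            (False, True): "ipv6-only"}.get((v4, v6), "unreachable")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    records = resolve(host)
    res = report(records["A"] + records["AAAA"], host)
    for family in ("A", "AAAA"):
        for address, status in res[family].items():
            print(f"{family:4} {address:40} {status if status else 'FAILED'}")
    print(verdict(res))
```

Probing each literal address separately is the point: a browser falls back to IPv4 when the AAAA address does not answer, so a broken AAAA record is masked for most visitors and only shows up as slow connections or failures for those without a working IPv4 path. This script reports the failing address explicitly instead of letting the fallback hide it.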

 

 

UPDATE: 2015 03 23

 

 

Part Six: Mail Server

Imap Server

I use dovecot as my IMAP server. Enabling IPv6 in dovecot is really easy: you just uncomment or edit the listen parameter:

listen = *, ::

restart the dovecot service and check the configuration:


# doveconf | grep ^listen
listen = *, ::

I use STARTTLS on port 143 (no separate IMAPS port), so my firewall settings only need:

-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 143 -j ACCEPT

Just don't forget to restart and verify your ip6tables!

SMTP Server

It's really easy for postfix (my SMTP server) too. You just have to remember that IPv6 addresses in mynetworks need square brackets.

## mynetworks = 127.0.0.0/8 158.255.214.14/31
mynetworks = 127.0.0.0/8 158.255.214.14/31 [2a01:7a0:10:158:255:214:14::]/112

## inet_protocols = ipv4
inet_protocols = all

Restart your SMTP service and you are done.

Firewall settings: /etc/sysconfig/ip6tables

-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 587 -j ACCEPT
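By now the ip6tables ruleset has been built up over Parts Two, Three and Six, and two things are easy to get wrong: appending a service ACCEPT after the catch-all REJECT (it never matches), and opening a port without a `-d` restriction to the allocated prefix. The following lint is an added example, not code from the original post: it parses iptables-save style lines and checks the properties this post relies on (INPUT policy DROP, loopback and ESTABLISHED/RELATED accepted, ICMPv6 accepted, every NEW-TCP port restricted to a destination inside the /112, and no ACCEPT hidden behind the REJECT). RULESET is constructed from the rules shown in the post in the order they must be loaded; MISORDERED_RULESET is a constructed failure case.

```python
"""Added example (not from the original post): lint an ip6tables ruleset
for the invariants the post's firewall depends on."""
import ipaddress

# Provider allocation from the post.
ALLOCATION = ipaddress.IPv6Network("2a01:7a0:10:158:255:214:14:0/112")

# Constructed from the post's rules, in the order they have to be loaded.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14:80/123 --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 --dport 587 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Constructed failure case: the port 80 rule simply appended to the chain,
# which lands it after the catch-all REJECT.
MISORDERED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14:80/123 --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {option: value}; a trailing option
    with no value (none in this ruleset) is stored as True."""
    toks = line.split()
    opts = {"chain": toks[1]}
    i = 2
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def lint(ruleset, allocation=ALLOCATION):
    """Return (findings, opened): findings is a list of problem strings,
    opened a list of (destination, port) pairs accepted for NEW TCP."""
    policies, input_rules = {}, []
    for line in ruleset.splitlines():
        if line.startswith(":"):
            chain, policy, _ = line[1:].split()
            policies[chain] = policy
        elif line.startswith("-A INPUT"):
            input_rules.append(parse_rule(line))

    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    if not any(r.get("-i") == "lo" and r.get("-j") == "ACCEPT" for r in input_rules):
        findings.append("loopback traffic is not accepted")
    if not any(r.get("-p") == "ipv6-icmp" and r.get("-j") == "ACCEPT" for r in input_rules):
        findings.append("ICMPv6 not accepted: neighbour discovery and PMTUD will break")

    opened, reject_seen = [], False
    for r in input_rules:
        # A REJECT with no protocol/address/port match is the catch-all.
        if r.get("-j") == "REJECT" and not any(k in r for k in ("-p", "-s", "-d", "--dport")):
            reject_seen = True
            continue
        if r.get("-j") == "ACCEPT" and "--dport" in r:
            port = int(r["--dport"])
            if reject_seen:
                findings.append(f"port {port} ACCEPT comes after the catch-all REJECT and never matches")
            dst = r.get("-d")
            if dst is None:
                findings.append(f"port {port} is opened for every destination address")
            elif not ipaddress.IPv6Network(dst, strict=False).subnet_of(allocation):
                findings.append(f"port {port} is opened for {dst}, outside {allocation}")
            opened.append((dst, port))
    return findings, opened


if __name__ == "__main__":
    for name, rs in (("post ruleset", RULESET), ("misordered", MISORDERED_RULESET)):
        findings, opened = lint(rs)
        print(name, "opened ports:", [p for _, p in opened])
        print(name, "findings:", findings or "none")
```

Run it against the output of `ip6tables-save` on the VPS (`python3 lint.py < <(ip6tables-save)` after reading the ruleset from stdin, or paste the file) before trusting a change; on the misordered input it reports that port 80 is unreachable behind the REJECT, which a plain `ip6tables -L` listing does not make obvious.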

Tag(s): ipv6
Ευάγγελος.Μπαλάσκας.gr

License GNU FDL 1.3 - CC BY-SA 3.0