Debian: enabling IPv6 on an EC2 instance
- Monday, 8 May 2017
```
# vim /etc/network/interfaces
```

```
auto eth0
iface eth0 inet dhcp
    post-up sleep 2

iface eth0 inet6 dhcp
```
Archives for the 'IPv6' category
Firewall template for an OpenVZ server: [Download not found].
For more information, see the article "OpenVZ: IPv6 access in Virtual Ethernet (veth) mode".
```
# ifconfig igb0 80.0.0.1 alias
# ifconfig igb0 80.0.0.1 -alias
# ifconfig igb0 inet6 2001:1:2:3::1 alias
# ifconfig igb0 inet6 2001:1:2:3::1 -alias
```
Here is an example firewall rules file, generated with Firewall Builder, for a cluster of two PF firewalls on FreeBSD.
The PF rules used cover almost every available feature:
Note that I did not use Firewall Builder's cluster management; the rules are therefore duplicated for each node.
Configuration file (format v5.1): [Download not found]
http://serverfault.com/questions/184524/switch-to-ipv6-and-get-rid-of-nat-are-you-kidding
That said, there is no reason that NAT couldn't be used in the exact same way it is being used in IPv4. In fact, a router could be designed to have one IPv6 address on the WAN port with an IPv4 private network behind it that NATs onto it (for example). This would be a simple solution for consumer and residential people. Another option is to put all devices with public IPv6 IPs; the intermediate device then could act as a L2 device, but provide a state table, packet inspection, and fully functioning firewall. Essentially, no NAT, but still blocking any unsolicited inbound frames. The important thing to remember is that you shouldn't plug your PCs directly into your WAN connection with no intermediary device. Unless of course you want to rely on the Windows firewall... and that's a different discussion. Every network, even home networks, needs an edge device protecting the local network, in addition to using the Windows firewall.
For my part, I use NAT66 with PF on BSD, which maps a public IPv6 address onto a private IPv6 address. This is for two reasons:
A small online tool to check end-to-end IPv6 connectivity:
http://ipv6-test.com/validate.php
My blog is of course reachable over IPv6!
The CARP driver in FreeBSD 8.x has a bug in its IPv6 handling. Instead of adding each IPv6 address of the CARP interface to the ff02::1 multicast group, the driver adds only the first one. Aliases are therefore not taken into account, and IPv6 neighbor discovery for them does not succeed:
```
ipv6_ifconfig_carp0="2001:1610:4::102 prefixlen 64"
ipv6_ifconfig_carp0_alias0="2001:1610:4::113 prefixlen 64"
```
```
0.000000 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
0.999052 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
1.999103 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
3.000220 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
```
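The capture above is what the bug looks like on the wire. The following Python, added here and not part of the original post, derives the solicited-node multicast group for each address configured in the rc.conf excerpt and flags the addresses whose Neighbor Solicitations go unanswered in a tshark summary capture. The capture it parses is constructed from the four lines above plus an invented healthy NS/NA exchange for the first address; the tshark summary layout it assumes is the one shown on the page.

```python
import ipaddress
import re

# Configured addresses from the rc.conf excerpt above: the CARP address and its alias.
CONFIGURED = ["2001:1610:4::102", "2001:1610:4::113"]

# Constructed capture: the four Neighbor Solicitations shown above, plus a constructed
# NS/NA pair for the first address to show what a healthy exchange looks like.
CAPTURE = """\
0.000000 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
0.999052 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
1.999103 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
3.000220 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:113 ICMPv6 86 Neighbor Solicitation
4.100000 fe80::223:4ff:fe17:f840 -> ff02::1:ff00:102 ICMPv6 86 Neighbor Solicitation
4.100900 fe80::1 -> fe80::223:4ff:fe17:f840 ICMPv6 78 Neighbor Advertisement 2001:1610:4::102 (sol, ovr)
""".splitlines()

# "<time> <src> -> <dst> ICMPv6 <len> <info>" as printed by tshark's summary view.
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+->\s+(\S+)\s+ICMPv6\s+\d+\s+(.+?)\s*$")

def solicited_node(addr):
    """Solicited-node multicast group for addr (RFC 4291 s2.7.1): ff02::1:ffXX:XXXX with
    the low-order 24 bits of addr. A node that has not joined this group never receives
    the Neighbor Solicitation for that address, which is the symptom of the CARP bug."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))

def unanswered_addresses(capture_lines, configured, min_solicitations=3):
    """Configured addresses whose solicited-node group gets at least min_solicitations
    Neighbor Solicitations while no Neighbor Advertisement naming the address appears."""
    group_to_addr = {solicited_node(a): a for a in configured}
    ns_count = {a: 0 for a in configured}
    answered = set()
    for line in capture_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dst, info = m.group(3), m.group(4)
        if info.startswith("Neighbor Solicitation") and dst in group_to_addr:
            ns_count[group_to_addr[dst]] += 1
        elif info.startswith("Neighbor Advertisement"):
            # The NA source is usually link-local; the target address is in the info column.
            answered.update(a for a in configured if a in info.split())
    return sorted(a for a, n in ns_count.items()
                  if n >= min_solicitations and a not in answered)
```

Run against a live `tshark -i carp0 icmpv6` summary, the same check tells you which configured addresses the host is silently not answering for before you patch the kernel.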
To fix this bug, Paul Herman proposes a patch to apply to the FreeBSD sources:
```
# cd /usr/src
# zcat /path/to/carp_ip6_alias.patch.gz | patch
```
--- sys/netinet6/in6.c.orig 2011-08-19 07:08:30.000000000 +0000 +++ sys/netinet6/in6.c 2011-08-19 07:09:53.000000000 +0000 @@ -1743,7 +1743,7 @@ ia->ia_addr = *sin6; - if (ifacount <= 1 && ifp->if_ioctl) { + if ((ifacount <= 1 || ifp->if_type == IFT_CARP) && ifp->if_ioctl) { error = (*ifp->if_ioctl)(ifp, SIOCSIFADDR, (caddr_t)ia); if (error) { splx(s); --- sys/netinet/ip_carp.c.orig 2011-08-19 07:52:56.000000000 +0000 +++ sys/netinet/ip_carp.c 2011-08-19 07:15:03.000000000 +0000 @@ -1670,9 +1670,11 @@ struct carp_if *cif; struct in6_ifaddr *ia, *ia_if; struct ip6_moptions *im6o = &sc->sc_im6o; + struct in6_multi *in6m; struct in6_addr in6; int own, error; + error = 0; if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { @@ -1729,8 +1731,6 @@ } if (!sc->sc_naddrs6) { - struct in6_multi *in6m; - im6o->im6o_multicast_ifp = ifp; /* join CARP multicast address */ @@ -1745,24 +1745,24 @@ goto cleanup; im6o->im6o_membership[0] = in6m; im6o->im6o_num_memberships++; - - /* join solicited multicast address */ - bzero(&in6, sizeof(in6)); - in6.s6_addr16[0] = htons(0xff02); - in6.s6_addr32[1] = 0; - in6.s6_addr32[2] = htonl(1); - in6.s6_addr32[3] = sin6->sin6_addr.s6_addr32[3]; - in6.s6_addr8[12] = 0xff; - if (in6_setscope(&in6, ifp, NULL) != 0) - goto cleanup; - in6m = NULL; - error = in6_mc_join(ifp, &in6, NULL, &in6m, 0); - if (error) - goto cleanup; - im6o->im6o_membership[1] = in6m; - im6o->im6o_num_memberships++; } + /* join solicited multicast address */ + bzero(&in6, sizeof(in6)); + in6.s6_addr16[0] = htons(0xff02); + in6.s6_addr32[1] = 0; + in6.s6_addr32[2] = htonl(1); + in6.s6_addr32[3] = sin6->sin6_addr.s6_addr32[3]; + in6.s6_addr8[12] = 0xff; + if (in6_setscope(&in6, ifp, NULL) != 0) + goto cleanup; + in6m = NULL; + error = in6_mc_join(ifp, &in6, NULL, &in6m, 0); + if (error) + goto cleanup; + im6o->im6o_membership[1] = in6m; + im6o->im6o_num_memberships++; + if (!ifp->if_carp) { cif = malloc(sizeof(*cif), M_CARP, M_WAITOK|M_ZERO);
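Review bot: the new `ifp->if_type == IFT_CARP` exemption in the in6.c hunk is undocumented: it makes in6.c forward SIOCSIFADDR to the driver for every address on a CARP interface instead of only the first, which is the point of the fix, but nothing in the hunk says why CARP alone needs that. A one-line comment above the condition (that CARP must join the solicited-node group for each address, so the driver must be told about each one) would stop a later reader from reverting it as redundant.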
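Review bot: the added `error = 0;` in the ip_carp.c @@ -1670 hunk is placed before the IN6_IS_ADDR_UNSPECIFIED check, and with the solicited-node join now unconditional the join always assigns `error` later, so the initialisation only matters for early-exit paths in the part of the function not shown; say so in a comment, otherwise it looks like a dead store and will be removed.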
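Review bot: in the relocated join block of the ip_carp.c @@ -1745 hunk, `im6o->im6o_membership[1] = in6m;` and `im6o->im6o_num_memberships++;` now run for every address added, but the slot index is still the constant 1: the second alias overwrites the in6_multi pointer of the first alias's solicited-node group, so that membership can no longer be left on cleanup, while im6o_num_memberships keeps growing past the slots actually populated. Index by the current count with a bounds check against the array's capacity, or keep the per-address in6_multi with the address rather than in the shared ip6_moptions.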
Once the host kernel is patched, the external ping test succeeds.
Patch: [Download not found]
```
burns ~ # more /etc/conf.d/net
config_eth0="10.0.0.13 netmask 255.0.0.0 brd 10.255.255.255
fdfe:cd5e:234c:8277::4/64"
routes_eth0="default gw 10.0.0.1
default via fdfe:cd5e:234c:8277::1"
```
```
root@skinner:~# more /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.0.0.11
    netmask 255.0.0.0
    network 10.0.0.0
    broadcast 10.255.255.255
    gateway 10.0.0.1
    up ip -6 addr add fdfe:cd5e:234c:8277::8/64 dev eth0
    up ip -6 route add default via fdfe:cd5e:234c:8277::1
    down ip -6 addr del fdfe:cd5e:234c:8277::8/64 dev eth0
    down ip -6 route del default via fdfe:cd5e:234c:8277::1
```