January 19th, 2004
A lot of people have asked about IPv6 in Debian. There have been some instructions floating around, but all of them I’ve seen are overly complex. Here’s how to set up your own 6to4 tunnel in about 5 minutes (assuming your kernel is IPV6-ready), without the need of freenet6 or any other tunnel broker. You need only a real IP address (static is best) and a basic understanding of IPv6 to proceed. This article will configure your host or your router.
These instructions set you up with 6to4, which requires no outside tunnel broker. However, there are not many 6to4 routers out there. If you are connecting to other non-6to4 sites, chances are god that performance will not be good. This is not a flaw in IPv6 itself. I suggest setting up 6to4 first, since it is fairly easy; once you have it working, then move on to others if you like.
First, you need to obtain an IPV6-ready kernel. I strongly recommend 2.6.1 or above if possible. Check the IPv6 kernel system check page to make sure your kernel is IPV6-ready, and for info on compiling a new kernel if not. In addition to basic IPv6, I also recommend that you compile in IPv6 netfilter support.
Next, you need to add a tunnel to your /etc/network/interfaces file. First, you will need to know your public IP address in IPv4. It will look something like 10.20.30.40. Next, you need to get that in IPv6 notation. Here’s a quick shell script to do that:
printf “2002:%x%02x:%x%02x::\n” `echo $1 | sed ‘s/\./ /g’`
Just run that with your IP address as an argument. In this example, for 10.20.30.40, the result is 2002:a14:1e28::. This is your prefix. All your IP addresses will begin with that. Please see the link above for more on IPv6 addressing if you don’t understand the “::” part of this.
Now, you have all the information to create your own IPv6 tunnel. Edit /etc/network/interfaces and add these lines:
iface sit1 inet6 v4tunnel
up ip -6 route add 2000::/3 via ::220.127.116.11 dev sit1
down ip -6 route flush dev sit1
The address line contains the IPv6 address you calculated above, followed by a “2”. The local line contains your local IP address. Now bring up the link with ifup sit1. You should now be able to run ping6 www.ipv6.org and get results back. If you don’t have ping6 on your system, install the iputils-ping package. If this works, add sit1 to the auto line in /etc/network/interfaces.
The /etc/network/ipv6rules.sh is a little script that closes off some ports to your system. If you don’t want to use it, delete that “up” line. Here’s one version that I recommend:
ip6tables -I INPUT -i sit+ -p tcp –syn -j DROP
ip6tables -I FORWARD -i sit+ -p tcp –syn -j DROP
ip6tables -I INPUT -i sit+ -p udp \! –dport 32768:60999 -j DROP
ip6tables -I FORWARD -i sit+ -p udp \! –dport 32768:60999 -j DROP
ip6tables -I INPUT -i sit+ -p tcp –dport 22 -j ACCEPT
ip6tables -I FORWARD -i sit+ -p tcp –dport 22 -j ACCEPT
# Uncomment the following lines if this is a router
#echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
#echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
#echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
#echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
#echo 0 > /proc/sys/net/ipv6/conf/all/router_solicitations
This script will close off incoming TCP connections, and UDP connections to low UDP ports, except for TCP to port 22 (ssh).
If you are setting up a host, you’re done. If this is a router, read on…
If you’re setting up a router, there are a couple more quick steps. First, you need to configure your ethernet interface for ipv6. Insert a clause like this in /etc/network/interfaces:
iface eth0 inet6 static
Of course, replace the first first part of “address” with your real IPv6 address. (Note the added “:1::1″ after the address.) Now run ifdown eth0; ifup eth0 to make the changes take effect.
Next, apt-get install radvd and edit /etc/radvd.conf. It should end up looking like this:
Mind the semicolons (and lack thereof); radvd is picky. Now /etc/init.d/radvd restart and use ps to make sure it’s running. radvd is similar to dhcp for IPv6, but a lot easier.
At this point, your IPv6 network is ready. All clients on your network that are IPv6 capable should automatically assign themselves an IPv6 address and be ready to go. For Debian clients, all you need is IPv6 support in your kernel; you do not need to do anything on them at all.
- Added a note about performance (1/19/2003 7PM). Suggested by Jeroen Massar.
- Adjusted netmasks and router subnet (1/20). Suggested by Jeroen Massar.
- Added ttl 64 (1/20). Adapted from a suggested from Thomas Habets.
- Corrected sit0 to read sit1