Jan 02 2013
 

For those who are using IPv6, you will likely also want to set up ip6tables rules similar to those used for IPv4 traffic. There are some slight differences between the two, and this post is meant to point out just a couple.

I have a very basic iptables template that looks like the following.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow incoming ssh connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Here is the equivalent ip6tables template.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow incoming ssh connections
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Here you can see that the icmp protocol is now referred to as ipv6-icmp. Also, --reject-with has no icmp-host-prohibited type in ip6tables. The equivalent type for IPv6 is icmp6-adm-prohibited. These are the only two I have encountered (so far). Please feel free to leave a list of more in the comments and I will update the post.
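The two renames described above, applied mechanically to an existing IPv4 ruleset. This is an added example, not code from the original post; the function names and the sample rules are made up for illustration. It also lists rules that cannot be carried over by renaming alone.

```shell
#!/bin/sh
# Added example. v4_to_v6_rules, v4_only_rules and sample_v4_rules are
# illustrative names, not part of iptables.

# Rewrite an iptables-restore ruleset (stdin) for ip6tables-restore (stdout).
# Only rule lines (-A/-I) are touched; table headers, chain policies,
# comments and COMMIT pass through unchanged.
v4_to_v6_rules() {
    sed -E \
        -e '/^-[AI] /!b' \
        -e 's/ (-p|--protocol) icmp( |$)/ \1 ipv6-icmp\2/g' \
        -e 's/(--reject-with) icmp-host-prohibited/\1 icmp6-adm-prohibited/g'
}

# List (with line numbers) rules that need a hand-written IPv6 counterpart:
# IPv4 address literals, and --icmp-type, which ip6tables spells
# --icmpv6-type and which uses different type names.
# Exit status is grep's: 0 if anything was flagged, 1 if nothing was.
v4_only_rules() {
    grep -nE '^-[AI] .*(([0-9]{1,3}\.){3}[0-9]{1,3}|--icmp-type)'
}

# Constructed sample input (192.0.2.10 is from a documentation range).
sample_v4_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# admin workstation (constructed address)
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo: print the translated ruleset, then the rules to rewrite by hand.
sample_v4_rules | v4_to_v6_rules
echo "--- rewrite by hand before loading:"
sample_v4_rules | v4_only_rules || true
```

Before loading a translated file, parse it with ip6tables-restore --test, which checks the ruleset without committing it.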

 Posted by at 20:45
Feb 03 2011
 

I recently set up a VPS with Arp Networks. By default they set you up with your own IPv6 block. All you need to do is configure it to meet your needs. I reinstalled the VPS with Ubuntu Lucid (which is not one of their default OSes), so I needed to reconfigure my interface to use one of my assigned v6 addresses. The process is extremely easy. Here is the relevant section of my /etc/network/interfaces file:

iface eth0 inet6 static
        address 2607:f2f8:a230::2
        gateway 2607:f2f8:a230::1
        netmask 64

After restarting networking, I was able to reach the machine via IPv6. You can verify the results of this by testing soljerome.com at http://ipv6-test.com/validate.php. Now that I’m IPv6 ready, I just wish that Comcast would finish their dual-stack rollout so I can use it natively from home. Seeing as how the IANA just allocated the final five /8 blocks of IPv4 address space, I’m hoping that the rollout happens sooner rather than later.

 Posted by at 10:22