
IPv6 help please


Myatu
09-02-2011, 19:47
Quote Originally Posted by sircolin
It would help if you could advise on which IPv6 address I would need to add to the shorewall6/rules file, to SSH to the host via IPv6. This would serve as an example and give me something to test the firewall with (would this be the address in the OVH manager? If so, I need to change something).
In /etc/shorewall6/rules you can define something like this:

Code:
### SSH only to the listed IPv6 address
SSH/ACCEPT    net    fw:<2001:41d0:1:abcd::1>
###
The IPv6 address above serves as an example; it shows how to limit SSH to only one IPv6 address assigned to your host/main server. That of course means that this IP address should be configured in the host/main server's network settings.

If you don't wish to have this limitation -- that is, SSH is acceptable on any of the IPv6 addresses configured on your host/main server -- simply reduce the rule to:

Code:
SSH/ACCEPT    net     fw

sircolin
09-02-2011, 08:40
Thanks. I've been up all night working on this; I was trying to adapt my 3-zone Shorewall setup, but have spent most of the night reading the Shorewall and IPv6 man pages. I think I have a working setup, kind of; need to test it. More or less followed all your blogs + posts.

It would help if you could advise on which IPv6 address I would need to add to the shorewall6/rules file, to SSH to the host via IPv6. This would serve as an example and give me something to test the firewall with (would this be the address in the OVH manager? If so, I need to change something).

I'm a little confused, since I thought it should work with my current setup. I have of course added an IP in the OVH manager and to my name servers, but it still fails. I'll keep reading and checking for now.

Col

Myatu
08-02-2011, 22:11
Quote Originally Posted by sircolin
Any idea about putting this into /etc/shorewall6/interfaces?
Code:
net     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians
For IPv6, tcpflags is possible (as that is TCP-specific, as opposed to IPvX-specific).

But the other 3 - routefilter, nosmurfs and logmartians - are NAT-specific (which IPv6 doesn't have; "128 bits ought to be enough").

sircolin
08-02-2011, 13:19
@ Myatu

What a great post once again, bleeding edge as normal.

Any idea about putting this into /etc/shorewall6/interfaces?

Code:
net     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians
Col

Myatu
30-06-2010, 19:49
I have it detailed on my blog: here and here.

Although those Shorewall blog entries are still valid, with the introduction of the virtual MACs you can simplify it a bit. I think that after reading this, it'll take about 30 mins to get it fully operational, ready for your customizations.

But I'll (try to) give a brief outline here. Some things to note:

  • When I mention "Host" I'm referring to the main dedicated server on which Proxmox is running.
  • I'm making an assumption that you're using a recent install from OVH, which has one "vmbr0" bridge, linked with "eth0".
  • When I use "..." in files / configurations, I refer to "existing data" that remains unmodified.


1) Change APT's behaviour on the host:

Because Shorewall6, the IPv6 version, isn't available in Debian's "Stable" repository, add the "Unstable" branch but give priority to what's in the "Stable" branch (rather than APT assuming that a higher version number = better):

Code:
echo deb http://ftp.fr.debian.org/debian sid main >> /etc/apt/sources.list
Edit/Create /etc/apt/preferences:
Code:
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=unstable
Pin-Priority: 600
2) Shorewall for IPv4:

Install it:

Code:
apt-get install shorewall/unstable
Configure it:

*Note: See directory /usr/share/shorewall/ for macros

To enable IPv6 (yes, from the IPv4 version) and blacklisting on existing connections:

Edit /etc/shorewall/shorewall.conf:

Code:
...
DISABLE_IPV6=No
...
BLACKLISTNEWONLY=No
...
*Note: Also make sure that TC_ENABLED is the same in both /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf

The following will probably not be needed at this point, but will save you a headache later on:

Edit /etc/shorewall/init:

Code:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Define the interfaces on this system (this will depend on your configuration. Again, I'm assuming a basic OVH Proxmox 1.4/1.5 install):

Create /etc/shorewall/interfaces:

Code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     vmbr0           detect          routeback,bridge
Define "Zones":

Create /etc/shorewall/zones:

Code:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall

# NET (Untrusted) Zone
net     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Set a default firewall policy (which can be overridden with rules). In this case, outside traffic (from the "net" zone - or vmbr0) is dropped (into a black hole - so no responses are sent). The last policy is a safeguard, in case you forgot to configure something.

Create /etc/shorewall/policy:

Code:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK

# From Firewall:
fw              fw      ACCEPT
fw              net    ACCEPT

# From NET (Untrusted) Zone
net             fw      DROP            info
net             net     DROP            info

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info

#LAST LINE -- DO NOT REMOVE
Now we override the policy with some rules that we must have, most importantly SSH (shell) access - we don't want to lock ourselves out! We're also allowing ourselves to be ping-able from anywhere, which is always helpful.

Create /etc/shorewall/rules:

Code:
#ACTION         SOURCE  DEST                    PROTO   DEST            SOURCE          ORIGINAL        RATE            USER/    MARK    CONNLIMIT       TIME
#                                                       PORT            PORT(S)         DEST            LIMIT            GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

### Proxmox
SSH/ACCEPT              net     fw            -       -               -               -               6/min:5
ACCEPT                  net     fw                      tcp     443,5900:5910
###

### PING Rules
Ping/ACCEPT             all     all
###

### Drop NewNotSyn packets
dropNotSyn              net     all                     tcp
###

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
That's your configuration for IPv4. What you do now is issue the following command:

Code:
shorewall restart
*Note: Do NOT use something like /etc/init.d/shorewall restart.

Now check if Shorewall has given any error messages (it'll stop at the point the error occurred) and fix it accordingly.

If it started without any issues, start a NEW SSH connection to double check you haven't locked yourself out (the existing one will remain open). If you did, remember to add the SSH/ACCEPT rule.

If everything works as expected and you want to keep these firewall settings upon reboot:

Edit /etc/default/shorewall:

Code:
...
startup=1
3) Shorewall for IPv6:

*Note: Consider the IPv4 and IPv6 firewalls to be two completely separate ones - in other words, whatever the IPv6 firewall won't catch is NOT picked up by the IPv4 one and vice versa! This is very important to remember, or else you might leave "holes".

Install it:

Code:
apt-get install shorewall6/unstable
Configure it:

First we start by defining the interfaces. Create /etc/shorewall6/interfaces:

Code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     vmbr0           detect          routeback,bridge
And the zones by creating /etc/shorewall6/zones:

Code:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv6
Set the default policies by creating /etc/shorewall6/policy:

Code:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK

# From Firewall:
fw              fw      ACCEPT
fw              net     ACCEPT

# NET (Untrusted) Zone
net             fw      DROP            info
net             net     DROP            info

# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
#LAST LINE -- DO NOT REMOVE
Give it some rules to override our default policy, by creating /etc/shorewall6/rules:

Code:
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK  CONNLIMIT        TIME
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

### SSH only to the listed IPv6 address
SSH/ACCEPT              net             fw:<2001:41d0:1:abcd::1>
###

### PING Rules
Ping/ACCEPT             all             all
###

### Drop NewNotSyn
dropNotSyn              net             all             tcp
###
I've added the SSH/ACCEPT as an example, to show you how you can specify a particular IPv6 address. You can omit this or change it accordingly.

To (re)start the IPv6 firewall, use:

Code:
shorewall6 restart
*Note: As with the IPv4 version, do NOT use the /etc/init.d/shorewall6 script.

Once satisfied and you want it to load at boot time, edit /etc/default/shorewall6:

Code:
...
startup=1
4) Additional info:

For both the shorewall and shorewall6 commands, you can use "start", "stop", "restart" and various others (use "shorewall -h" for more details).

If you add a failover IPv4/IPv6 directly to a VM, make sure the firewall actually blocks traffic to/from it as per its policy -- don't assume that shorewall will. The "net net DROP info" policy should take care of this though. You definitely want to read Shorewall's docs for more info on setting up per-IP firewall rules.

I'll post a blog one of these days about the more "expanded" setup I'm using with different zones, which can also be used with a server as a dedicated firewall (something zydron asked about).
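
A pre-restart sanity check for the configuration described in this post and for the address-restricted SSH rule from the later reply, written as an added example; it is not Shorewall's own tooling and not code from the thread. It reads the zones, policy and rules texts, flags any zone referenced in rules or policy but never defined in zones, confirms that a rule still admits SSH from net into fw before you issue `shorewall restart` (the lockout guard), verifies that the catch-all REJECT policy is last, and compares TC_ENABLED across shorewall.conf and shorewall6.conf. The file contents embedded below are constructed copies modelled on the fragments in the post; the `red` zone in the IPv6 sample and the TC_ENABLED values are deliberately constructed mistakes, so the script has something to report.

```python
"""Pre-restart sanity checks for a Shorewall (IPv4) / Shorewall6 (IPv6) configuration.

Added example: not Shorewall's own tooling and not code from the thread. The config
texts below are constructed copies modelled on the fragments in the post, so the
checks run offline; read your real /etc/shorewall*/ files into the same functions
to use it on a host.
"""
import re

# --- constructed sample files (modelled on the thread's /etc/shorewall* fragments) ---
ZONES4 = "fw   firewall\nnet  ipv4\n"
POLICY4 = """# From Firewall:
fw    fw    ACCEPT
fw    net   ACCEPT
# From NET (Untrusted) Zone
net   fw    DROP     info
net   net   DROP     info
all   all   REJECT   info
"""
RULES4 = """SECTION NEW
SSH/ACCEPT    net   fw    -     -   -   -   6/min:5
ACCEPT        net   fw    tcp   443,5900:5910
Ping/ACCEPT   all   all
dropNotSyn    net   all   tcp
"""
ZONES6 = "fw   firewall\nnet  ipv6\n"
POLICY6 = POLICY4
# "red" is deliberately never defined in ZONES6, to show what the zone check reports.
RULES6 = """SECTION NEW
SSH/ACCEPT    net   fw:<2001:41d0:1:abcd::1>
Ping/ACCEPT   all   all
dropNotSyn    red   all   tcp
"""
# shorewall.conf / shorewall6.conf excerpts with a constructed TC_ENABLED mismatch.
CONF4 = "DISABLE_IPV6=No\nBLACKLISTNEWONLY=No\nTC_ENABLED=Internal\n"
CONF6 = "TC_ENABLED=No\n"

# Names Shorewall accepts in zone columns without an entry in the zones file.
SPECIAL_ZONES = {"all", "any", "none", "$FW"}


def entries(text):
    """Fields of each non-empty, non-comment line (a '#' starts a comment)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_name(field):
    """'fw:<2001:41d0:1:abcd::1>' or 'net:192.0.2.1' -> the bare zone name."""
    return field.split(":", 1)[0]


def undefined_zones(zones_text, policy_text, rules_text):
    """Zones used in SOURCE/DEST columns of policy or rules but absent from zones."""
    defined = {f[0] for f in entries(zones_text)}
    used = set()
    for f in entries(policy_text):              # policy: SOURCE DEST POLICY ...
        used.update(zone_name(x) for x in f[:2])
    for f in entries(rules_text):               # rules: ACTION SOURCE DEST ...
        if f[0].upper() != "SECTION":
            used.update(zone_name(x) for x in f[1:3])
    return sorted(used - defined - SPECIAL_ZONES)


def ssh_allowed(rules_text):
    """True if a rule admits SSH from 'net' into the firewall zone (the lockout guard)."""
    for f in entries(rules_text):
        if len(f) < 3 or f[1] != "net" or zone_name(f[2]) not in ("fw", "$FW"):
            continue
        if f[0].upper() in ("SSH/ACCEPT", "SSH(ACCEPT)"):
            return True
        # Plain ACCEPT with proto tcp and port 22 listed in the DEST PORT column
        if f[0].upper() == "ACCEPT" and len(f) >= 5 and f[3] == "tcp" and "22" in f[4].split(","):
            return True
    return False


def catchall_policy_last(policy_text):
    """The 'all all REJECT|DROP' safeguard must be the last policy line."""
    rows = list(entries(policy_text))
    return bool(rows) and rows[-1][:2] == ["all", "all"] and rows[-1][2] in ("REJECT", "DROP")


def conf_value(conf_text, key):
    """Value of KEY=value in a shorewall.conf-style file, or None if unset."""
    m = re.search(r"^\s*" + re.escape(key) + r"=(\S*)", conf_text, re.M)
    return m.group(1).strip('"') if m else None


def tc_enabled_matches(conf4_text, conf6_text):
    """The post requires TC_ENABLED to agree between shorewall.conf and shorewall6.conf."""
    return conf_value(conf4_text, "TC_ENABLED") == conf_value(conf6_text, "TC_ENABLED")


def check(zones_text, policy_text, rules_text):
    """Problems found for one firewall (IPv4 or IPv6); an empty list means safe to restart."""
    problems = []
    missing = undefined_zones(zones_text, policy_text, rules_text)
    if missing:
        problems.append("zone(s) used but not defined in zones: " + ", ".join(missing))
    if not ssh_allowed(rules_text):
        problems.append("no rule admits SSH from net to fw: a restart would lock you out")
    if not catchall_policy_last(policy_text):
        problems.append("last policy line is not the 'all all REJECT' safeguard")
    return problems


if __name__ == "__main__":
    for name, args in (("shorewall", (ZONES4, POLICY4, RULES4)),
                       ("shorewall6", (ZONES6, POLICY6, RULES6))):
        found = check(*args)
        print(name + ": " + ("OK" if not found else "; ".join(found)))
    if not tc_enabled_matches(CONF4, CONF6):
        print("TC_ENABLED differs between shorewall.conf and shorewall6.conf")
```

On a host you would feed `check()` the contents of /etc/shorewall/{zones,policy,rules} and then the /etc/shorewall6 equivalents, since the post stresses that the two firewalls are independent and a rule present in one says nothing about the other. The real `shorewall check` and `shorewall6 check` commands compile the configuration and report syntax errors; this script only covers the cross-file concerns the post calls out (lockout, undefined zones, TC_ENABLED parity), which a syntax compile does not flag.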

makno
30-06-2010, 18:17
Myatu, do you have a link to an *****proof guide to set up Shorewall? I won't mind going through the usual literature before asking, but I'm absolutely swamped by work and 1 hour a day to dedicate to the server seems to be too little.

makno
21-06-2010, 15:43
I'll give Shorewall a try on the spare IP failover; let's see what happens.

Myatu
20-06-2010, 18:03
I've been using Vyatta for a while, but have dumped it as of 2 days ago because of the numerous bugs it has and the ARP issues (and some very basic bugs too, making me question the security of Vyatta itself if there's such a lack of QA testing).

It's back to Shorewall for IPv6 support on my end - no handy GUI, but still simple to setup and maintain.

For IPv4, I'm still mucking with "Endian" (also based on IPCop/Smoothwall, but it's a pain in the rear end in regards to non-persistent network naming - you add a NIC, it may knock you offline). pfSense is a decent one (no IPv6 - anxious for the 2.0 release) as well as Zeroshell (also no IPv6...). I'm undecided...

So check out Shorewall for IPv6: http://www.shorewall.net - it has proven itself for quite some time

makno
20-06-2010, 10:52
I think the problem lies in IPCop, which doesn't support IPv6 and runs an old kernel without IPv6 support too. I've tried setting up m0n0wall, but it seems it doesn't like the network configuration, as a further test with Smoothwall worked in 10 minutes. Problem is, Smoothwall is the same as IPCop.

Myatu
17-06-2010, 19:45
Firstly, the kernel needs to support IPv6 - both the one using IPCop and the VPS-es. If you're using VZ for virtualisation in Proxmox, you also need to set

Code:
IPV6="yes"
in the file /etc/vz/vz.conf.

Also keep in mind that quite a number of firewalls disable IPv6 by default (even if you were to add rules) - not sure about IPCop, but check if you specifically need to enable IPv6.

You could put a NDP proxy in between, so the route remains discoverable, but manually setting it will work too (See "Routing" section in http://help.ovh.co.uk/Ipv4Ipv6).

And of course, use "ping6" and "tracert6".

makno
17-06-2010, 18:13
Here is the scenario: Proxmox cluster with some virtual machines running.
I have assigned the virtual MACs to the failover IPs without any problem, but more than that, one machine is used as a router for a few smaller machines.
Now the "router" VPS is running IPCop, and all the VPSes connected to it have no problems with IPv4 connectivity, but I can't get IPv6 working on them. I've enabled IPv6 and IPv6 forwarding on the cluster.
If I try to ping6 anything I get a

Code:
connect: Network is unreachable
message. Do I need to set a different gateway?