IPv6 – Page 2

Postfix with IPv6

September 3, 2010 by Igor Drobot Leave a Comment

In this how to I describe the basically configuration and administration of Postfix on Debian Lenny.
Current I’m using Postfix version 2.5.5
This tutorial should working with older and newer versions.

1 2	postconf -d \| grep "mail_version =" \| cut -d" " -f 3 2.5.5

You can find the postfix main configuration file under “/etc/postfix”
Let see what wee need to configure a working Internet Mail-Server

1	postfix ~ # vim /etc/postfix/main.cf

My example configuration:

myhostname = ipv6.postfix.idrobot.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ipv6.postfix.idrobot.net, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtp_bind_address6 = 2a01:4f8:101:265::37
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
bounce_template_file = /etc/postfix/bounce.cf

If you want to relay your mails to another mail-server you can use the relayhost option:
Edit main.cf, and add this line:

1	relayhost = ipv6.mx.idrobot.net

Some administration commands:
Show running config:

1	postconf -n

Show the default postfix config instead of running one:

1	postconf -d

Show message content:

1	postcat -q 7FB942082

Delete all mail in queue:

1	postsuper -d ALL

Schedule immediate delivery:

1	postqueue -i 7FB942082

Flush the queue:

1	postqueue -f

Nokia N900 IPv6 Support

September 3, 2010 by Igor Drobot Leave a Comment

1. Launch the X-Terminal application
2. Type in the command: “sudo gainroot”
3. Type in “apt-get install kernel-power-flasher” to launch the request to install the IPv6-enabled kernel available at Extras-Testing repository
4. Accept ll confirmations
5. After finishing the download, the new kernel will be flashed automatically to your N900 device. Now turn of the device and then turn on the device to reboot.

Now you are able to use ipv6 module

To add very simple ipv6 address install “IPROUTE” to use “ip” command.

1	ip -6 a a 2001:470:1f0b:1514::100/64 dev wlan0

Hurricane-Electric IPv6 certification

August 16, 2010 by Igor Drobot 1 Comment

I think you have heard already of IPv4 address depletion. A new version of Internet addressing (New Internet protocol) system was prepared many years ago. But since everyone was using IPv4 address, the migration has not been implemented in a large scale. If we continue to use IPv4 address as on today, the entire range would be used up in less than one years. (Hurricane-Electric has a very nice counter.) Public IPv4 addresses are mainly used by Internet servers. Other PCs or Servers can use private IPv4 address which are not reachable from Internet. Although many methods like NAT (Network Address Translation) and CIDR (Classless Inter Domain Routing) were implemented to stretch the IPv4 address usage, it seems that it is reaching a level of saturation now.

It is sure that everyone must migrate to IPv6 address within a couple of months/ years. Some Internet registries are not so liberal in assigning free IPv4 address now. If you want to learn about IPv6 and make sure that you have skills to administer IPv6 address and servers, Hurricane Electric free IPv6 certification is a really great way to begin. You can register for this certification at: he.net. I will give you a brief overview of the tests in the following section.

Through this test set you will be able to:

-> Prove that you have IPv6 connectivity
-> Prove that you have a working IPv6 web server
-> Prove that you have a working IPv6 email address
-> Prove that you have working forward IPv6 DNS
-> Prove that you have working reverse IPv6 DNS for your mail server
-> Prove that you have name servers can respond to queries via IPv6
-> Prove your knowledge of IPv6 technologies through quick and easy testing

There are seven levels of certification available. The breakdown of each are given below:

Newb: Read the primer stuff, be able to answer some quick and easy questions.

Explorer: Verify that you can access ipv6.he.net over IPv6

Enthusiast: Verify that you have an IPv6 capable web server that we can connect to and fetch information from. This should be entered as a FQDN and not an IPv6 address, or you will have issues once you start working on the Guru level.

Administrator: Verify that you have a working IPv6 capable MTA by sending you an email only over IPv6.

Professional: Verify that your MTA has working reverse DNS (ex: dig mx $domain +short ; dig AAAA $mx +short ; dig -x $mx AAAA +short)

Guru: Verify that the authoritative NS for your domain have AAAA records, and respond to queries for the domain (ex: step 1 is dig ns $domain ; dig AAAA $ns | step 2 is dig AAAAA $domain @$nsAAAA)

Sage: Check to see if your domain’s authoritative NS have IPv6 glue with their listed TLD servers. Meaning the TLD server can directly answer for the host record (ex: dig +trace ns $domain to get the TLD server list then dig aaaa $ns @TLD +short for the glue).

After each test you will get a new certificate:

IPv6 Commands

August 14, 2010 by Igor Drobot 1 Comment

Some IPv6 commands for daily use

Print the route packets trace to IPv6 network host.

1	traceroute6 ipv6.idrobot.net

Lookup AAAA record.

1	dig AAAA ipv6.idrobot.net

IPv6 DIG PTR reccord.

1	dig -x 2001:470:1f0b:1604::254

Check redirector.name glue records by dig command.
As it is a .name domain first we should check root servers for .net by the following command:

1	dig NS name

You will get 10 root servers:

;; ANSWER SECTION:
name.                   10800   IN      NS      m6.nstld.com.
name.                   10800   IN      NS      d6.nstld.com.
name.                   10800   IN      NS      k6.nstld.com.
name.                   10800   IN      NS      f6.nstld.com.
name.                   10800   IN      NS      h6.nstld.com.
name.                   10800   IN      NS      g6.nstld.com.
name.                   10800   IN      NS      a6.nstld.com.
name.                   10800   IN      NS      j6.nstld.com.
name.                   10800   IN      NS      l6.nstld.com.
name.                   10800   IN      NS      c6.nstld.com.

You can choose any root server for next query , I will take g6.nstld.com

1	dig ns1.redirector.name @g6.nstld.com

As output I get:

;; ADDITIONAL SECTION:
ns1.redirector.name.    10800   IN      A       188.40.116.206
ns1.redirector.name.    10800   IN      AAAA    2001:470:1f0b:1604::3
ns2.redirector.name.    10800   IN      A       188.40.116.216

IPv6 and ip6tables

July 24, 2010 by Igor Drobot 3 Comments

I describe a little bit how to secure your IPv6 server with Netfilter-ip6tables.

Refer to the IANA message types.

My example IPv6 firewall script:

Earlier predefined variables:

1 2	IPT6="/sbin/ip6tables" OUTER="eth0"

# Clean old IPv6 firewall
$IPT6 -F
$IPT6 -X
 
# Clean old iptables v6 tables
for chain in mangle filter
do
    $IPT6 -t $chain -F
    $IPT6 -t $chain -X
done
 
# Set IPv6 default chains
$IPT6 -P INPUT DROP 
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT ACCEPT
 
$IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT
 
$IPT6 -A INPUT -i lo -j ACCEPT
 
# Allow SSH from Hetzner IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow SSH from Home IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow ICMP from Hetzner IPv6-NET
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
 
# Allow ICMP from Home IPv6-NET
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
 
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT     # SMTP  
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT     # DNS via TCP
$IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT     # DNS via UDP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT     # HTTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT    # POP3
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT    # IMAP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT
 
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
 
$IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Example of logging
$IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "

# Clean old IPv6 firewall $IPT6 -F $IPT6 -X # Clean old iptables v6 tables for chain in mangle filter do $IPT6 -t $chain -F $IPT6 -t $chain -X done # Set IPv6 default chains $IPT6 -P INPUT DROP $IPT6 -P FORWARD DROP $IPT6 -P OUTPUT ACCEPT $IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT6 -A INPUT -i lo -j ACCEPT # Allow SSH from Hetzner IPv6-NET $IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT # Allow SSH from Home IPv6-NET $IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT # Allow ICMP from Hetzner IPv6-NET $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT # Allow ICMP from Home IPv6-NET $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT # SMTP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT # DNS via TCP $IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT # DNS via UDP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT # HTTP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT # POP3 $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT # IMAP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Example of logging $IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "