Difference between revisions of "Network (Wheezy)"
Revision as of 15:52, 9 May 2014
The ip(8) commands below are pretty universal to any system that has iproute2 installed; the /etc/network/interfaces file that wraps them is Debian's ifupdown.
A note on IPv6 allocation
You might occasionally run into a host who does not want to assign you your own /64. Whatever their reason for wanting to route only a /120 or /112 to you, they should assign the entire /64; a /56 is preferable.
Simply put, nobody on the rest of the Internet is going to do reputation management on anything smaller than a /64. Tracking individual /128s is not possible: the world does not have the memory or disk space for it and never will. A /64 is the unit everyone assumes, and it makes the programming side of this sort of thing (blocklists, rate limits) significantly easier.
As a host, assigning a /56 to each customer at a given site may seem excessive, but the benefits are immense. A customer is far less able to damage the reputation of other customers, and if you read my IPv6 IPTables script you will see that I treat everyone in a /56 as "possibly the same person". This is because it is 1) quite possibly true and 2) even if it is not, I cannot afford to assume otherwise. Neither can most of the Internet.
As an end-user, you will probably have some questions about what to do even with a /64. There is a great deal of advice on the net; here is what I am doing:
I make sure that every assignment within a /64 is unique across all of my sites. That is, if I merged every site and every machine into a single /64, the only part of any address that would ever have to change is the /64 prefix.
To facilitate this, everything in the same group shares the same first hextet of the host part. My mailing infrastructure has the 3:: prefix, my largest website (with a few supporting sites) has 4::, and 62:: is a catch-all.
So all of my mailservers and mxes look like
- 2001:db8:4032:1111:3::3
- 2001:db8:9315:1111:3::4
- 2001:db8:3a20:1111:3::5
And while my largest website doesn't support IPv6 itself, the mumble chat does, and the info site I'm building does, so they look like
- 2001:db8:4032:1111:4::4
- 2001:db8:9315:1111:4::7
I currently reserve f... prefixes (a first hextet beginning with f) for things that sit outside this scheme, such as the source addresses Unbound uses for its outbound DNS queries.
- 2001:db8:9315:1111:f0c0::2
- 2001:db8:9315:1111:f0c0::3
- 2001:db8:9315:1111:f0c0::4
- 2001:db8:9315:1111:f0c0::5
Anyone who has the slightest hope of ever making this scheme run out of room will be able to get /48s or /32s and expand the subnet range instead.
Obviously, this is just a suggestion. It is what I do and I currently like it.
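The scheme above, checked in code. This is an added example, not a script from the original page: it encodes the rule that the host part (low 64 bits) of every address is unique across all sites, maps the first hextet of the host part to a service group, and applies the /56-as-one-party rule the firewall discussion uses. The host inventory, the group table and the function names are constructed for illustration; 2001:db8::/32 is the documentation range.

```python
"""Validate an IPv6 numbering scheme of the kind described above.

Added example, not code from the original page. Invariant being checked:
the low 64 bits (the host part) of every address are unique across all
sites, so merging every site into a single /64 would only ever require
the /64 prefix to change. The first hextet of the host part names the
service group (3 = mail, 4 = web, 62 = catch-all, f... = outside the
scheme). The inventory below is constructed; 2001:db8::/32 is the
documentation range (RFC 3849).
"""
import ipaddress
from collections import defaultdict

HOST_BITS = 64
HOST_MASK = (1 << HOST_BITS) - 1
GROUPS = {0x3: "mail", 0x4: "web", 0x62: "catch-all"}

# Constructed inventory following the page's scheme: three sites, three groups.
HOSTS = {
    "mx1":      "2001:db8:4032:1111:3::3",
    "mx2":      "2001:db8:9315:1111:3::4",
    "mx3":      "2001:db8:3a20:1111:3::5",
    "mumble":   "2001:db8:4032:1111:4::4",
    "infosite": "2001:db8:9315:1111:4::7",
    "unbound1": "2001:db8:9315:1111:f0c0::2",
}


def split_address(addr):
    """Return (/64 prefix as IPv6Network, host part as an int)."""
    ip = ipaddress.IPv6Address(addr)
    prefix = ipaddress.IPv6Network((ip, 64), strict=False)
    return prefix, int(ip) & HOST_MASK


def address_for(prefix, group, host):
    """Build <prefix>:<group>::<host> for a /64 prefix, e.g. (..., 3, 3) -> ...:3::3."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError(f"scheme expects a /64, got {net}")
    if not 0 <= group <= 0xffff or not 0 <= host <= (1 << 48) - 1:
        raise ValueError("group must fit 16 bits and host 48 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | (group << 48) | host))


def group_of(addr):
    """Service group from the first hextet of the host part; f... is reserved."""
    _, host = split_address(addr)
    top = host >> 48
    if top >= 0xf000:
        return "reserved"
    return GROUPS.get(top, f"unknown({top:x})")


def find_collisions(hosts):
    """Host parts shared by two or more machines, across all /64s.
    Any hit means the sites could not be merged into one /64 without renumbering."""
    seen = defaultdict(list)
    for name, addr in hosts.items():
        _, host = split_address(addr)
        seen[host].append(name)
    return {h: sorted(names) for h, names in seen.items() if len(names) > 1}


def same_tenant(a, b, bits=56):
    """The firewall view from the page: everything inside one /56 is treated as
    possibly the same party, because the rest of the Internet will assume so too."""
    block = ipaddress.IPv6Network((ipaddress.IPv6Address(a), bits), strict=False)
    return ipaddress.IPv6Address(b) in block


if __name__ == "__main__":
    for name, addr in HOSTS.items():
        print(f"{name:9} {addr:32} group={group_of(addr)}")
    print("collisions:", find_collisions(HOSTS) or "none")
```

Run it against your own inventory before handing out a new address: `find_collisions` is the test for the merge invariant, and `same_tenant` is the rule a /56-based firewall applies to your neighbours and, from the outside, to you.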
/etc/network/interfaces
# Friendly local loopback.
auto lo
iface lo inet loopback
# The primary network interface.
# While most hosts are mindful to plug in eth0, I've had one who likes to plug in eth1 instead.
# Also, if you end up with e.g. a motherboard replacement, Linux (udev's persistent-net rules on
# Wheezy key on the MAC address) will treat the new NICs as completely new devices, so the
# names keep climbing. I'm currently up to eth3.
allow-hotplug eth0
# IPv6!
iface eth0 inet6 static
        address 2001:db8:4a:2::2
        netmask 126
        gateway 2001:db8:4a:2::1
        dns-nameservers ::1 8.8.4.4 8.8.8.8
        # IP6Tables firewall script. pre-up runs it before the interface gets an address,
        # so there is no unfiltered window while the rest of this stanza is applied.
        pre-up /root/firewall6.sh
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:62::2/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:62::2/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:3::3/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:3::3/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:4::4/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:4::4/64
        # f130:: -> For Unbound. (f... prefixes sit outside the per-service scheme.)
        # Every 'up ... add' needs a 'down ... del' twin, or ifdown leaves the address behind.
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::1/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::2/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::2/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::3/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::3/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::4/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::4/64
        # As with IPv4, below, you may get routed a subnet. This stanza belongs to eth0, so the
        # device has to be eth0 here too, and because the prefix is routed to you rather than
        # on-link, give the address its full /128 instead of pretending the /64 is on the wire.
        up /bin/ip -6 addr add dev eth0 2001:db8:4:7:f030::4/128
        down /bin/ip -6 addr del dev eth0 2001:db8:4:7:f030::4/128
        # Adding a 'local' route for the entire prefix turns on AnyIP for the whole /64:
        # the kernel will accept traffic to every address in it, whether or not anything is
        # meant to listen there, and your firewall has to cover all of it. Convenient, but it
        # widens the surface you expose. You may want to route addresses individually or in
        # small groups as you need them, instead.
        up /bin/ip -6 route add local 2001:db8:4:7::/64 dev eth0
        down /bin/ip -6 route del local 2001:db8:4:7::/64 dev eth0
# IPv4 configuration. The following assumes a standard /29, which you may not get these days.
iface eth0 inet static
        address 192.0.2.2
        netmask 255.255.255.248
        network 192.0.2.0
        broadcast 192.0.2.7
        gateway 192.0.2.1
        # Since I don't have resolvconf installed, dns-nameservers and dns-search do nothing
        # here (they are resolvconf hooks), but I like to be thorough.
        dns-nameservers ::1 8.8.8.8 8.8.4.4
        dns-search invalid
        # This is my IPTables firewall script. 
        pre-up /root/firewall.sh
        up /bin/ip addr add 192.0.2.3/29 dev eth0 label eth0:0
        down /bin/ip addr del 192.0.2.3/29 dev eth0 label eth0:0
        up /bin/ip addr add 192.0.2.4/29 dev eth0 label eth0:1
        down /bin/ip addr del 192.0.2.4/29 dev eth0 label eth0:1
        up /bin/ip addr add 192.0.2.5/29 dev eth0 label eth0:2
        down /bin/ip addr del 192.0.2.5/29 dev eth0 label eth0:2
        up /bin/ip addr add 192.0.2.6/29 dev eth0 label eth0:3
        down /bin/ip addr del 192.0.2.6/29 dev eth0 label eth0:3
        # Sometimes you'll get a host who instead routes your additional IPs to your main IP.
        # Such an address is not on-link, so assign it as a /32. The label has to start with
        # the device name, so it stays on eth0. The kernel puts the matching entry in its
        # local routing table by itself; a 'via 192.0.2.2' route belongs on the host's router,
        # not on this box.
        up /bin/ip addr add dev eth0 192.0.2.9/32 label eth0:4
        down /bin/ip addr del dev eth0 192.0.2.9/32 label eth0:4
        # If you do need routes of your own (a routed subnet with AnyIP, as in the IPv6 stanza),
        # note that 'post-up' is the same phase as 'up' and 'pre-down' the same as 'down', and
        # hooks within a phase run in file order. Keep route lines after the address lines they
        # depend on; spelling them post-up / pre-down just makes that dependency visible.
# Secondary interface: this links my slave machine with its master.
# Tempted to switch off IPv4 support over it, but don't have the heart quite yet.
allow-hotplug eth1
iface eth1 inet static
        address 192.168.0.2
        netmask 255.255.0.0
iface eth1 inet6 static
        # RFC 4193 ULA: fd00::/8 plus a randomly generated 40-bit global ID, one /64 per link.
        # A bare fc00::/8 as the interface netmask is not a valid assignment (fc00::/8 was set
        # aside for central allocation that never happened). The fd.. prefix below is a
        # placeholder; generate your own.
        address fd00::2
        netmask 64
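The hook lines in a file like the one above are pure repetition, and repetition is where the defects creep in: a copied `up ... addr add` that stays `add` in its `down` twin never removes the address, and ifdown will not complain. As an added example (not a tool from the original page), the script below generates the paired lines from one address list, emits AnyIP `local` routes only for the pieces of a routed prefix you actually want to answer on rather than the whole /64, and audits an existing set of hook lines for asymmetry. The ifupdown phase names (`pre-up`, `up`/`post-up`, `down`/`pre-down`, `post-down`) are real; the device names, addresses and function names are constructed.

```python
"""Generate the paired up/down hook lines of an /etc/network/interfaces
stanza from one address list, and audit existing hook lines for asymmetry.

Added example, not code from the original page. Hand-maintained pairs drift:
an 'up ... addr add' line copied into a 'down ... addr add' line never removes
the address and ifdown will not complain. Generating both from one list keeps
them symmetric. For a prefix routed to the host it emits a 'local' route per
address or small block actually in use, not for the whole /64, so AnyIP is
limited to what you meant to answer on. Devices and addresses are
constructed; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
"""
import ipaddress

IP = "/bin/ip"  # ifupdown hooks get a minimal PATH; the page uses absolute paths
UP_PHASES = {"pre-up", "up", "post-up"}
DOWN_PHASES = {"pre-down", "down", "post-down"}


def _fam(version):
    """iproute2 family flag: '-6 ' for IPv6, nothing for IPv4."""
    return "-6 " if version == 6 else ""


def addr_lines(dev, addrs, labels=False):
    """One up/down pair per secondary address. With labels=True, IPv4 addresses
    get '<dev>:<n>' labels as on the page (a label must begin with the device)."""
    lines = []
    for n, a in enumerate(addrs):
        iface = ipaddress.ip_interface(a)
        label = f" label {dev}:{n}" if labels and iface.version == 4 else ""
        spec = f"{_fam(iface.version)}addr {{}} dev {dev} {iface.with_prefixlen}{label}"
        lines.append(f"up {IP} " + spec.format("add"))
        lines.append(f"down {IP} " + spec.format("del"))
    return lines


def routed_prefix_lines(dev, prefix, pieces):
    """AnyIP for selected parts of a prefix routed to this host: one 'local'
    route per address (/128, /32) or small block, each checked to lie inside
    the prefix. Routes go in after addresses (post-up) and out before (pre-down)."""
    net = ipaddress.ip_network(prefix)
    lines = []
    for p in pieces:
        piece = ipaddress.ip_network(p)
        if piece.version != net.version or not piece.subnet_of(net):
            raise ValueError(f"{piece} is not inside routed prefix {net}")
        spec = f"{_fam(net.version)}route {{}} local {piece} dev {dev}"
        lines.append(f"post-up {IP} " + spec.format("add"))
        lines.append(f"pre-down {IP} " + spec.format("del"))
    return lines


def check_symmetry(lines):
    """Audit hook lines: an up-phase line must 'add', a down-phase line must
    'del', and the operands of the two sets must match one to one.
    Lines without add/del (e.g. 'pre-up /root/firewall.sh') are ignored."""
    problems, ups, downs = [], set(), set()
    for line in lines:
        words = line.split()
        if not words:
            continue
        phase, rest = words[0], words[1:]
        verbs = [w for w in rest if w in ("add", "del")]
        if not verbs:
            continue
        if len(verbs) > 1:
            problems.append(f"ambiguous verb: {line}")
            continue
        key = " ".join(w for w in rest if w not in ("add", "del"))
        if phase in UP_PHASES:
            if verbs[0] != "add":
                problems.append(f"up-phase line does not add: {line}")
            ups.add(key)
        elif phase in DOWN_PHASES:
            if verbs[0] != "del":
                problems.append(f"down-phase line does not del: {line}")
            downs.add(key)
    problems += [f"no matching down line for: {k}" for k in sorted(ups - downs)]
    problems += [f"no matching up line for: {k}" for k in sorted(downs - ups)]
    return problems


def stanza(name, family, method, options, hooks):
    """Render an 'iface' block with options and hooks indented as on the page."""
    body = [f"iface {name} {family} {method}"]
    body += [f"        {k} {v}" for k, v in options]
    body += [f"        {h}" for h in hooks]
    return "\n".join(body)


if __name__ == "__main__":
    hooks = ["pre-up /root/firewall6.sh"]
    hooks += addr_lines("eth0", ["2001:db8:4a:2:62::2/64", "2001:db8:4a:2:3::3/64"])
    hooks += routed_prefix_lines("eth0", "2001:db8:4:7::/64",
                                 ["2001:db8:4:7:f030::4", "2001:db8:4:7:3::/112"])
    print(stanza("eth0", "inet6", "static",
                 [("address", "2001:db8:4a:2::2"), ("netmask", "126"),
                  ("gateway", "2001:db8:4a:2::1")], hooks))
    print("# problems:", check_symmetry(hooks) or "none")
```

`check_symmetry` is the part worth running on a file you already have: feed it the stripped hook lines of a stanza and it reports any `down ... add` that slipped through, and any address or route that is added but never removed.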