Difference between revisions of "Network (Wheezy)"
Line 118: | Line 118: | ||
address fc00::2 | address fc00::2 | ||
netmask 8 | netmask 8 | ||
+ | |||
+ | {{Bottom Wheezy}} |
Latest revision as of 01:04, 10 May 2014
This is pretty universal to any system that has iproute2 installed.
A note on IPv6 allocation
You might occasionally run into a host who does not want to assign you your own /64. While for one reason or another they may want to only route a /120 or /112 to you, they should assign the entire /64. A /56 is preferable.
Simply put, there is no way the rest of the world is going to do reputation management on anything smaller than a /64. It simply is not possible to do - the world does not have the memory or disk space, and never will. /64 is the assumption, and it makes the programming side of this sort of thing significantly easier.
As a host, assigning a /56 to each customer at a given site may seem excessive, but the benefits are immense. A given customer is going to be much less able to damage the reputation of other customers, and if you read my Ipv6 IPTables script, you'll see that I treat everyone on a /56 as "possibly the same person". This is because it is 1) Quite possibly true and 2) even if it isn't, I cannot afford to assume otherwise. Neither can most of the Internet.
As an end-user, you will probably have some questions as to what to do even with a /64. There is a great deal of advice on the net regarding this, here is what I am doing:
I make sure that every assignment within a /64 is unique - that is, if I merge every single site and every single machine into one, the only parts of any IP that will ever need to change is the /64 prefix.
To facilitate this, everything within the same group has the same prefix within the /64. My mailing infrastructure has the 3:: prefix, my largest website (with a few supporting sites) has 4::, and I've given 62:: for a catch-all.
So all of my mailservers and mxes look like
- 2001:db8:4032:1111:3::3
- 2001:db8:9315:1111:3::4
- 2001:db8:3a20:1111:3::5
And while my largest website doesn't support IPv6 itself, the mumble chat does, and the info site I'm building does, so they look like
- 2001:db8:4032:1111:4::4
- 2001:db8:9315:1111:4::7
I currently reserve f... prefixes for stuff that is independent of this scheme, such as outbound dns ports for Unbound.
- 2001:db8:9315:1111:f0c0::2
- 2001:db8:9315:1111:f0c0::3
- 2001:db8:9315:1111:f0c0::4
- 2001:db8:9315:1111:f0c0::5
Anyone who has the slightest hope of ever getting this scheme to conflict is going to be able to get /48s or /32s to expand the subnet range they are using instead.
Obviously, this is just a suggestion. It is what I do and I currently like it.
/etc/network/interfaces
# Friendly local loopback. auto lo iface lo inet loopback
# The primary network interface # While most hosts are mindful to plug in eth0, I've had one who likes to plug in eth1 instead. # Also, if you end up with e.g a motherboard replacement, Linux will treat the new interfaces as completely new devices. # I'm currently up to eth3. allow-hotplug eth0
# IPv6! iface eth0 inet6 static address 2001:db8:4a:2::2 netmask 126 gateway 2001:db8:4a:2::1 dns-nameservers ::1 8.8.4.4 8.8.8.8 # IP6Tables firewall script. pre-up /root/firewall6.sh up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:62::2/64 down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:62::2/64 up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:3::3/64 down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:3::3/64 up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:4::4/64 down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:4::4/64 # f030:: -> For unbound up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64 down /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64 up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::2/64 down /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::2/64 up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::3/64 down /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::3/64 up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::4/64 down /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::4/64 # As with IPv4, below, you may get routed a subnet. up /bin/ip -6 addr add dev eth3 2001:db8:4:7:f030::4/64 down /bin/ip -6 addr add dev eth3 2001:db8:4:7:f030::4/64 # Routing the entire thing is going to turn on AnyIP for the entire # range. This might not be wise - while convenient, it may expose # you to attacks. You may want to route ips individually or in small # groups as you need them, instead. up /bin/ip -6 route add local 2001:db8:4:7::/64 dev eth0 down /bin/ip -6 route del local 2001:db8:4:7::/64 dev eth0
# IPv4 configuration. The following assumes a standard /29, which you may not get these days. iface eth0 inet static address 192.0.2.2 netmask 255.255.255.248 network 192.0.2.0 broadcast 192.0.2.7 gateway 192.0.2.1 # Since I don't have resolveconf installed, this is kind of pointless, # but I like to be thorough. dns-nameservers ::1 8.8.8.8 8.8.4.4 dns-search invalid # This is my IPTables firewall script. pre-up /root/firewall.sh up /bin/ip addr add 192.0.2.3/29 dev eth0 label eth0:0 down /bin/ip addr del 192.0.2.3/29 dev eth0 label eth0:0 up /bin/ip addr add 192.0.2.4/29 dev eth0 label eth0:1 down /bin/ip addr del 192.0.2.4/29 dev eth0 label eth0:1 up /bin/ip addr add 192.0.2.5/29 dev eth0 label eth0:2 down /bin/ip addr del 192.0.2.5/29 dev eth0 label eth0:2 up /bin/ip addr add 192.0.2.6/29 dev eth0 label eth0:3 down /bin/ip addr del 192.0.2.6/29 dev eth0 label eth0:3 # Sometimes you'll get a host who instead routes you your additional IPs through your main IP. # If you have a server with a lot, you don't want to be waiting for routing to come on-line, # so do post-up for the routing bits. up /bin/ip addr add dev eth3 192.0.2.9/32 label eth0:4 down /bin/ip addr del dev eth3 192.0.2.9/32 label eth0:4 post-up /bin/ip route add 192.0.2.9/32 via 192.0.2.2 dev eth0 pre-down /bin/ip route del 192.0.2.9/32 via 192.0.2.2 dev eth0
# Secondary interface, this links my slave machine with its master. # Tempted to switch off IPv4 support over it, but don't have the heart quite yet. allow-hotplug eth1 iface eth1 inet static address 192.168.0.2 netmask 255.255.0.0
iface eth1 inet6 static address fc00::2 netmask 8