Network (Wheezy)

From Hexwiki

This is pretty universal to any system that uses ifupdown for /etc/network/interfaces and has iproute2 (the ip command) installed.

A note on IPv6 allocation

You might occasionally run into a host who does not want to assign you your own /64. For one reason or another they may want to route only a /120 or /112 to you; they should assign the entire /64, and a /56 is preferable.

Simply put, the rest of the world is not going to do reputation management (blocklists, rate limiting, abuse scoring) on anything smaller than a /64. It is not possible: a single /64 holds 2^64 addresses, so the world does not have the memory or disk space to track them individually, and never will. /64 is the assumed unit, and it makes the programming side of this sort of thing significantly easier.

As a host, assigning a /56 to each customer at a given site may seem excessive, but the benefits are immense. A given customer is much less able to damage the reputation of other customers, and if you read my IPv6 iptables script, you'll see that I treat everyone on a /56 as "possibly the same person". This is because it is 1) quite possibly true and 2) even if it isn't, I cannot afford to assume otherwise. Neither can most of the Internet.
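A concrete form of the /64 argument, as an added Python example (this is not the page's own firewall script): failed-login events from a constructed log excerpt are counted per source /128, /64 and /56, so one abuser rotating interface IDs inside a /64 collapses to a single entry, and a neighbouring /64 in the same /56 is caught by the coarser key. The sshd log format, the threshold and all addresses are assumptions made for the example.

```python
"""Count abuse events per source prefix instead of per address (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed log excerpt, not from a real host: one abuser rotating interface IDs
# inside 2001:db8:9315:1111::/64, a neighbouring /64 in the same /56, and an
# unrelated host in a different /48.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx1 sshd[2101]: Failed password for root from 2001:db8:9315:1111:aaaa::1 port 51234 ssh2
Mar  1 10:00:02 mx1 sshd[2103]: Failed password for root from 2001:db8:9315:1111:aaaa::2 port 51235 ssh2
Mar  1 10:00:03 mx1 sshd[2105]: Failed password for admin from 2001:db8:9315:1111:bbbb::9 port 40001 ssh2
Mar  1 10:00:04 mx1 sshd[2107]: Failed password for root from 2001:db8:9315:1112:3::3 port 40002 ssh2
Mar  1 10:00:05 mx1 sshd[2109]: Failed password for root from 2001:db8:4032:1111:3::3 port 40003 ssh2
Mar  1 10:00:06 mx1 sshd[2111]: Accepted publickey for ops from 2001:db8:4032:1111:4::4 port 40004 ssh2
"""

FAILED_RE = re.compile(r"Failed password for \S+ from (\S+) port \d+")


def source_address(line):
    """Source of a failed-login line, or None for anything else (assumed sshd format)."""
    m = FAILED_RE.search(line)
    return m.group(1) if m else None


def aggregate(log_text, plen):
    """Count failed logins per /plen containing the source; plen=128 is per address."""
    counts = Counter()
    for line in log_text.splitlines():
        addr = source_address(line)
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.version != 6:
            continue                      # IPv4 needs its own (per-address) bookkeeping
        counts[str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))] += 1
    return counts


def offenders(log_text, plen, threshold):
    """Prefixes at which the count reaches the threshold; these are what you block."""
    return sorted(p for p, n in aggregate(log_text, plen).items() if n >= threshold)


def is_covered(addr, blocked_prefixes):
    """Would a later packet from addr be caught by the blocks already in place?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in blocked_prefixes)


if __name__ == "__main__":
    for plen in (128, 64, 56):
        print(plen, offenders(SAMPLE_LOG, plen, 3))
```

With a threshold of three, per-address counting never trips on this input at all; keyed by /64 it names the rotating abuser, and keyed by /56 it also sweeps in the neighbouring /64, which is exactly the "possibly the same person" assumption in action.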

As an end-user, you will probably have some questions as to what to do even with a /64. There is a great deal of advice on the net; here is what I am doing:

I make sure that every assignment within a /64 is unique across all of my sites: if every site and every machine were merged into one /64, the only part of any address that would need to change is the /64 prefix.

To facilitate this, everything in the same group shares the same first hextet of the interface identifier within the /64. My mailing infrastructure uses the 3:: prefix, my largest website (with a few supporting sites) uses 4::, and 62:: is a catch-all.

So all of my mail servers and MXes look like

  • 2001:db8:4032:1111:3::3
  • 2001:db8:9315:1111:3::4
  • 2001:db8:3a20:1111:3::5

While my largest website doesn't support IPv6 itself, its Mumble chat does, and the info site I'm building does, so they look like

  • 2001:db8:4032:1111:4::4
  • 2001:db8:9315:1111:4::7

I currently reserve prefixes beginning with f for things that are independent of this scheme, such as the outbound query source addresses for Unbound.

  • 2001:db8:9315:1111:f0c0::2
  • 2001:db8:9315:1111:f0c0::3
  • 2001:db8:9315:1111:f0c0::4
  • 2001:db8:9315:1111:f0c0::5

Anyone with the slightest hope of ever outgrowing this scheme will be able to get a /48 or a /32 and expand the subnet range they use instead.

Obviously, this is just a suggestion. It is what I do and I currently like it.
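The scheme above, written out as code so the invariant can be checked rather than eyeballed. This is an added Python example, not anything from the page; the interface-ID layout it assumes is the one the examples imply (the first 16-bit hextet after the /64 is the group code, the last hextet is the host number, zeros in between), and the inventory it carries is constructed from the addresses listed above.

```python
"""Build and check the group/host IPv6 addressing scheme described above (added example)."""
import ipaddress

IID_MASK = (1 << 64) - 1

# Group codes as used on the page; the layout of the 64-bit interface ID is an
# assumption: <group:16><zero:32><host:16>, which is why addresses print as ...:3::3.
GROUPS = {"mail": 0x3, "web": 0x4, "catchall": 0x62, "unbound": 0xF0C0}


def make_address(site_prefix, group, host):
    """Compose site /64 + group + host, e.g. ("2001:db8:4032:1111::/64", 0x3, 3) -> ...:3::3."""
    net = ipaddress.IPv6Network(site_prefix)
    if net.prefixlen != 64:
        raise ValueError(f"scheme expects a /64 per site, got {site_prefix}")
    if not (0 <= group <= 0xFFFF and 0 <= host <= 0xFFFF):
        raise ValueError("group and host must each fit in one 16-bit hextet")
    iid = (group << 48) | host
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def interface_id(addr):
    """Low 64 bits of an address: the part that must stay unique across all sites."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def site_of(addr):
    """The /64 an address lives in."""
    return str(ipaddress.ip_network(addr + "/64", strict=False))


def renumber(addr, new_site_prefix):
    """Move a host to another site: only the /64 changes, the interface ID is kept."""
    net = ipaddress.IPv6Network(new_site_prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id(addr)))


def collisions(addresses):
    """Interface IDs that appear under more than one /64. Empty list = merge-safe."""
    sites_by_iid = {}
    for a in addresses:
        sites_by_iid.setdefault(interface_id(a), set()).add(site_of(a))
    return sorted(iid for iid, sites in sites_by_iid.items() if len(sites) > 1)


# Constructed inventory mirroring the page's examples.
INVENTORY = [
    "2001:db8:4032:1111:3::3", "2001:db8:9315:1111:3::4", "2001:db8:3a20:1111:3::5",  # mail
    "2001:db8:4032:1111:4::4", "2001:db8:9315:1111:4::7",                              # web
    "2001:db8:9315:1111:f0c0::2", "2001:db8:9315:1111:f0c0::3",                        # unbound
]

if __name__ == "__main__":
    print(make_address("2001:db8:4032:1111::/64", GROUPS["mail"], 3))
    print("collisions:", collisions(INVENTORY))
    print("collisions after a bad assignment:", collisions(INVENTORY + ["2001:db8:3a20:1111:3::3"]))
```

Run collisions() over the full inventory whenever a new address is handed out; a non-empty result means two sites have claimed the same interface ID and could no longer be merged into one /64 by changing prefixes alone.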

/etc/network/interfaces

# Friendly local loopback.
auto lo
iface lo inet loopback
# The primary network interface
# While most hosts are mindful to plug in eth0, I've had one who likes to plug in eth1 instead.
# Also, if you end up with e.g a motherboard replacement, Linux will treat the new interfaces as completely new devices.
# I'm currently up to eth3.
allow-hotplug eth0
# IPv6!
iface eth0 inet6 static
        address 2001:db8:4a:2::2
        netmask 126
        gateway 2001:db8:4a:2::1
        dns-nameservers ::1 8.8.4.4 8.8.8.8
        # IP6Tables firewall script.
        pre-up /root/firewall6.sh
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:62::2/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:62::2/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:3::3/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:3::3/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:4::4/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:4::4/64
        # f130:: -> outbound query source addresses for Unbound
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::1/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::2/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::2/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::3/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::3/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::4/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:f130::4/64
        # As with IPv4, below, you may get routed a subnet. It is routed to you rather than
        # on-link, so add individual addresses from it as /128: a /64 here would also install
        # an on-link route for the whole block on eth0.
        up /bin/ip -6 addr add dev eth0 2001:db8:4:7:f030::4/128
        down /bin/ip -6 addr del dev eth0 2001:db8:4:7:f030::4/128
        # Routing the entire thing as 'local' turns on AnyIP for the whole /64: every
        # address in it becomes local, and any service bound to :: answers on all of
        # them. Convenient, but it widens what is exposed and the firewall then has to
        # reason about the whole block rather than named addresses. You may want to add
        # addresses individually or in small groups as you need them, instead.
        up /bin/ip -6 route add local 2001:db8:4:7::/64 dev eth0
        down /bin/ip -6 route del local 2001:db8:4:7::/64 dev eth0
# IPv4 configuration. The following assumes a standard /29, which you may not get these days.
iface eth0 inet static
        address 192.0.2.2
        netmask 255.255.255.248
        network 192.0.2.0
        broadcast 192.0.2.7
        gateway 192.0.2.1
        # Since I don't have resolvconf installed, this is kind of pointless,
        # but I like to be thorough.
        dns-nameservers ::1 8.8.8.8 8.8.4.4
        dns-search invalid
        # This is my IPTables firewall script. 
        pre-up /root/firewall.sh
        up /bin/ip addr add 192.0.2.3/29 dev eth0 label eth0:0
        down /bin/ip addr del 192.0.2.3/29 dev eth0 label eth0:0
        up /bin/ip addr add 192.0.2.4/29 dev eth0 label eth0:1
        down /bin/ip addr del 192.0.2.4/29 dev eth0 label eth0:1
        up /bin/ip addr add 192.0.2.5/29 dev eth0 label eth0:2
        down /bin/ip addr del 192.0.2.5/29 dev eth0 label eth0:2
        up /bin/ip addr add 192.0.2.6/29 dev eth0 label eth0:3
        down /bin/ip addr del 192.0.2.6/29 dev eth0 label eth0:3
        # Sometimes a host will instead route your additional IPs to you via your main IP.
        # Such an address sits outside the on-link /29, so it goes on as a /32 with no neighbours.
        # If you have a server with a lot of them, you don't want to be waiting for routing to
        # come on-line, so do post-up for the routing bits.
        up /bin/ip addr add dev eth0 192.0.2.9/32 label eth0:4
        down /bin/ip addr del dev eth0 192.0.2.9/32 label eth0:4
        post-up /bin/ip route add 192.0.2.9/32 via 192.0.2.2 dev eth0
        pre-down /bin/ip route del 192.0.2.9/32 via 192.0.2.2 dev eth0
# Secondary interface, this links my slave machine with its master.
# Tempted to switch off IPv4 support over it, but don't have the heart quite yet.
allow-hotplug eth1
iface eth1 inet static
        address 192.168.0.2
        netmask 255.255.0.0
iface eth1 inet6 static
        # netmask 8 would put the whole fc00::/8 ULA block on-link; one /64 per link is the
        # rule. For anything real, generate an fd00::/8 prefix with a random 40-bit global ID
        # as RFC 4193 specifies instead of using fc00:: directly.
        address fc00::2
        netmask 64
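The up/down pairs above are easy to get wrong by hand (a down hook that still says add, a dev that names the wrong interface, a label from another interface, an add with no matching del), so here is an added Python example, not part of the page, of a small linter for this style of /etc/network/interfaces. It parses the iface stanzas and their hooks and reports those four mistakes. The file embedded in it is constructed and deliberately carries them; the linter only understands the `ip [-6] addr add|del` form used on this page and ignores routes and firewall scripts.

```python
"""Lint up/down hook symmetry in an ifupdown /etc/network/interfaces (added example)."""
import shlex

HOOKS = {"pre-up", "up", "post-up", "pre-down", "down", "post-down"}
TOP_LEVEL = {"auto", "allow-hotplug", "allow-auto", "mapping", "source", "source-directory"}

# Constructed sample, not a real host's file. It deliberately carries the mistakes a
# hand-written file is prone to: a 'down' hook that still says 'add', hooks naming a
# different device than their stanza, and a label that belongs to another interface.
SAMPLE = """\
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet6 static
        address 2001:db8:4a:2::2
        netmask 126
        gateway 2001:db8:4a:2::1
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:3::3/64
        down /bin/ip -6 addr del dev eth0 2001:db8:4a:2:3::3/64
        up /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64
        down /bin/ip -6 addr add dev eth0 2001:db8:4a:2:f130::1/64
        up /bin/ip -6 addr add dev eth3 2001:db8:4:7:f030::4/64
        up /bin/ip -6 route add local 2001:db8:4:7::/64 dev eth0
iface eth0 inet static
        address 192.0.2.2
        netmask 255.255.255.248
        up /bin/ip addr add 192.0.2.3/29 dev eth0 label eth0:0
        down /bin/ip addr del 192.0.2.3/29 dev eth0 label eth0:0
        up /bin/ip addr add dev eth3 192.0.2.9/32 label eth1:4
"""


def parse_stanzas(text):
    """Return [(iface, family, [(hook, argv), ...]), ...], one entry per iface stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "iface" and len(words) >= 3:
            current = (words[1], words[2], [])
            stanzas.append(current)
        elif words[0] in TOP_LEVEL:
            current = None          # a new top-level directive ends the stanza
        elif words[0] in HOOKS and current is not None:
            current[2].append((words[0], words[1:]))
    return stanzas


def ip_addr_command(argv):
    """Decode 'ip [-4|-6] addr add|del ADDR dev DEV [label L]' as (verb, addr, dev, label)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "ip":
        return None
    args = [a for a in argv[1:] if a not in ("-4", "-6")]
    if len(args) < 3 or args[0] not in ("addr", "address") or args[1] not in ("add", "del", "delete"):
        return None
    verb = "add" if args[1] == "add" else "del"
    addr = dev = label = None
    rest, i = args[2:], 0
    while i < len(rest):
        if rest[i] == "dev" and i + 1 < len(rest):
            dev, i = rest[i + 1], i + 2
        elif rest[i] == "label" and i + 1 < len(rest):
            label, i = rest[i + 1], i + 2
        else:
            addr = addr if addr is not None else rest[i]   # first bare token is the address
            i += 1
    return verb, addr, dev, label


def lint(text):
    """Return human-readable findings; an empty list means every add has a matching del."""
    findings = []
    for iface, family, hooks in parse_stanzas(text):
        where = f"{iface} {family}"
        ups, downs = [], set()
        for hook, argv in hooks:
            cmd = ip_addr_command(argv)
            if cmd is None:
                continue            # routes, firewall scripts etc. are out of scope here
            verb, addr, dev, label = cmd
            phase = "down" if hook.endswith("down") else "up"
            if phase == "down" and verb == "add":
                findings.append(f"{where}: down hook adds {addr} instead of deleting it")
            if dev not in (None, iface, "$IFACE"):
                findings.append(f"{where}: hook for {addr} targets {dev}, not {iface}")
            if label is not None and not label.startswith(iface + ":"):
                findings.append(f"{where}: label {label} does not belong to {iface}")
            if phase == "up":
                ups.append(addr)
            else:
                downs.add(addr)
        for addr in ups:
            if addr not in downs:
                findings.append(f"{where}: {addr} is added on up but never removed on down")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Point it at the real file (`lint(open("/etc/network/interfaces").read())`) before an ifdown/ifup cycle; a leftover address after ifdown is the usual symptom of the add-instead-of-del mistake, and a dev that differs from the stanza's interface is how a config survives a NIC rename on one box and silently does nothing on the next.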