Theadamsresidence.net is now IPv6 enabled

Posted by Mike on 2012.02.23

Recently theadamsresidence.net underwent maintenance for some pending updates. As part of the process IPv6 was enabled for the host in an IPv6 capable environment. As a result it is now possible to access the site using IPv6.

A few useful things:

Enabling IPv6 on the OS Level

Enabling IPv6 was easy to do with CentOS 5.

The following files were edited:

/etc/sysconfig/network:
* Added:

NETWORKING_IPV6=yes

/etc/sysconfig/ifcfg-eth0:
* Added:

IPV6INIT=yes
IPV6_AUTOCONF=yes

Ensuring Services Listen to IPv6

Since most services automatically bind to IPv6 sockets as well as IPv4 ones (and some, like Apache httpd, bind only to IPv6), almost all services came back listening on IPv6 by default when restarted.

There were only three services that actually needed modification to also bind to IPv6: Dovecot, Sendmail and BIND.

Dovecot

/etc/dovecot.conf:
* Added:

listen=[::]

Sendmail

/etc/mail/sendmail.mc:
* Added:

DAEMON_OPTIONS(`Port=smtp,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl
DAEMON_OPTIONS(`Port=smtps,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl

BIND

/var/named/chroot/etc/named.conf:
* Changed:

options {
        listen-on port 53 { any; };
        // was:
        listen-on-v6 port 53 { ::1; };
        // now:
        listen-on-v6 port 53 { any; };

Useful Tools to Verify IPv6 Binding

There are two commands I like to use to verify that services have bound to an IPv6 socket:

1. lsof

    [root@mail ~]# lsof -i :465
    COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
    sendmail 20751 root    7u  IPv6 395812       TCP [2600:dead:beef::f03c:1234:feed:c011]:smtps (LISTEN)
    sendmail 20751 root    8u  IPv4 395813       TCP *:smtps (LISTEN)

2. netstat

    For TCP based services:

    [root@mail ~]# netstat -tapn | grep mail
    tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      20751/sendmail: acc
    tcp        0      0 192.168.1.53:25           0.0.0.0:*                   LISTEN      20751/sendmail: acc
    tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      20751/sendmail: acc
    tcp        0      0 2600:dead:beef::f03c:1234:feed:465 :::*                        LISTEN      20751/sendmail: acc
    tcp        0      0 2600:dead:beef::f03c:1234:feed:25 :::*                        LISTEN      20751/sendmail: acc

    And for UDP based services:

    [root@mail ~]# netstat -uapn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    udp        0      0 192.168.1.53:53           0.0.0.0:*                               2752/named
    udp        0      0 127.0.0.1:53                0.0.0.0:*                               2752/named

    And further down:

    udp        0      0 :::53                       :::*                                    25092/named
    udp        0      0 ::1:123                     :::*                                    3160/ntpd
    udp        0      0 fe80::f03c:1234:feed:c01:123 :::*                                    3160/ntpd
    udp        0      0 2600:dead:beef::f03c:1234:feed:123 :::*                                    3160/ntpd
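Reading the netstat output by eye works for a handful of services, but the question you actually want answered is twofold: which ports are still IPv4-only (and so need the kind of change made above for Dovecot, Sendmail and BIND), and which sockets sit on the IPv6 wildcard address and are therefore reachable on every autoconfigured global address, so the ip6tables policy must cover them. The script below is an added example, not part of the original post: it parses `netstat -tapn` / `netstat -uapn` style lines (CentOS 5 prints `tcp` for both families; newer netstat prints `tcp6`, which is handled too) from a constructed sample that uses the same documentation-style addresses as the post, and answers both questions. The process names and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post): parse netstat listener output and
# report which ports are reachable over which address family.

# Constructed sample in the layout of `netstat -tapn` / `netstat -uapn`. Addresses
# follow the documentation-style ones in the post; nothing was captured from a live host.
SAMPLE='tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      20751/sendmail: acc
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      20751/sendmail: acc
tcp        0      0 2600:dead:beef::f03c:1234:feed:c011:465 :::*             LISTEN      20751/sendmail: acc
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      4123/dovecot
tcp        0      0 ::1:953                     :::*                        LISTEN      25092/named
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               25092/named
udp        0      0 :::53                       :::*                                    25092/named'

# listeners: read netstat lines on stdin, print "proto family scope port program"
# for every listening socket. A local address with more than one ':' is IPv6.
listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)
      if (proto == "tcp" && $6 != "LISTEN") next   # skip established TCP connections
      local = $4
      n = split(local, part, ":")
      port = part[n]
      host = substr(local, 1, length(local) - length(port) - 1)
      family = (n > 2) ? "IPv6" : "IPv4"
      scope = (host == "0.0.0.0" || host == "::") ? "wildcard" : host
      prog = (proto == "tcp") ? $7 : $6              # UDP lines have no State column
      sub(/^[0-9]+\//, "", prog)                     # drop the PID
      sub(/:$/, "", prog)                            # netstat leaves "sendmail:" for long names
      print proto, family, scope, port, prog
    }' | sort -u
}

# ipv4_only_ports: ports with an IPv4 listener but no IPv6 listener, i.e. the
# services that still need a listen-address change before they answer over IPv6.
ipv4_only_ports() {
  listeners | awk '
    $2 == "IPv4" { v4[$1 ":" $4] = 1 }
    $2 == "IPv6" { v6[$1 ":" $4] = 1 }
    END { for (k in v4) if (!(k in v6)) print k }' | sort
}

# v6_exposed: sockets bound to the IPv6 wildcard address. These answer on every
# global address autoconf hands the host, so the ip6tables policy must cover them.
v6_exposed() {
  listeners | awk '$2 == "IPv6" && $3 == "wildcard" { print $1 ":" $4, $5 }' | sort
}

printf '%s\n' "$SAMPLE" | listeners
echo "IPv4 only:";      printf '%s\n' "$SAMPLE" | ipv4_only_ports
echo "IPv6 wildcard:";  printf '%s\n' "$SAMPLE" | v6_exposed
```

On a real host replace the sample with `{ netstat -tapn; netstat -uapn; } | listeners` (or the equivalent `ss -tulpn` output, whose columns differ). Note that the truncated IPv6 addresses the old netstat prints still parse correctly, because only the count of colons and the trailing port matter here.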

Securing the System with Netfilter

To secure the system I used my IPv4 iptables settings. There were a couple of interesting items there:

  1. There is no NAT filter table.
    In fact this causes an error when using the ip6tables service as it tries to unload the nat ip6table module, which doesn’t exist.
  2. I had to provide an exception for the ICMPv6 protocol.
    The autoconf works beautifully and uses ICMPv6 messages for the router solicitation.
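The two items above are exactly where a copied IPv4 ruleset bites: an IPv6 policy that simply drops everything but the service ports also drops the neighbor discovery and router advertisement messages that autoconf depends on, and the host loses its address the next time the router's advertisement expires. The following is an added example, not the post's own ruleset: a minimal ip6tables policy in `ip6tables-restore` format with no nat table and an explicit ICMPv6 allowance (the types RFC 4890 lists as essential), plus a small check for those two points. The service ports (smtp, smtps, imaps, dns, http, https) are assumed from what the post describes and should be adjusted to the host.

```shell
#!/bin/sh
# Added example (not the post's own ruleset): an ip6tables policy for a host like the
# one described, plus a sanity check for the two IPv6 specifics the post ran into.
# Service ports are an assumption based on the post; adjust them to the real host.

# write_ip6tables_rules FILE: write the policy in ip6tables-restore format.
write_ip6tables_rules() {
  cat > "$1" <<'EOF'
# No *nat table here: the IPv6 netfilter stack on CentOS 5 era kernels has none,
# and the ip6tables init script errors out trying to unload a nat module.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional: error reporting and path MTU discovery (RFC 4890)...
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
# ...and neighbor discovery, which autoconf (router solicitation/advertisement)
# relies on. These are link-local and always sent with hop limit 255, so requiring
# that value drops forged ones that arrive routed from off-link.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# Services exposed over IPv6 (ports assumed from the post: mail, DNS, web).
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,465,993 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# check_ruleset FILE: succeed only if the file is a complete filter-table ruleset,
# declares no IPv6 nat table, and accepts ICMPv6 somewhere in INPUT.
check_ruleset() {
  f=$1
  grep -q '^\*filter$' "$f" && grep -q '^COMMIT$' "$f" || return 1
  grep -q '^\*nat' "$f" && return 1
  grep -q -- '^-A INPUT -p ipv6-icmp .* -j ACCEPT' "$f" || return 1
  return 0
}

out=$(mktemp)
write_ip6tables_rules "$out"
if check_ruleset "$out"; then echo "ruleset OK: $out"; else echo "ruleset rejected: $out"; fi
```

On CentOS 5 the `ip6tables` service loads `/etc/sysconfig/ip6tables`, so writing the file there and running `service ip6tables start` applies it; `ip6tables -L -n -v` afterwards shows the ICMPv6 counters ticking as router advertisements arrive, which is the quickest confirmation that autoconf still works behind the policy.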

Other than that everything seems to be working like a charm. I haven’t had a chance to test it yet, but I think I might have to get another SSL cert.

Beyond that, enjoy the new IPv6 site!

- Mike
