Recently theadamsresidence.net underwent maintenance for some pending updates. As part of the process IPv6 was enabled for the host in an IPv6 capable environment. As a result it is now possible to access the site using IPv6.
A few useful things:
Enabling IPv6 on the OS Level
Enabling IPv6 was easy to do with CentOS 5.
The following files were edited:
/etc/sysconfig/network:
* Added:
NETWORKING_IPV6=yes
/etc/sysconfig/ifcfg-eth0:
* Added:
IPV6INIT=yes
IPV6_AUTOCONF=yes
Ensuring Services Listen to IPv6
Since most services automatically bind to IPv6 sockets as well as IPv4 ones, or in some cases, like Apache httpd, bind only to an IPv6 socket (which on Linux also accepts IPv4 connections by default), almost all services came back on IPv6 when restarted.
There were only three services that actually needed modification to also bind to IPv6: Dovecot, Sendmail and BIND.
Dovecot
/etc/dovecot.conf:
* Added:
listen=[::]
Sendmail
/etc/mail/sendmail.mc:
* Added:
DAEMON_OPTIONS(`Port=smtp,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl
DAEMON_OPTIONS(`Port=smtps,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl
BIND
/var/named/chroot/etc/named.conf:
* Changed (inside the options { ... } block, alongside the existing listen-on port 53 { any; };):
listen-on-v6 port 53 { ::1; };
* To:
listen-on-v6 port 53 { any; };
Useful Tools to Verify IPv6 Binding
There are two commands that I like to use to verify that services have bound to an IPv6 socket:
- lsof
- netstat
[root@mail ~]# lsof -i :465
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
sendmail 20751 root    7u  IPv6 395812       TCP [2600:dead:beef::f03c:1234:feed:c011]:smtps (LISTEN)
sendmail 20751 root    8u  IPv4 395813       TCP *:smtps (LISTEN)
For TCP based services:
[root@mail ~]# netstat -tapn | grep mail
tcp        0      0 0.0.0.0:465                        0.0.0.0:*               LISTEN      20751/sendmail: acc
tcp        0      0 192.168.1.53:25                    0.0.0.0:*               LISTEN      20751/sendmail: acc
tcp        0      0 127.0.0.1:25                       0.0.0.0:*               LISTEN      20751/sendmail: acc
tcp        0      0 2600:dead:beef::f03c:1234:feed:465 :::*                    LISTEN      20751/sendmail: acc
tcp        0      0 2600:dead:beef::f03c:1234:feed:25  :::*                    LISTEN      20751/sendmail: acc
And for UDP based services:
[root@mail ~]# netstat -uapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                      Foreign Address         State       PID/Program name
udp        0      0 192.168.1.53:53                    0.0.0.0:*                           2752/named
udp        0      0 127.0.0.1:53                       0.0.0.0:*                           2752/named
And further down:
udp        0      0 :::53                              :::*                                25092/named
udp        0      0 ::1:123                            :::*                                3160/ntpd
udp        0      0 fe80::f03c:1234:feed:c01:123       :::*                                3160/ntpd
udp        0      0 2600:dead:beef::f03c:1234:feed:123 :::*                                3160/ntpd
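Once everything has been restarted, the netstat listings above can be checked mechanically rather than by eye. The following is an added example, not from the original post: a POSIX sh function that parses netstat output and reports services still listening only on IPv4 (the state Dovecot, Sendmail and BIND were in before the edits above). The sample it runs on is constructed in the style of netstat -tulpn; the dovecot and ntpd lines, PIDs and addresses are made up.

```sh
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (made-up PIDs/addresses);
# sendmail and named listen on both families, dovecot and ntpd on IPv4 only.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      20751/sendmail: acc
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      20751/sendmail: acc
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2901/dovecot
tcp        0      0 :::465                  :::*                    LISTEN      20751/sendmail: acc
tcp        0      0 :::25                   :::*                    LISTEN      20751/sendmail: acc
tcp        0      0 :::22                   :::*                    LISTEN      1880/sshd
udp        0      0 192.168.1.53:53         0.0.0.0:*                           2752/named
udp        0      0 :::53                   :::*                                2752/named
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3160/ntpd'

# v4_only_listeners: reads netstat -tapn / -uapn / -tulpn output on stdin and
# prints "proto/port program" for every listening socket bound to an IPv4
# address whose protocol/port has no IPv6 listener. Sorted for stable output.
v4_only_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)
      # with -a, established TCP sockets are listed too; keep listeners only
      if (proto == "tcp" && $6 != "LISTEN") next
      # the port follows the last colon; an IPv6 local address has more
      # than one colon (":::53", "::1:123", "2600:...:feed:25")
      n = split($4, parts, ":")
      key = proto "/" parts[n]
      # program name sits after "PID/" in the last column ("-" without root)
      prog = "?"
      if (match($0, /[0-9]+\/[A-Za-z0-9_.-]+/)) {
        prog = substr($0, RSTART, RLENGTH); sub(/^[0-9]+\//, "", prog)
      }
      if (n > 2) v6[key] = 1
      else { v4[key] = 1; name[key] = prog }
    }
    END { for (k in v4) if (!(k in v6)) print k, name[k] }
  ' | sort
}

# On the host this would be:  netstat -tulpn | v4_only_listeners
# On the constructed sample it prints:
#   tcp/143 dovecot
#   udp/123 ntpd
printf '%s\n' "$SAMPLE" | v4_only_listeners
```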
Securing the System with Netfilter
To secure the system I used my IPv4 iptables settings. There were a couple of interesting items there:
- There is no NAT filter table.
  - In fact this causes an error when using the ip6tables service, as it tries to unload the nat ip6table module, which doesn't exist.
- I had to provide an exception for the ICMPv6 protocol.
  - The autoconf works beautifully and uses ICMPv6 messages for the router solicitation.
Other than that, everything seems to be working like a charm. I haven't had a chance to test it yet, but I think I might have to get another SSL cert.
Beyond that, enjoy the new IPv6 site!
- Mike