Tuesday, September 06, 2011
Configuring IPv6 BGP Tunnel with Hurricane Electric (tunnelbroker.net)
Prerequisites: * Cisco IOS with IPv6 support * Internet Routable IPv4 address * AS number exclusively assigned to you by your RIR Throughout the guide, following assumptions are made: * Public IP of your Cisco Router is: 9.33.21.35 * Your ASN is: 31337 * Your RIR delegated IPv6 Prefix is: 1337:C0DE::/32 * 1337:C0DE:0A:49::74 an example IPv6 we'll assign to our router 1) Go to http://tunnelbroker.net 2) Register/Login 3) Create BGP Tunnel -> IPV4 Endpoint (Your Side) Enter Public IP Address, example: 9.33.21.35 Prefixes announced: 1337:C0DE::/32 Selection a tunnel endpoint that's closest to you (eg: Fremont, CA, US 64.71.128.83) Click on Create BGP Tunnel On the Main Page, under the tunnel you just created you get following information: IPv6 Tunnel Endpoints Server IPv4 Address: 64.71.128.83 Server IPv6 Address: 2001:1337:28:bad::1/64 Client IPv4 Address: 9.33.21.22 Client IPV6 Address: 2001:1337:28:bad::2/64 BGP Details Prefixes: 1337:C0DE::/32 Your ASN: 31337 Our ASN: 6262 Peer Address: 2001:1337:28:bad::1/64 This is sufficient information to create an IPv6 BGP Tunnel. Hurricane Electric/Tunnel Broker requires Letter of Authorization that you are the sole owner of your AS and the IPv6 Prefix. You will receive instructions through email to submit this authorization letter through email. 4) It's now time to configure the Cisco IOS. Login in to your Cisco IOS and enter the router configuration mode: First thing is to make sure IPv6 support is enabled on your router. To check, enter the command to enable ipv6 on the router router(config)# ipv6 unicast-routing If it gives an error such as: % Invalid input detected at '^' marker. then you may need to upgrade the firmware on the router or find another one that supports Ipv6 We configure the rest of the router according to the information above: interface Tunnel0 description Hurricane Electric IPV6 Tunnel Broker no ip address ipv6 address 2001:1337:28:bad::2/64 ipv6 enable tunnel source 9.33.21.22 tunnel destination 64.71.128.83 tunnel mode ipv6ip ! router bgp 31337 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 2001:1337:28:bad::1 remote-as 6262 neighbor 2001:1337:28:bad::1 update-source Tunnel0 ! address-family ipv6 neighbor 2001:1337:28:bad::1 activate neighbor 2001:1337:28:bad::1 remove-private-as neighbor 2001:1337:28:bad::1 route-map he-ipv6-in in neighbor 2001:1337:28:bad::1 route-map he-ipv6-out out network 1337:C0DE::/32 aggregate-address 1337:C0DE::/32 summary-only redistribute connected metric 1 no synchronization exit-address-family ! ipv6 route ::/0 Tunnel0 ! ipv6 prefix-list ipv6-general-prefix seq 5 deny ::/0 ipv6 prefix-list ipv6-general-prefix seq 10 permit ::/0 le 64 ! ipv6 prefix-list myprivate-prefix seq 5 permit 1337:C0DE::/32 le 64 ! route-map he-ipv6-out permit 10 match ipv6 address prefix-list myprivate-prefix set as-path prepend 31337 31337 31337 ! route-map he-ipv6-in permit 10 match ipv6 address prefix-list ipv6-general-prefix set as-path prepend 6262 6262 6262 ! This should look familiar if you have configured BGP before.
Notice the line "address-family ipv6" is configured from within the "router bgp" prompt.
This basically enables BGP for IPv6 addresses only.
The other lines are responsible for:
1) Setting up the default ipv6 route through the tunnel interface
2) Publishing aggregate routes with our delegated prefix-only to remote peer. The final step is to enable the IPv6 on the external router interface. ! interface GigabitEthernet0/0 ip address 9.33.21.35 255.255.255.0 ipv6 address 1337:C0DE:0A:49::74/64 ipv6 enable ipv6 nd ra suppress ! Notice, I've added the "ip address" line to show the interface with preconfigured IPv4 address we are using as tunnel endpoint. To verify the tunnel is working and the routes are established, use commands below: router# sh bgp ipv6 router# sh ipv6 routes If these commands produce a long list of IPv6 routes then you have successfully configured your Cisco IOS with BGP and IPv6. If you don't see the IPv6 routes, check the configuration for any errors and verify tunnelbroker.net has received your letter of authorization (shows up as "LoA on file" on the website's tunnel details page).
Wednesday, June 08, 2011
Setting up IPv6 Tunnel with Hurricane Electric (Tunnelbroker.net)
Since today's World IPv6 Day, i've taken the opportunity to create a brief how-to on setting up an IPv6 Tunnel with Hurricane Electric's Tunnelbroker service.
1) Go to http://tunnelbroker.net 2) Register/Login 3) Create Regular Tunnel -> IPV4 Endpoint (Your Side) Enter Public IP Address, example: 9.33.21.35 Selection a tunnel endpoint that's closest to you example: Los Angeles, CA, US If you have a firewall allow ICMP packets from source IP: 66.220.2.74 with, # iptables -A INPUT -p icmp -s 66.220.2.74 -j ACCEPT On the Main Page, under the tunnel you just created you get following information: Server IPv4 Address: 74.82.46.6 Server IPv6 Address: 2001:1337:24:3ac::1/64 Client IPv4 Address: 9.33.21.35 Client IPV6 Address: 2001:1337:24:3ac::2/64 Routed /64: 2001:db8:12:413::/64 Configure your firewall to allow traffic from 74.82.46.6 endpoint. # iptables -A INPUT -p ip -s 74.82.46.6 -j ACCEPT This is sufficient information to create an IPv6 Tunnel. Setting up IPv6 Tunnel on Debian/Ubuntu: ---------------------------------------- This below is a Debian/Ubuntu specific guide. It may or maynot work on other Linux flavors. 1) Edit /etc/network/interfaces file (# vim /etc/network/interfaces) ## Add these lines below to setup a tunnel to your endpoint from information gathered above auto mytunnel0 iface mytunnel0 inet6 v4tunnel address 2001:1337:24:3ac::2 netmask 64 endpoint 74.82.46.6 up ip -6 route add default dev mytunnel0 down ip -6 route del default dev mytunnel0 # This is network configuration for your default network interfaces. Leave it the way it is. auto eth0 iface eth0 inet dhcp # Add these lines to assign a static ipv6 address to your network interface from your very own routed /64 subnet. iface eth0 inet6 static address 2001:db8:12:413::1 netmask 64 ############EOF################ That's it. if you want to load it without rebooting the server: # ifup mytunnel0 # ifdown eth0 && ifup eth0 or, reboot # reboot Setting up IPv6 Tunnel on FreeBSD/PC-BSD ----------------------------------------- Using /etc/rc.conf: ============ ## Edit /etc/rc.conf and add these lines according to the tunnel information above: ipv6_enable="YES" ipv6_gateway_enable="YES" ipv6_network_interfaces="lo0 gif0" ipv6_ipv4mapping="YES" gif_interfaces="gif0" gifconfig_gif0="9.33.21.35 74.82.46.6" ipv6_ifconfig_gif0="2001:1337:24:3ac::2 2001:1337:24:3ac::1 prefixlen 128" ipv6_defaultrouter="2001:1337:24:3ac::1" # Assuming your default network interface is re0, add this line to assign an address from /64 subnet allocated to you. ifconfig_fxp0_alias0="inet6 2001:db8:12:413::1 prefixlen 64" Using script: ============ #!/usr/local/bin/bash # Script: /root/ipv6_tunnel.sh ifconfig gif0 create ifconfig gif0 tunnel 9.33.21.35 74.82.46.6 ifconfig gif0 inet6 2001:1337:24:3ac::2 2001:1337:24:3ac::1 prefixlen 128 route -n add -inet6 default 2001:470:1f04:1cf4::1 ifconfig gif0 up ifconfig re0 inet6 2001:db8:12:413::1 prefixlen 64 alias If you are planning to bind your services/applications on both IPv4 and IPv6 sockets, it's necessary to tune in some sysctl values. On GNU/Linux: ------------- # sysctl -w net.ipv6.bindv6only=0 # echo net.ipv6.bindv6only=0 >> /etc/sysctl.conf On FreeBSD/PC-BSD: ------------------ # sysctl -w net.inet6.ip6.v6only=0 # echo net.inet6.ip6.v6only=0 >> /etc/sysctl.conf Testing IPv6 Connectivity: -------------------------- $ ping6 ipv6.google.com
Friday, June 03, 2011
Routers: From a Psychological Standpoint
If I was little and somebody asked what I wanted to be when I grew up, I'd say a Router, not a cheap "Made in China" Huawei Router, but a decent Cisco made Router because routers are amazing creation of humankind and research. They always know best, even if they don't they give their best shot by utilizing routing protocols such as RIP, IGRP, OSPF, BGP, EIGRP. Giving up is merely word in a router's dictionary. They perform undaunted task of finding best possible route for packets that are lost and confused. As long as a datagram lives in the same subnet, router will show them the way for they do not know their destiny. Combined with access-lists they block evil in a blink of an eye. They know best not to forward broadcast packets. In a society full of crime and war, routers prevent collision by splitting collision domains. To a wanderer, router is a gateway of light and hope. Distributed Denial of Service (DDoS) is router's greatest enemy. Nevertheless, a router fights back against such repulsive behaviors with courage and dignity in the form of null routing. Routers and switches go hand in hand in forming a stable network and uninterrupted services. Router is a great teamplayer with other network devices like repeaters, bridges and hubs.
To sum up, routers make information sharing easy and painless as possible and guide otherwise chaotic networks to best possible optimized direction. It is routers that have brought millions of lives together and it is only fair that we continue studying and implementing them to create a bigger, better global network we are so fond of.
Sunday, March 28, 2010
SKS OpenPGP Keyserver Installation and GnuPG Operations
This is a two part guide. First part describe installating keyserver. This is optional as there are plethora of public keyservers out there. It can be useful however to run your own keyserver in an organization or a compnay. The Second part of this guides describes some of the basic gpg operatins such as generating keys and using keyserver to send, search and import them. ++Part 1: sks keyserver installation (Optional)++ ================================================== Install sks from repository # apt-get -y install sks Build and Initialize DB # sks build Modify /etc/sks/sksconf ==File: /etc/sks/sksconf== --------------------------- # Replace IP with binding IP hostname: example.org hkp_address: 192.168.0.100 hkp_port: 11371 Default installation lacks html pages. Download it from rainydayz.org Rainydayz.org or my modified version of the same to /var/lib/sks/www/ , assign appropriate permissions and change the post url. # mkdir /var/lib/sks/www # cd /var/lib/sks/www # wget Rainydayz.org # tar xjvf sks_www.tar.bz2 Modify index.html and replace all instances of "your.site.name" with your site name or IP address. # chown debian-sks:debian-sks * Launch sks in the background # sks db & ++Adding Recon++ With recon, it is possible to distribute keys among keyservers. To enable recon, modify /etc/sks/sksconf and uncomment recon options. ==File: /etc/sks/sksconf== ---------------------------- # Replace IP with binding IP recon_address: 192.168.0.100 recon_port: 11370 ==File: /etc/sks/membership== ----------------------------------------- # Add remote sks recon IP with recon port 172.16.0.20 11370 Ask sks admin of 172.16.0.20 to add your recon IP and port above (192.168.0.100) in remote membership file Start Recon with, # sks recon & +References+ [1] http://code.google.com/p/sks-keyserver/wiki/Documentation [2] http://www.rainydayz.org/node/10 [3] http://www.keysigning.org/sks/ [4] blog.reindel.com ++Part 2: GnuPG Operations++ ============================= ++Key Generation++ Generate your key if you don't have one already $ gpg --gen-key Your selection? 1 What keysize do you want? (2048) [Press Enter] Key is valid for? (0) [Press Enter] Is this correct? (y/N) y Real name: John Doe Email address: john.doe@example.org Comment: [Press Enter] Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O Enter passphrase: SomethingSecret Repeat passphrase: SomethingSecret If you get stuck at this message, " Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 284 more bytes)" open another terminal as superuser, # apt-get install rng-tools # rangd -r /dev/urandom and the key generation will be completed. ++Sending Keys to Keyserver++ To send your Key to the keyserver, list out your keys first $ gpg --list-keys and look for the ID which is the value after 1024/ which looks like 5E21B437 You can also use regular expression to grab key ID with: $ gpg --list-keys | grep 1024D | sed 's/.*1024D\/\(.*\)\ .*$/\1/' or with awk, $ gpg --list-keys | grep 1024D | awk -F/ '{print $2}' | awk '{print $1}' We will choose above installed sks as our keyserver and send our key using key ID $ gpg --keyserver hkp://192.168.0.100 --send-keys 5E21B437 ++Searching and Importing Key from Keyserver++ To search key with key ID or name, $ gpg --keyserver hkp://192.168.0.100 --search-keys name or, $ gpg --keyserver hkp://192.168.0.100 --search-keys keyid If search matches, output will look like this: (1) John Doe <johndoe@example.org> 1024 bit DSA key 5E21B437, created: 1990-01-01 Keys 1-1 of 1 for "john". Enter number(s), N)ext, or Q)uit > Q Keys can be received with search and selecting the number or using: $ gpg --keyserver hkp://keyserver --recv-keys Key_ID Trusted keys can be signed with, $ gpg --sign-key Key_ID For more information on GNU Privacy Guard visit http://www.gnupg.org/gph/en/manual.html
Friday, March 19, 2010
glusterfs installation (storage brick replication)
In this guide we will use gluster2 to replicate stroage bricks between two nodes both of which will act as both server and client. #File: /etc/hosts 192.168.0.100 node1.example.org node2 192.168.0.101 node2.example.org node2 # aptitude install sshfs build-essential flex bison byacc libdb libdb-dev # cd /usr/src # wget http://ftp.zresearch.com/pub/gluster/glusterfs/3.0/3.0.0/glusterfs-3.0.0.tar.gz # tar xzvf glusterfs-3.0.0.tar.gz # cd glusterfs-3.0.0 # ./configure --prefix=/usr > /dev/null # make && make install # ldconfig # mkdir /data # mkdir /data/export # mkdir /data/export-ns # mkdir /etc/glusterfs # mkdir /srv #File: /etc/glusterfs/glusterfsd.vol volume posix type storage/posix option directory /data/export end-volume volume locks type features/locks subvolumes posix end-volume volume brick type performance/io-threads option thread-count 8 subvolumes locks end-volume volume server type protocol/server option transport-type tcp option auth.addr.brick.allow 192.168.0.* subvolumes brick end-volume # update-rc.d glusterfsd defaults # /etc/init.d/glusterfsd start # cd /usr/src/ # wget ftp://ftp.zresearch.com/pub/gluster/glusterfs/fuse/fuse-2.7.4glfs11.tar.gz # tar xzvf fuse-2.7.4glfs11.tar.gz # cd fuse-2.7.4glfs11 # ./configure # make && make install #File: /etc/glusterfs/glusterfs.vol volume remote1 type protocol/client option transport-type tcp option remote-host node1 option remote-subvolume brick end-volume volume remote2 type protocol/client option transport-type tcp option remote-host node2 option remote-subvolume brick end-volume volume replicate type cluster/replicate subvolumes remote1 remote2 end-volume volume writebehind type performance/write-behind option window-size 1MB subvolumes replicate end-volume volume cache type performance/io-cache option cache-size 512MB subvolumes writebehind end-volume # glusterfs -f /etc/glusterfs/glusterfs.vol /srv #File: /etc/fstab /etc/glusterfs/glsuterfs.vol /srv glusterfs defaults 0 0 NOTE: This guide was largely adopted from HowtoForge GlusterFS on Debian
Saturday, January 23, 2010
Practical Subnetting made easy
First off, remember the series of numbers and their order: 128, 192, 224, 240, 248, 252, 254, 255 Also remember, /24 = Class C (255.255.255.0) /16 = Class B (255.255.0.0) /8 = Class A (255.0.0) class A is between 0.0.0.0 127.255.255.255 class B is between 128.0.0.0 191.255.255.255 class C is between 192.0.0.0 223.255.255.255 Interestingly the starting numbers of each class is similar to above series of numbers. Another way to remember is: class A 0 to 127 class B 128 to 191 class C 192 to 223 * The numbers 127 and 192 are easy to rememner since 127.0.0.1 is loopback address and 192.168.0.0/16 is one of the private IP range Now let's do an example: Example 1) (Type: Class C) 192.168.1.104 with prefix /27 ==> We have /27 which falls under class C /24 (255.255.255.0) Calculating Number of Subnets: ------------------------------ 27 - 24 = 3 [Here we subtract the prefix from closest-match class prefix] 2^3 = 8 [Here we calculate the result as power of 2] Therefore, Number of Subnets = 8 Calculating Number of hosts: ---------------------------- (8 - 3) = 5 [where 8 is the number of bits in each octet and is constant] Therefore, number of hosts = 2^5 - 2 = 32 -2 = 30 (We subtract 2 because each subnet has 1 network and 1 broadcast address) Calculating Subnet Mask ------------------------- From above table, third number on the series ( 128, 192, 224) is 224. Since this is Class C prefix, (255.255.255.0) Subnet Mask for /27 subnet is 255.255.255.224 Subnet mask can also be obtained from simple math. Take 3 (27 - 24). Since there are 8 bits in each octet, the first three bits become 1 which gives us, 2^7 + 2^6 + 2^5 + 0 + 0 + 0 + 0 + 0 = 128 + 64 + 32 = 224 Calculating Each Subnets ------------------------ We have already obtained Number of hosts = 30 Including Network and broadcast, we have 32 We can now find out each subnet by adding 32 (which is the number of hosts including network and broadcast) starting from 0. So our networks are: 192.168.1.0/27 192.168.1.32/27 192.168.1.64/27 192.168.1.96/27 __Our IP Falls In This Subnet__ 192.168.1.128/27 192.168.1.160/27 192.168.1.192/27 192.168.1.224/27 You don't have to compute each subnet. To quickly identify which subnet IP belongs to, divide last octet (for class C) by subnet number 32 104/32 = 3 (discard the value after decimal point) Network Address can be calculated as: 3 * 32 = 96 That gives us 192.168.1.96/27 Broadcast Address, Minimum and Maximum Hosts: --------------------------------------------- Broadcast address is always the last address in a subnet which is also the last number before next subnet starts. In this case broadcast address is 192.168.1.127 The minimum available IP of host is the first IP after subnet's network address. In this case minimum host is 192.168.1.97 The maximum available IP of host is the IP before broadcast address. In this case maximum host is 192.168.1.126 Summary ------- Network Address: 192.168.1.96/27 Subnet Mask: 255.255.255.224 Broadcast Address: 192.168.1.127 Minimum Host IP: 192.168.1.97 Maximum Host IP: 192.168.1.126 Next Subnet: 192.168.1.128/27 Let's do another example: Example 2) (Type: Class B) 151.33.63.124 with prefix /18 ==> We have /18 which falls under class B /16 (255.255.0.0) Calculating Number of Subnets: ------------------------------ 18 - 16 = 2 [Here we subtract the prefix from closest-match class prefix] 2^2 = 4 [Here we calculate the result as power of 2] Therefore, Number of Subnets = 4 Calculating Number of hosts: ---------------------------- (8 - 2) = 6 [where 8 is the number of bits in each octet and is constant] Therefore, number of hosts = 2^6 - 2 = 64 -2 = 62 (We subtract 2 because each subnet has 1 network and 1 broadcast address) Calculating Subnet Mask ------------------------- From above table, second number on the series ( 128, 192) is 192. Since this is Class B prefix, (255.255.0.0) Subnet Mask for /18 subnet is 255.255.192.0 Subnet mask can also be obtained from simple math. Take 2 (18 - 16). Since there are 8 bits in each octet, the first three bits become 1 which gives us, 2^7 + 2^6 + 0 + 0 + 0 + 0 + 0 + 0 = 128 + 64 = 192 Calculating Each Subnets ------------------------ We have already obtained Number of hosts = 62 Including Network and broadcast, we have 64 We can now find out each subnet by adding 64 (which is the number of hosts including network and broadcast) starting from 0. So our equal hosts networks are: 151.33.0.0/18 __Our IP Falls In This Subnet__ 151.33.64.0/18 151.33.128.0/18 151.33.192.0/18 You don't have to compute each subnet. To quickly identify which subnet IP belongs to, divide last octet (for class C) by subnet number 32 124/64 = 0 (discard the value after decimal point) Network Address can be calculated as: 0 * 64 = I'll leave you to it. That gives us 151.33.0.0/18 Broadcast Address, Minimum and Maximum Hosts: --------------------------------------------- Broadcast address is always the last address in a subnet which is also the last number before next subnet starts. In this case broadcast address is 151.33.63.255 The minimum available IP of host is the first IP after subnet's network address. In this case minimum host is 151.33.0.1 The maximum available IP of host is the IP before broadcast address. In this case maximum host is 151.33.63.254 Summary ------- Network Address: 151.33.0.0/18 Subnet Mask: 255.255.192.0 Broadcast Address: 151.33.63.255 Minimum Host IP: 151.33.0.0 Maximum Host IP: 151.33.63.254 Next Subnet: 192.168.64.0/18 [Reference] Subnet Cheat Sheet: http://support.tranzeo.com/guides/network/Subnet%20Cheat%20Sheet.pdf
Wednesday, January 06, 2010
IPtables Rules to block SSH Bruteforce and Tor exit nodes
I was going through some of the old files and came across IPTables Rules to block SSH Bruteforce and Tor exit nodes. These rules are helpful in protecting your VPS/Dedicated Servers from related attacks and IP Spoofing.
IPTables Rules to limit SSH bruteforce (Download)
------------------------------------------------------------
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 7 --rttl --name SSH -j DROP
Explanation: The first lines assigns a name SSH to the packets with destination port 22. If the packet count exceeds 7 hits per 60 second for an ip address further connections are dropped. If your sshd is listening to a port other than 22 update above rules to reflect changes.
IPTables Rules to block Tor exit nodes (Download)
-------------------------------------------------------------
#!/bin/bash wget -P/tmp http://anonymizer.blutmagie.de:2505/ip_list_exit.php/Tor_ip_list_EXIT.csv if [ -f /tmp/Tor_ip_list_EXIT.csv ]; then for BAD_IP in `cat /tmp/Tor_ip_list_EXIT.csv` do iptables -A INPUT -s "$BAD_IP" -j DROP done else echo "Can't read /tmp/Tor_ip_list_EXIT.csv" fi
Explanation: The above commands sequence downloads the tor exit node list from blutmagie.de and adds IPTables rules to drop the connection with each IP address as source.
