Running a website on ip6

I started quite a while ago moving a pet project to ip6. While it doesn’t involve any programming per se, it turned out to be quite a complicated process involving multiple configuration steps. Thus, for your enjoyment I present: running a website on ip6 with Ubuntu 14.04 (older versions won’t work because their kernel doesn’t support port redirection).

The setup

The site (for the sake of argument, let’s assume it’s example.com) runs on a virtual Ubuntu 14.04 server with a static ip4 and a static ip6 address, and the software stack consists of:

An iptables firewall for both ip4 and ip6, which blocks all incoming traffic except HTTP, SSH and ICMP.

A varnish setup which listens on port 6081.

A tomcat setup which listens on localhost port 8080 only.

How to test?

I used http://ipv6-test.com/ to verify that the site works over ip6. Alternatively, run:

wget -6 --header "Host: example.com" http://example.com

or

wget --header "Host: example.com" http://[2606:2800:220:6d:26bf:1447:1097:aa7]

if DNS doesn’t work yet.

If you are just starting with ip6, none of this should work yet.

Getting IP6 running

1. The first step is to get a static ip6 address for your site from your provider. There’s not much I can write here about this step; your provider will (or won’t) tell you what to do.

2. Next you need to add the IP6 address from step 1 to the DNS records for your site. Again, providers have different ways of doing this; I got used to mangling the zone file directly, so you’d add something like this:

@                        IN AAAA    2606:2800:220:6d:26bf:1447:1097:aa7
www                      IN AAAA    2606:2800:220:6d:26bf:1447:1097:aa7

3. After a while (hours!) you should verify that the internet knows about your ip6 address by using the interactive mode of nslookup:

> nslookup
> set q=any
> example.com

Non-authoritative answer:
example.com    has AAAA address 2606:2800:220:6d:26bf:1447:1097:aa7

4. Now we’ll use ip6tables to punch a few holes into the firewall running on the server. The script is also available on github.

#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="eth0"
echo "Starting IPv6 firewall..."
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
$IPT6 -t nat -F
$IPT6 -t nat -X

#unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default (the policies apply to anything no rule below accepts)
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Allow full outgoing connections, but nothing incoming except replies to connections we opened
$IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow ICMPv6 in both directions; besides ping this carries neighbour discovery
# and path MTU discovery, and blocking it breaks IPv6 connectivity on the host
$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6  port 80
$IPT6 -A INPUT -p tcp --destination-port 80 -j ACCEPT

### open IPv6  port 6081 (varnish). The filter table sees a packet only after the
### nat REDIRECT below has rewritten its port, so this rule is what actually lets
### redirected port 80 traffic in; it also makes varnish reachable directly on 6081.
$IPT6 -A INPUT -p tcp --destination-port 6081 -j ACCEPT

### open IPv6  port 22
$IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT

############ End custom rules ################

# redirect incoming port 80 to varnish on 6081 (needs IPv6 NAT support in the kernel).
# Do not add "-m cpu --cpu 0" here as in the iptables man page example: it would only
# redirect packets handled by CPU 0, so on a multi-core host some port 80 connections
# would land on port 80 itself, where nothing listens.
$IPT6 -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 6081


#### no need to edit below ###
# log everything else

$IPT6 -N LOGGING
$IPT6 -A INPUT -j LOGGING
$IPT6 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPT6 -A LOGGING -j DROP

The script, sans port redirection, was inspired by this article.

In short, it tells the firewall to drop all ip6 traffic by default, then opens ports 22, 80 and 6081 for incoming connections, allows traffic belonging to connections that are already established, allows ICMPv6, and redirects incoming traffic on port 80 to port 6081.

Note that we don’t need to do anything about port 8080, where tomcat is running, because a) it only listens on the loopback interface, which is not reachable from outside, and b) varnish forwards the traffic to it for us.

5. Verify that everything works:

ping6 example.com

wget -6 --header "Host: example.com" http://example.com
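To check that the running ruleset really enforces the policy described above, rather than trusting that the script ran cleanly, here is an added audit script that is not part of the original post: it parses an ip6tables-save dump and fails on the first deviation (wrong default policy, an extra inbound port, no ICMPv6, no redirect). It assumes the rule format ip6tables-save prints on Ubuntu 14.04 (for example "--to-ports" for REDIRECT), and the sample dump is constructed.

```shell
#!/bin/sh
# Audit an `ip6tables-save` dump against what the post's script intends: default DROP
# on every filter chain, inbound TCP only on 22/80/6081, ICMPv6 accepted, 80 -> 6081.
# Constructed sample: roughly what `ip6tables-save` prints after the script has run.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6081
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -j DROP
COMMIT'

# Inbound TCP ports accepted in INPUT, one per line, numerically sorted.
open_tcp_ports() {
  printf '%s\n' "$1" | awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
    for (i = 1; i <= NF; i++)
      if ($i == "--dport" || $i == "--destination-port") print $(i + 1) }' | sort -n
}

# Succeeds only if INPUT, FORWARD and OUTPUT all default to DROP.
default_policies_drop() {
  printf '%s\n' "$1" | awk '/^:(INPUT|FORWARD|OUTPUT) / && $2 != "DROP" { bad = 1 } END { exit bad + 0 }'
}

# Port that nat PREROUTING redirects TCP port 80 to (empty if there is no such rule).
redirect_target() {
  printf '%s\n' "$1" | awk '/^-A PREROUTING / && /--dport 80 / && /-j REDIRECT/ {
    for (i = 1; i <= NF; i++)
      if ($i == "--to-ports" || $i == "--to-port") print $(i + 1) }'
}

# Whole audit: status 0 plus a confirmation line, or status 1 plus the first mismatch.
audit_ip6_firewall() {
  default_policies_drop "$1" || { echo "filter chains do not default to DROP"; return 1; }
  ports=$(open_tcp_ports "$1" | xargs)   # xargs joins the lines with single spaces
  [ "$ports" = "22 80 6081" ] || { echo "unexpected inbound TCP ports: $ports"; return 1; }
  [ "$(redirect_target "$1")" = "6081" ] || { echo "port 80 is not redirected to 6081"; return 1; }
  printf '%s\n' "$1" | grep -q '^-A INPUT -p ipv6-icmp -j ACCEPT' || { echo "ICMPv6 is not accepted"; return 1; }
  echo "ruleset matches the intended IPv6 policy"
}
```

On the server, run audit_ip6_firewall "$(sudo ip6tables-save)" after step 4; the exit status is 0 only when the default policies, the open ports, ICMPv6 and the redirect all match.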
