New Network Setup

[GeekGoneCrazy]

Hello all,

I've been doing a fair amount of work with ipv6 recently, yet again. This time i've gotten it up, as well as getting apache dishing out web pages.

But my setup is majorly unsecure. Nothing is ipv6 aware accept the server. Thinking I'm going to have to do a little work with ip tables. Fun stuff! My question is on setup.

Hardware:

• I have a cheap little ActionTec dsl modem.
  
• 2 Wireless N routers. I have been able to get ddwrt on one of them. I'd like to run one as either a guest access point, or put all wireless g/b traffic on it and N on the other. Not sure about that.
  
• 5 port Gigabit switch.
  
• 24 port 10/100 3com switch. Don't have to use it. Loud as all get out.
  
• Quad core system running 5 virtual machines. Gigabit card in it.
  
• 3 machines with p4's 1.4-1.7 GHz 512mb ram in each. Thinking will use the 1.7 for a firewall box.
  

What I would like:

I want to run ipv4/ipv6 Mostly for my servers, but would like to try out ipv6 access in the whole house.

I'd like to isolate my server from the rest of the house. I do have a couple of nics.

Would like to eventually setup DNS. Going through HE.net cert deal, plus need to learn the ends and outs anyways.

Any suggestions on setting my network up a little more securely?

Not wanting a step by step, I just would like some suggestions.

I'm 100% linux. So would prefer to stay with solutions on linux.

Thanks,

[buffy]

If you want a I can provide you with a IPv6 webserver to help with your cert.

www.amg-it.co.uk is now IPv6 :D

[GeekGoneCrazy]

Thanks, but i already have passed that section of the cert. I had absolutely no trouble getting that finished. My site is already setup with an AAAA record. I just do not wish to leave my server wide open, with the ipv6 address for it out there and no protection.

[Infiltrator]

Since most Linux Firewall distros like smoothwall, pfsense don't natively support IPv6 as of yet. What you could do is, set up a stand alone box with ip tables and have it routing all the IPv6 traffic.

Now to isolate the servers, you could set up two dedicated nics on different subnets and use IP tables to allow/deny any traffic to/from it.

[GeekGoneCrazy]

So 3 nics in the machine. One from the dsl, one for servers, and the other for the rest of the network.

Will the machines be able to get ipv6 addresses if the ipv6 router/box is behind a wireless router?

I already have a box with ubuntu server on it. Radvd already installed. One /64 subnet configured already.

[Infiltrator]

So 3 nics in the machine. One from the dsl, one for servers, and the other for the rest of the network.

Will the machines be able to get ipv6 addresses if the ipv6 router/box is behind a wireless router?

I already have a box with ubuntu server on it. Radvd already installed. One /64 subnet configured already.

If the computers and the DHCP server are on the same subnet than I'd say yes. To test it out, see if you can get an ip address from the DHCP server, if you can then its working fine.

[GeekGoneCrazy]

Interesting... I just plugging the machine into the router. Radvd is giving the machines ipv6 addresses. But Its not making use of the tunnel. Is this not automatic? I have the tunnel setup on the box. Is there something else needing done?

[Infiltrator]

Interesting... I just plugging the machine into the router. Radvd is giving the machines ipv6 addresses. But Its not making use of the tunnel. Is this not automatic? I have the tunnel setup on the box. Is there something else needing done?

What are you using for the tunnel? What protocol?

Edited March 17, 2011 by Infiltrator

[GeekGoneCrazy]

Using Hurricane Electrics Tunnelbroker.

Its fixed! All ip's in my /64 are pingable(if its not a word it should be). I have 2 web servers. It automatically picked up the ipv6 address and is accessible. I think I had the end tunnel address wrong. I had their end of the tunnel in instead of mine.

Right now its setup and working as:

dsl modem->Linksys router->all hosts(including firewall box with radvd)

Going to attempt to change it to:

                --->eth1->linksys->general hosts
               /
dsl->firewall-<
               \
                --->eth2->ddwrt->Servers

Hopefully it doesn't break again. lol

I do most of my own web hosting. So I plan on adding a dns server. Getting tired of adding proxy's to the different virtual machines with apache.

Should I put it in with the firewall? Or how should I set it up?

Thanks,

[edit]Actually looks like I will still have to do apache ProxyPass to the internal webservers. Is there a better route?

Edited March 17, 2011 by GeekGoneCrazy

[buffy]

well done lad, I am finding the move to IPv6 a little on the complicated as its quite large, and I think I forgot to sleep for the last few days now.

[GeekGoneCrazy]

well done lad, I am finding the move to IPv6 a little on the complicated as its quite large, and I think I forgot to sleep for the last few days now.

It is a little harder than would be expected. But not that bad. I hear you. I've been working on it for about a week. Finally decided I would learn it, or else.

http://ipv6.geekgonecrazy.com/

I'm a little frustrated that my mac insists on selecting the A record first. I was under the impression it would query for AAAA first.

Edited March 17, 2011 by GeekGoneCrazy

[Infiltrator]

Using Hurricane Electrics Tunnelbroker.

Its fixed! All ip's in my /64 are pingable(if its not a word it should be). I have 2 web servers. It automatically picked up the ipv6 address and is accessible. I think I had the end tunnel address wrong. I had their end of the tunnel in instead of mine.

Right now its setup and working as:

dsl modem->Linksys router->all hosts(including firewall box with radvd)

Going to attempt to change it to:

                --->eth1->linksys->general hosts
               /
dsl->firewall-<
               \
                --->eth2->ddwrt->Servers

Hopefully it doesn't break again. lol

I do most of my own web hosting. So I plan on adding a dns server. Getting tired of adding proxy's to the different virtual machines with apache.

Should I put it in with the firewall? Or how should I set it up?

Thanks,

[edit]Actually looks like I will still have to do apache ProxyPass to the internal webservers. Is there a better route?

From a security point of view, I would set up a proxy at the Apache level, rather than setting up at the Firewall level. Because once you start adding/changing rules at the firewall, the network becomes less secure.

[GeekGoneCrazy]

From a security point of view, I would set up a proxy at the Apache level, rather than setting up at the Firewall level. Because once you start adding/changing rules at the firewall, the network becomes less secure.

So set up apache on it to do the forwards. Instead of trying to do it at the iptables level?

Edited March 17, 2011 by GeekGoneCrazy

[Infiltrator]

So set up apache on it to do the forwards. Instead of trying to do it at the iptables level?

Correct!

[GeekGoneCrazy]

Correct!

Sweet, Actually had just finished doing that. Looks like i'm off to a good start.

IPv6 is crazy!

I have a /48 which can have 65536 /64 subnet's each /64 can have 18,446,744,073,709,551,616 Hosts?

Which is something like 1,208,925,819,614,629,174,706,176 total? Sheesh!

I can finally have a static ip or 2. ;)

Watch ISP's like AT&T try and give everyone a /128 when they finally dual stack.

[Infiltrator]

Sweet, Actually had just finished doing that. Looks like i'm off to a good start.

IPv6 is crazy!

I have a /48 which can have 65536 /64 subnet's each /64 can have 18,446,744,073,709,551,616 Hosts?

Which is something like 1,208,925,819,614,629,174,706,176 total? Sheesh!

I can finally have a static ip or 2. ;)

Watch ISP's like AT&T try and give everyone a /128 when they finally dual stack.

For the moment I happy with IPv4 and I am not really eager to migrate to IPv6.

Most consumer network products are still IPv4 based, so will wait until they have matured enough.

[3TeK]

Just get a mikrotik or build a box with RouterOS. It supports IPv6, and it's ready to go.

This is the one i'm running (ipv4 only)

http://www.roc-noc.com/mikrotik/routerboard/rb750g.html

[GeekGoneCrazy]

Just get a mikrotik or build a box with RouterOS. It supports IPv6, and it's ready to go.

This is the one i'm running (ipv4 only)

http://www.roc-noc.com/mikrotik/routerboard/rb750g.html

I started to get a routerOS router a while back after seeing them in linux journal a couple of times. Some how the price jacked up from 39 to a hundred something at check out. Can't remember the specifics, but quickly turned me off of the product. Looks like great devices though.

[3TeK]

I love them. We run them for everything. They are finally coming out with that 750 w/ wireless N built in (2 months after i buy a new router)

I'd also recommend the 493AH or 493G they have 8 ports and have a rackmount kit. Baltic Networks has some cool Mikrotik stuff too.

[GeekGoneCrazy]

Alright another issue! I think I can get all ipv6 forwarding stuff working. Is it possible to port forward depending on the domain name coming in? All port 80 and 443 are taken care of by apache. But, ssh and others? Is this possible?

Ssh into 1.example.com forwards to box 1

Ssh into 2.example.com forwards to box 2

Possible? Iptables?

[Infiltrator]

Alright another issue! I think I can get all ipv6 forwarding stuff working. Is it possible to port forward depending on the domain name coming in? All port 80 and 443 are taken care of by apache. But, ssh and others? Is this possible?

Ssh into 1.example.com forwards to box 1

Ssh into 2.example.com forwards to box 2

Possible? Iptables?

Yes it is possible, but you will need to set up different ports for SSH and enable port forwarding as well.

On a side note, I don't think it would be possible to run two of the same services (SSH) on the same port, it has to point to a different port.

[GeekGoneCrazy]

Yes it is possible, but you will need to set up different ports for SSH and enable port forwarding as well.

On a side note, I don't think it would be possible to run two of the same services (SSH) on the same port, it has to point to a different port.

So no way to proxy ssh and other stuff through depending on the domain name its attempting to reach?

I already have different ports open for each needed machine. So I have it working that way. Trying to limit holes and force everything through this box so I can monitor it. Not to mention, remembering ssh user@1.example.com is a lot easier to remember than ssh user@1.example.com:2265 or something random like that.

Not in anyway critical or really a security issue. Just figured it must be possible.

Edited March 26, 2011 by GeekGoneCrazy

[Infiltrator]

So no way to proxy ssh and other stuff through depending on the domain name its attempting to reach?

I already have different ports open for each needed machine. So I have it working that way. Trying to limit holes and force everything through this box so I can monitor it. Not to mention, remembering ssh user@1.example.com is a lot easier to remember than ssh user@1.example.com:2265 or something random like that.

Not in anyway critical or really a security issue. Just figured it must be possible.

I haven't tried this before, but I think it may be possible through the use of virtual directories in Apache.

Edit: Or a DNS server.

Edited March 26, 2011 by Infiltrator