- Find out the 6to4 tunneled IPv6 address for your IPv4 address: I use a 6to4 address calculator.
- You are going to get a /48 subnet, that is, you will have the equivalent of 65536 entire IPv4 internets to allocate inside your machine. I generally use the one with all zeroes and a single one at the end as the address of my 6to4 gateway, so my IPv6 address ends up looking like: 2002:dead:beef::1. Notice that '::'? That is IPv6 for "all the 16-bit blocks between here are zero".
- Edit your /etc/network/interfaces file to add this interface:

  ```
  iface tun6to4 inet6 v4tunnel
      address 2002:YOUR-IPV6-ADDRESS-GOES-HERE!!!!!!
      netmask 16
      # anycast gateway
      remote 192.88.99.1
      endpoint any
      local YOUR-IPv4-ADDRESS-GOES-HERE!!!!!
      ttl 255
      up ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
      down ip -6 route flush dev tun6to4
  ```
- Turn on your interface: ifup tun6to4
- Ping Google's machine: ping6 ipv6.google.com
- Go back and add the auto tun6to4 line to your /etc/network/interfaces
- Pick a subnet number. I'm going to use 1101 in this example, because it is the one I'm using. Any 4 digit hex number will suffice.
- Edit your /etc/network/interfaces again to add the subnet to your internal ethernet device:

  ```
  iface eth1 inet6 static
      # 1101 is 17.1, it cohabits my 172.17.1.*
      address YOUR-FIRST-THREE-PARTS:1101::1
      netmask 64
  ```
- Bounce your internal interface to bring it up. (You could also skip the ifdown and use the force flag on ifup if you didn't want to risk chopping your legs off if something goes wrong.)

  ```
  ifdown eth0 ; ifup eth0
  ```
- Note: I have a problem here. It doesn't add the route for that network, so I have to

  ```
  ip route add YOUR-FIRST-THREE-PARTS:1101::/64 dev eth0
  ```

  I have no idea why. If you see

  ```
  Dead loop on virtual device tun6to4, fix it urgently!
  ```

  in your syslog, you forgot this step.
- aptitude install radvd (route advertiser. It won't start without a config)
- Turn on IPv6 forwarding: edit /etc/sysctl.conf and uncomment the line that says

  ```
  net.ipv6.conf.all.forwarding=1
  ```

  Then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding to make it happen without a reboot.
- Create your /etc/radvd.conf file, something like this should work…

  ```
  # make eth1 your network device
  interface eth1
  {
      AdvSendAdvert on;

      prefix YOUR-FIRST-THREE-PARTS:1101::/64
      {
          AdvOnLink on;
          AdvAutonomous on;
          AdvRouterAddr on;
      };
  };
  ```
- Restart radvd: /etc/init.d/radvd restart

```sh
# open loopback wide
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT

# drop everything inbound by default
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP
/sbin/ip6tables -P OUTPUT ACCEPT

# forwarding basis: outgoing is fine, incoming is not
/sbin/ip6tables -A FORWARD -i tun6to4 -m state --state ESTABLISHED,RELATED -j ACCEPT  # allow established
/sbin/ip6tables -A FORWARD -o tun6to4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT  # allow outgoing
/sbin/ip6tables -A FORWARD -i eth0 -o eth0 -j ACCEPT  # we can talk amongst ourselves
# I don't like the preceding rule, it combinatorially explodes with more than 1 interface

# allow ICMP
/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# open my ports
/sbin/ip6tables -A INPUT -i tun6to4 -p tcp --destination-port 80 -j ACCEPT
/sbin/ip6tables -A INPUT -i tun6to4 -p tcp --destination-port 22 -j ACCEPT

# see the failures
/sbin/ip6tables -A FORWARD -m limit --limit 15/minute -j LOG --log-level info
/sbin/ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level info
```
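
An added example (not part of the original post): the address arithmetic behind the first steps, done with Python's ipaddress module instead of an online calculator, using the post's 2002:dead:beef::1 and subnet 1101 as constructed sample input. The function names are made up for this example; embedded_ipv4 goes the other way, which helps when a 2002::/16 address turns up in the firewall log and you want the IPv4 host behind it.

```python
import ipaddress

def sixtofour_prefix(ipv4):
    """Return the 2002:V4HI:V4LO::/48 prefix that 6to4 assigns to a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # RFC 1918 and other non-routable addresses cannot be reached by a 6to4 relay
        raise ValueError(f"{v4} is not a public IPv4 address")
    # 16 bits of 2002, then the 32-bit IPv4 address, then 80 zero bits
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def lan_subnet(prefix, subnet_id):
    """Return the /64 inside the /48 selected by a 16-bit subnet number."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a subnet number of at most 4 hex digits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))

def embedded_ipv4(ipv6):
    """Return the IPv4 address inside a 6to4 address, or None outside 2002::/16."""
    return ipaddress.IPv6Address(ipv6).sixtofour

def plan(ipv4, subnet_id):
    """Collect the values the interfaces and radvd.conf stanzas ask for."""
    prefix = sixtofour_prefix(ipv4)
    lan = lan_subnet(prefix, subnet_id)
    return {
        "tunnel_address": str(prefix[1]),   # address for iface tun6to4
        "tunnel_local": ipv4,               # local for iface tun6to4
        "lan_address": str(lan[1]),         # address for the internal interface
        "radvd_prefix": str(lan),           # prefix line in radvd.conf
    }

if __name__ == "__main__":
    # Constructed sample: 222.173.190.239 is the IPv4 behind 2002:dead:beef::1
    for key, value in plan("222.173.190.239", 0x1101).items():
        print(f"{key:15} {value}")
    print(embedded_ipv4("2002:dead:beef:1101::1"))
```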