Changes

Jump to navigation Jump to search

Raspberry Pi IPv6 firewall tester installation (view source)

Revision as of 21:57, 1 October 2014

94 bytes removed ,  21:57, 1 October 2014
no edit summary
Line 54: Line 54:  
By default IPv6 support is disabled in later Arch Linux releases. To enable it, edit '''/boot/cmdline.txt''' and remove the '''ipv6.disable=1''' statement from the beginning of the line.
 
By default IPv6 support is disabled in later Arch Linux releases. To enable it, edit '''/boot/cmdline.txt''' and remove the '''ipv6.disable=1''' statement from the beginning of the line.
    +
Following this modification it is sensible to reboot your Raspberry Pi and check that it has been correctly allocated an IPv6 address, using ifconfig:
 +
 +
  # ifconfig eth0
 +
  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 +
        inet AA.BB.C.DD  netmask 255.255.255.0  broadcast AA.BB.C.255
 +
        inet6 '''2001:470:971f:3:ba27:ebff:fecc:dc7c'''  prefixlen 64  scopeid 0x0<global>
 +
        inet6 fe80::ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x20<link>
 +
        ether b8:27:eb:cc:dc:7c  txqueuelen 1000  (Ethernet)
 +
        RX packets 721789  bytes 103366589 (98.5 MiB)
 +
        RX errors 0  dropped 48  overruns 0  frame 0
 +
        TX packets 231210  bytes 130480722 (124.4 MiB)
 +
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
As a general starting point please read the [https://wiki.archlinux.org/index.php/Iptables ArchLinux IPtables documentation].  
 
As a general starting point please read the [https://wiki.archlinux.org/index.php/Iptables ArchLinux IPtables documentation].  
Line 226: Line 238:  
   # iptables-save >/etc/iptables/iptables.rules
 
   # iptables-save >/etc/iptables/iptables.rules
   −
Note that it is import to check full functionality still exists with your firewall in place - this particularly applies to address allocation (e.g. DHCP and SLAAC) procedures which may mean that a misconfigured firewall makes your Raspberry Pi unreachable. This is one reason why it is useful to develop the two rulesets (IPv4 and IPv6) separately, since if you misconfigure one firewall and lose connectivity then you can fall back to the working protocol version to correct your mistake. Once you're happy that both firewall sets are correct then you can insert ''both'' sets into '''/etc/rc.conf''' DAEMONS statement before the network module is called:
+
Note that it is import to check full functionality still exists with your firewall in place - this particularly applies to address allocation (e.g. DHCP and SLAAC) procedures which may mean that a misconfigured firewall makes your Raspberry Pi unreachable. This is one reason why it is useful to develop the two rulesets (IPv4 and IPv6) separately, since if you misconfigure one firewall and lose connectivity then you can fall back to the working protocol version to correct your mistake. Once you're happy that both firewall sets are correct then you can enable the services from boot:
   −
  DAEMONS=(!hwclock syslog-ng '''iptables''' '''ip6tables''' network openntpd @netfs @crond @sshd @mysqld @httpd)
   
   # systemctl enable ip6tables
 
   # systemctl enable ip6tables
 +
  # systemctl enable iptables
    
You can check for dropped/logged packets (in the examples above logging is included for the IPv6 packet filter) using the following command:
 
You can check for dropped/logged packets (in the examples above logging is included for the IPv6 packet filter) using the following command:
Line 313: Line 325:     
   snd_bcm2835
 
   snd_bcm2835
 +
 +
Note: this step appears to be unnecessary with current versions of archlinux.
      Line 429: Line 443:  
   # ps -ef |grep -i mysql
 
   # ps -ef |grep -i mysql
 
   root      392    1  0 Aug25 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --user=mysql
 
   root      392    1  0 Aug25 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --user=mysql
   mysql      688  392  0 Aug25 ?        01:47:48 /usr/bin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin
+
   mysql      688  392  0 Aug25 ?        01:47:48 /usr/bin/mysqld --basedir=/usr --datadir=/var/lib/mysql ........
                                                   --user=mysql --log-error=/var/lib/mysql/alarmpi.err --pid-file=/var/lib/mysql/alarmpi.pid
+
                                                   --user=mysql --log-error=/var/lib/mysql/alarmpi.err .......
 
                                                   --socket=/var/run/mysqld/mysqld.sock --port=3306
 
                                                   --socket=/var/run/mysqld/mysqld.sock --port=3306
 
  −
It is now worth checking that your Raspberry Pi has been correctly allocated an IPv6 address, using ifconfig:
  −
  −
  # ifconfig eth0
  −
  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  −
        inet AA.BB.C.DD  netmask 255.255.255.0  broadcast AA.BB.C.255
  −
        inet6 '''2001:470:971f:3:ba27:ebff:fecc:dc7c'''  prefixlen 64  scopeid 0x0<global>
  −
        inet6 fe80::ba27:ebff:fecc:dc7c  prefixlen 64  scopeid 0x20<link>
  −
        ether b8:27:eb:cc:dc:7c  txqueuelen 1000  (Ethernet)
  −
        RX packets 721789  bytes 103366589 (98.5 MiB)
  −
        RX errors 0  dropped 48  overruns 0  frame 0
  −
        TX packets 231210  bytes 130480722 (124.4 MiB)
  −
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
       
Retrieved from ‘https://wiki.chappell-family.com/wiki/index.php?title=Special:MobileDiff/354

Navigation menu