Author: Cao Jianghua
IPv6 (Internet Protocol Version 6) is the next-generation network protocol that succeeds IPv4, and it brings many new features. IPv6 grew out of the IPv4 address crisis, its role as the next-generation Internet protocol is recognized by all parties, and the further development of the Internet is inseparable from IPv6 support and deployment. The system tools used for IPv6 differ little from those used for IPv4. Linux was the first operating system to support IPv6. This article introduces IPv6 addressing, routing settings, firewall configuration and security tools under Linux, so that you can move quickly from IPv4 to IPv6 in a Linux network environment.
Configure IPv6 protocol
The author uses Mandrake 9.1 Linux as the example system for deploying IPv6 under Linux.
1. Load the IPv6 module
Compared with Windows, Linux has better support for IPv6. In general, a Linux distribution with a 2.4 kernel can use IPv6 directly. First check whether the system's IPv6 module is loaded; if it is not, load it manually with the command below, which requires superuser privileges. Then run the detection command: if an IPv6 address appears in the fifth row of Figure 1 (inet6 addr: fe80::200:e8ff:fea0:2586/64), IPv6 has been loaded.
# modprobe ipv6
# ifconfig -a
The output is as follows:
Figure 1: the inet6 address shows that the IPv6 module has been loaded
2. Use the ping6 command to check whether the NIC's IPv6 address is valid
Unlike ping for IPv4, ping6 must be told the network interface when the target is a link-local address; otherwise the system does not know which network device to send the packet out of. -I specifies the interface, eth0 is the first network card, -c specifies the count, e.g. 3 means ping6 runs three times. The results are shown in Figure 2:
# ping6 -I eth0 -c 1 fe80::200:e8ff:fea0:2586
3. Use the ip command
The ip command is a powerful network configuration tool from the iproute2 package that replaces several traditional network management tools such as ifconfig and route.
(1) View the IPv6 routing table with the "ip" command:
# /sbin/ip -6 route show dev eth0
(2) Add an IPv6 route through a gateway (here with the traditional route command; ip -6 route add is the iproute2 equivalent):
# /sbin/route -A inet6 add 2000::/3 gw 3ffe:fff:0:f101::1
(3) View IPv6 Neighbor Solicitation results with the ip command
IPv6 Neighbor Discovery takes over the role of IPv4 ARP (Address Resolution Protocol): it lets you query the network neighbor information and edit or delete entries. Use the ip command to view the neighbor settings (here 00:01:24:45:67:89 is the data-link-layer MAC address of the network device):
# ip -6 neigh show
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:24:45:67:89 router nud reachable
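As an added example (not part of the original article), the following POSIX shell script reads neighbor-table lines in the format `ip -6 neigh show` prints and checks each link-local entry against the modified EUI-64 address its link-layer address would yield (flip the universal/local bit of the first byte, insert ff:fe in the middle). A mismatch is not proof of anything wrong, since privacy or manually assigned addresses also mismatch, but on a managed LAN it is the kind of entry worth a second look. The sample neighbor lines and the MAC addresses in them are constructed; the names mac_to_ll, strip_zeros, audit_neighbors and count_mismatches are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): read `ip -6 neigh show`
# output, list each neighbour, and check link-local entries against the
# EUI-64 address their link-layer address would produce.

# Constructed sample in the format `ip -6 neigh show` prints; for real use
# pipe the command's output into audit_neighbors instead.
SAMPLE_NEIGH='fe80::201:24ff:fe45:6789 dev eth0 lladdr 00:01:24:45:67:89 router nud reachable
fe80::1234:5678:9abc:def0 dev eth0 lladdr 00:11:22:33:44:55 nud stale
2001:db8:100::1 dev eth0 lladdr 00:01:24:45:67:89 nud reachable
fe80::250:56ff:fe00:1 dev eth0 nud failed'

# Drop leading zeros of a 16-bit group the way `ip` prints it ("0201" -> "201").
# Only the fe80:0:0:0 run is compressed with "::"; an interface identifier that
# itself contains all-zero groups (rare with EUI-64) would need full RFC 5952 logic.
strip_zeros() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# Modified EUI-64 link-local address for a MAC (RFC 4291, appendix A).
mac_to_ll() {
    m=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b1=${m%%:*}; r=${m#*:}
    b2=${r%%:*}; r=${r#*:}
    b3=${r%%:*}; r=${r#*:}
    b4=${r%%:*}; r=${r#*:}
    b5=${r%%:*}; b6=${r#*:}
    # flipping bit 1 of the first byte only changes its low hex digit
    lo=$(printf '%s' "$b1" | cut -c2 | tr '0123456789abcdef' '23016745ab89efcd')
    b1=$(printf '%s' "$b1" | cut -c1)$lo
    printf 'fe80::%s:%s:%s:%s\n' \
        "$(strip_zeros "$b1$b2")" "$(strip_zeros "${b3}ff")" \
        "$(strip_zeros "fe$b4")" "$(strip_zeros "$b5$b6")"
}

# One line per neighbour: address, lladdr, NUD state, router flag, verdict.
audit_neighbors() {
    awk '{
        ll = "-"; router = "no"; state = $NF
        for (i = 1; i <= NF; i++) {
            if ($i == "lladdr") ll = $(i + 1)
            if ($i == "router") router = "yes"
        }
        print $1, ll, state, router
    }' | while read -r addr ll state router; do
        case "$addr" in
            fe80:*)
                if [ "$ll" = "-" ]; then verdict="no-lladdr"
                elif [ "$(mac_to_ll "$ll")" = "$addr" ]; then verdict="eui64-ok"
                else verdict="eui64-mismatch"
                fi ;;
            *) verdict="global" ;;
        esac
        printf '%s %s %s router=%s %s\n' "$addr" "$ll" "$state" "$router" "$verdict"
    done
}

# Number of link-local entries in the sample whose address does not match their MAC.
count_mismatches() {
    printf '%s\n' "$SAMPLE_NEIGH" | audit_neighbors | grep -c 'eui64-mismatch'
}

printf '%s\n' "$SAMPLE_NEIGH" | audit_neighbors
```

On the sample, the first entry is consistent with its MAC, the second is flagged as a mismatch, the global address is reported as such, and the failed entry has no link-layer address to compare. Entries with the router flag are worth listing separately, since an unexpected router in the neighbor table is what a rogue Router Advertisement looks like from the host's side.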
Firewall for the Linux IPv6 network environment
Installation:
The core of the firewall in the Linux 2.4 kernel is iptables. It replaces ipchains from the 2.2 series, which in turn replaced ipfwadm from the 2.0 series. If you want to use any form of firewall, you need to install iptables.
(1) Download the IPv6 version of iptables from: ftp://ftp.uni-bayreuth.de/pub/linux/arklinux/1.0-0.alpha8.2/i586/iptables-ipv6-1.2.7a-1ark.i586.rpm
(2) Install the firewall:
# rpm -ivh iptables-ipv6-1.2.7a-1ark.i586.rpm
Configure iptables
iptables is the IP packet filtering system integrated into the mainstream 2.4.x Linux kernel. Whether the Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy server connecting a LAN to the Internet, iptables gives better control over IP packet filtering and firewall configuration on that system. The netfilter/iptables packet filtering system is a powerful tool for adding, editing and removing rules; these rules are consulted and followed when packet filtering decisions are made. They are stored in dedicated packet filtering tables that are integrated into the Linux kernel. Within a packet filtering table, rules are grouped into what are called chains. The rules, how to build them, and how to group them into chains are discussed in detail below.
(1) Clear the old rules:
# ip6tables [-F] [-X] [-Z]
Parameter description:
-F: flush all configured rules;
-X: delete all user-defined chains;
-Z: zero the packet and byte counters of all chains.
(2) Establish policies and rules
# ip6tables [-t table] -P {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} {ACCEPT|DROP}
# ip6tables [-t table] -A {INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING} [-p tcp|udp] [-s ip/network] [--sport ports] [-d ip/network] [--dport ports] -j {ACCEPT|DROP}
Parameter description:
-t: select the table;
table: the name of the table (filter is the default);
-P: set the default policy of a chain;
INPUT: packets whose destination is this host;
OUTPUT: packets originating from this host;
FORWARD: packets forwarded through the host without being delivered to it;
PREROUTING: processed before the routing decision;
POSTROUTING: processed after the routing decision;
-p tcp: packets of the TCP protocol;
-p udp: packets of the UDP protocol;
-s: IP address or network of the packet's source;
--sport: port of the packet's source;
-d: IP address or network of the destination host;
--dport: port on the destination host;
ACCEPT: accept the packet;
DROP: discard the packet.
(3) Examples (sit+ matches every tunnel interface named sit0, sit1, and so on):
1. Allow ICMPv6 packets into the host (i.e. allow the host's IPv6 addresses to be pinged):
# /sbin/ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
2. Allow ICMPv6 packets out of the host:
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
3. Allow the host with IPv6 address 3ffe:ffff:100::1/128 to use SSH:
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
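Putting the three rules above together, as an added example that is not from the article: a small stateless ip6tables script with a deny-by-default INPUT policy. It assumes a 2.4-era kernel without IPv6 connection tracking, so replies to connections the host opened itself are admitted by TCP flags rather than by connection state; the sit+ interface pattern and the 3ffe:ffff:100::1/128 administrative host are taken from the article's rules, while run, build_ruleset, rule_count and the DRY_RUN variable are the example's own. With DRY_RUN=1 the script prints the commands it would issue; applying them for real requires root.

```shell
#!/bin/sh
# Added example (not from the original article): a stateless ip6tables ruleset
# built from the article's three rules. DRY_RUN=1 prints the commands instead
# of running them; "apply" as the first argument installs them.

IP6T=${IP6T:-/sbin/ip6tables}
TUN=${TUN:-sit+}                      # interfaces to filter, as in the article
ADMIN=${ADMIN:-3ffe:ffff:100::1/128}  # host allowed to open SSH sessions

# Run one ip6tables command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        "$IP6T" "$@"
    fi
}

build_ruleset() {
    # start from a clean state, then deny by default for what reaches the host
    run -F
    run -X
    run -Z
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # ICMPv6 must pass: neighbour discovery, router advertisements and
    # path MTU discovery all depend on it
    run -A INPUT -i "$TUN" -p icmpv6 -j ACCEPT
    run -A OUTPUT -o "$TUN" -p icmpv6 -j ACCEPT
    # SSH only from the administrative host, and only from unprivileged source ports
    run -A INPUT -i "$TUN" -p tcp -s "$ADMIN" --sport 512:65535 --dport 22 -j ACCEPT
    # replies to connections this host initiated: TCP segments without SYN set
    run -A INPUT -i "$TUN" -p tcp ! --syn -j ACCEPT
    # replies from DNS servers this host queried (UDP is stateless here)
    run -A INPUT -i "$TUN" -p udp --sport 53 --dport 1024:65535 -j ACCEPT
}

# Number of commands the ruleset issues, for a sanity check before applying.
rule_count() {
    (DRY_RUN=1; build_ruleset) | grep -c '^ip6tables '
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  DRY_RUN=1 build_ruleset ;;
esac
```

The "! --syn" rule is the stateless substitute for connection tracking: a new inbound connection always starts with a SYN, so dropping SYN-only segments (the default policy) while accepting everything else lets the host's own outgoing TCP sessions work. It does not stop someone from sending non-SYN segments at closed ports, which is why the DROP policy and the narrow SSH rule stay in place; on a kernel with IPv6 connection tracking, a state match replaces this rule.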
The full name of SSH is Secure Shell. SSH encrypts all transmitted data, so a "man in the middle" attack cannot succeed, and DNS and IP spoofing can also be prevented. A further advantage is that the transmitted data is compressed, so transmission can be faster. SSH has many uses: it can replace Telnet, and it can also provide a secure "channel" for FTP, POP, and even PPP. SSH is bound to port 22; the connection is negotiated using RSA encryption, and once identification is complete all subsequent traffic is encrypted with IDEA. The SSH (Secure Shell) program lets you log in to a remote host over the network and execute commands there. SSH's encrypted tunnel protects only the transmission in transit, so the usual sniffing tools cannot recover the content.
IPv6 network security tools
Nmap is released under the Free Software Foundation's GNU General Public License (GPL) and is developed and maintained by Fyodor.
It can be downloaded free of charge from www.insecure.org/nmap. Nmap is an excellent port scanning tool for single hosts and large networks alike: it is fast, stealthy, and able to bypass firewalls. It supports multiple protocols such as TCP, UDP and ICMP. Nmap also has many performance and reliability features, such as dynamic delay calculation, packet timeouts, parallel port scanning, and host detection through parallel ping6. IPv6 support begins with version 3.10. Download link:
http://gd.tuwien.ac.at/infosys/security/nmap/nmap-3.48.tgz
The nmap installation and compilation process is as follows:
# tar zxvf nmap-3.48.tgz
# cd nmap-3.48
# ./configure; make; make install
Nmap scan types
Nmap's syntax is quite simple: its different options combined with the -s flag form the different scan types. The IPv6 version of nmap supports two scanning methods:
-sT, TCP connect scan, often simply called port scanning.
-sS, TCP SYN scan, often called half-open scanning.
Example of an nmap port scan:
# nmap -6 -sT ::1
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-23 11:55 UTC
All 1657 scanned ports on ::1 are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 20.521 seconds
The scan report shows that nmap scanned 1657 ports and every one of them is closed.
Note: If you intend to use nmap on an IPv6 network, the following experience may help you: ● Avoid misunderstandings. Do not choose the targets of your nmap tests casually. Many organizations treat port scans as malicious behaviour, so it is best to test nmap on your internal network. If necessary, tell your colleagues that you are experimenting with port scanning, because scanning may trigger IDS alerts and other network problems.
● Establish a security baseline. With nmap's help, harden the network: find out which systems and services may be exposed to attack, then build a security baseline from these known systems and services, and check the network against that baseline from then on.
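As an added example (not from the article) of the "security baseline" advice above, this POSIX shell script extracts the open ports from an nmap report and compares them with a saved list of the ports the host is expected to expose, so that a service that appeared since the last audit stands out. The scan report and baseline embedded in it are constructed (the report follows the layout of nmap's normal output, with closed ports summarised on one line); open_ports, compare_baseline and sample_deviations are the example's own names.

```shell
#!/bin/sh
# Added example (not from the original article): compare the open ports in an
# nmap report with a baseline list and report what is new or has disappeared.

# Constructed scan report in the format of nmap's normal output.
SAMPLE_SCAN='Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-23 11:55 UTC
Interesting ports on ::1:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
8080/tcp open  http-proxy'

# Constructed baseline: what this host is expected to expose.
BASELINE='22/tcp 80/tcp'

# Extract "port/proto" for every line nmap reports as open, one per line, sorted.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' | sort
}

# Compare a space-separated baseline with the scan read from stdin: print NEW
# for ports that are open but not in the baseline, GONE for baseline ports
# that are no longer open.
compare_baseline() {
    baseline=$1
    current=$(open_ports | tr '\n' ' ')
    for p in $current; do
        case " $baseline " in
            *" $p "*) ;;
            *) printf 'NEW %s\n' "$p" ;;
        esac
    done
    for p in $baseline; do
        case " $current " in
            *" $p "*) ;;
            *) printf 'GONE %s\n' "$p" ;;
        esac
    done
}

# Number of deviations between the embedded sample and its baseline.
sample_deviations() {
    printf '%s\n' "$SAMPLE_SCAN" | compare_baseline "$BASELINE" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SCAN" | compare_baseline "$BASELINE"
# Real use: nmap -6 -sT host | compare_baseline "$(cat baseline.txt)"
```

On the sample this reports 25/tcp and 8080/tcp as NEW and 80/tcp as GONE. A NEW line is the one to chase first: either the baseline is out of date or a service has been started that nobody accounted for. A GONE line is worth a look too, since a service that silently disappeared may indicate a failed or tampered host.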
To see Linux programs that work on IPv6 networks, visit:
http://www.netcore.fi/pekas/linux/ipv6/ where some IPv6-enabled RPM packages are available.
Table 1: Comparison of IPv4 and IPv6 features in Linux networks

IPv4 | IPv6
--- | ---
The loopback address is 127.0.0.1. | The loopback address is 0000:0000:0000:0000:0000:0000:0000:0001, abbreviated ::1.
Source and destination addresses are 32 bits (4 bytes); IPv4 provides 4,294,967,296 addresses. | Source and destination addresses are 128 bits (16 bytes); IPv6 enlarges the original 32-bit address space to 128 bits, i.e. 2^128 addresses, enough for 6 × 10^23 network addresses per square metre of the earth's surface.
IPsec support is optional. | IPsec support is required.
The IPv4 header gives routers no way to identify the payload for QoS handling. | In the IPv6 header, routers use the Flow Label field to identify the payload for QoS handling.
Both routers and the sending host fragment packets. | Routers do not fragment packets; only the sending host does.
The header includes a checksum. | The header has no checksum.
The header includes options. | All option data is moved into IPv6 extension headers.
The Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve IPv4 addresses to link-layer addresses. | Multicast Neighbor Solicitation messages replace ARP Requests.
Uses the Internet Group Management Protocol (IGMP) to manage local subnet group membership. | Replaces IGMP with Multicast Listener Discovery (MLD) messages.
Uses ICMP Router Discovery (optional) to find the IPv4 address of the best default gateway. | Uses ICMPv6 Router Solicitation and Router Advertisement messages (required) instead of ICMPv4 Router Discovery.
Uses the broadcast address to reach all nodes on the subnet. | Has no broadcast address; uses the link-local all-nodes multicast address instead.
Must be configured manually or with DHCP. | Requires neither manual configuration nor DHCP.
Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses. | Uses host address (AAAA) resource records in the Domain Name System (DNS) to map host names to IPv6 addresses.
Uses pointer (PTR) resource records in the in-addr.arpa DNS domain to map IPv4 addresses to host names. | Uses pointer (PTR) resource records in the ip6.int DNS domain to map IPv6 addresses to host names.