Sheevaplug

From SixXS Wiki

The Sheevaplug is a low-power plug computer that can be handy for running a tunnel and acting as an IPv6 router for your home if your main router does not support IPv6, IPv6 tunnelling or IPv6 firewalling. A Sheevaplug is an easy and cheap way to keep your tunnel up and get an IPv6 router/firewall.

Warning: when installing an IPv6 tunnel on the Sheevaplug, please re-examine your local firewall policy, as rules on the main router can be useless, especially regarding IPv6.

Aiccu

It's possible to configure and run an Aiccu tunnel on a Sheevaplug. Aiccu does not come by default with the Ubuntu distro shipped on the Sheevaplug (Jaunty/9.04), but you can install it later. As aiccu will ask for SixXS tunnel information (username, password), it's suggested to apply for a tunnel and install aiccu once you receive the login details from the SixXS staff. To install, simply follow Aiccu/InstallationOnUbuntu.

Setting ufw

The stock Sheevaplug image comes with ufw, but it's not IPv6-capable by default. You have to follow a few steps to make it work with IPv6. Edit /etc/default/ufw to uncomment and modify

       IPV6=yes

While you are at it, please note (but don't modify yet) the entries:

         #DEFAULT_FORWARD_POLICY="DROP"

and

         IPT_SYSCTL=/etc/ufw/sysctl.conf

You have to save the file, then disable and re-enable ufw for the changes to take effect. Before running the commands below, verify that ufw is properly configured so that you won't lose ssh access when disabling and enabling ufw; otherwise you may have to go through a JTAG session to make the relevant changes and access ssh again.

    $> sudo ufw disable
    $> sudo ufw enable

You can now verify that ufw is working on IPv6 by adding a new rule. Where applicable, the matching IPv6 entry is created automatically. For example, here is the result of allowing the www service:

$ sudo ufw status
Status: active

To                         Action  From
--                         ------  ----
80/tcp                     ALLOW   Anywhere
80/tcp                     ALLOW   Anywhere (v6)

You can now decide which ports will be reachable on the Sheevaplug. The ufw IPv6 input policy should be 'DROP' by default, but it's better to check.

Testing

A quick and dirty IPv6 test on the Sheevaplug can be performed by installing an IPv6-enabled text browser such as elinks, which is readily available in the repositories.

$> sudo apt-get install elinks
$> elinks ipv6.google.com

This should show the IPv6-enabled version of the search engine. If IPv6 is not working, the browser will not be able to reach the site. IPv6-capable services can be tested from an IPv6-capable host outside your LAN that accesses the Sheevaplug via its IPv6 address.

IPv6 Router

The Sheevaplug is quite interesting as an IPv6 router, should your main router be unable to handle IPv6. The setup is quite easy. As before, it's advisable to request a subnet and start configuring with the subnet details handy.

sudo apt-get install radvd

will install but not configure radvd, an IPv6 router advertisement daemon.

sudo nano /etc/radvd.conf

will create a new configuration file. Paste the following content:

interface eth0
{
       AdvSendAdvert on;
       prefix xxxx:xxxx:xxx::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
               AdvRouterAddr on;
       };
};

where xxxx:xxxx:xxx:: is the subnet prefix. The prefix is assigned in the form xxxx:xxxx:xxx::/48, but you have to change the /48 into /64 in radvd.conf. Radvd performs some checks and will not start if some prerequisites are not met. In particular, it checks the sysctl variable:

net.ipv6.conf.all.forwarding

and it wants it to be true. It does not check the interface-specific variable (net.ipv6.conf.eth0.forwarding, for example). To set these flags, especially if you are using ufw, you don't have to configure /etc/sysctl.conf as frequently stated. Even if you do, chances are that ufw changes those values later in the boot. Check /etc/default/ufw and search for

IPT_SYSCTL=/etc/ufw/sysctl.conf

If it's set as shown, you have to put your changes into /etc/ufw/sysctl.conf. Setting net.ipv6.conf.all.forwarding manually in rc.local will not help radvd start (radvd tries to start before rc.local is run, so no luck). An alternative that works (though modifying /etc/ufw/sysctl.conf is advisable) is to use a pre-up instruction in /etc/network/interfaces. Again, you should set net.ipv6.conf.all.forwarding and not net.ipv6.conf.eth0.forwarding or similar. Radvd should start now, and IPv6-enabled clients should be automatically configured to route through the Sheevaplug. One last step is necessary. In /etc/default/ufw set

DEFAULT_FORWARD_POLICY="ACCEPT"

and clients should start using IPv6 right away.


WARNING: this is just for a test. You should write proper ufw rules to secure the network after confirming that the clients are using IPv6 fine.
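
One way to check the three settings discussed above, and to catch a forward policy that was left at ACCEPT after the test, is a small audit function. This is an added example, not part of the original wiki page or of ufw; the function names and the optional ROOT argument (a directory holding a copy of /etc) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the ufw settings this page touches.
# ROOT (first argument) is an assumption of this sketch: it lets the check
# run against a copy of /etc; leave it empty to inspect the live system.

# conf_value FILE KEY: print the last uncommented KEY= value, quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# audit_ufw_ipv6 [ROOT]: print findings, return the number of problems.
audit_ufw_ipv6() {
    root="${1:-}"
    defaults="$root/etc/default/ufw"
    problems=0

    if [ "$(conf_value "$defaults" IPV6)" = "yes" ]; then
        echo "OK:   IPV6=yes is set"
    else
        echo "FAIL: IPV6=yes is not set in $defaults"
        problems=$((problems + 1))
    fi

    # ACCEPT is the page's test setting; it must not stay in place.
    policy=$(conf_value "$defaults" DEFAULT_FORWARD_POLICY)
    case "$policy" in
        ACCEPT) echo "WARN: DEFAULT_FORWARD_POLICY=ACCEPT forwards everything (test only)"
                problems=$((problems + 1)) ;;
        *)      echo "OK:   forward policy is ${policy:-left commented out}" ;;
    esac

    # ufw applies the file named by IPT_SYSCTL; keys may use '/' or '.'.
    sysfile=$(conf_value "$defaults" IPT_SYSCTL)
    fwd=""
    if [ -n "$sysfile" ] && [ -f "$root$sysfile" ]; then
        fwd=$(tr '/' '.' < "$root$sysfile" |
              sed -n 's/^[[:space:]]*net\.ipv6\.conf\.all\.forwarding[[:space:]]*=//p' |
              tail -n 1 | tr -d '[:space:]')
    fi
    if [ "$fwd" = "1" ]; then
        echo "OK:   net.ipv6.conf.all.forwarding=1 in $sysfile"
    else
        echo "FAIL: net.ipv6.conf.all.forwarding=1 not set in ${sysfile:-the IPT_SYSCTL file}"
        problems=$((problems + 1))
    fi
    return "$problems"
}
# Run against the live files with: audit_ufw_ipv6
```

A return value of 0 means IPv6 filtering and forwarding are configured and the forward policy is no longer the test value.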