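#!/bin/bash
#
# Shiran Guez CCIE 20572
#
# Create a 6to4 IPv6 tunnel, allow an easy step into the IPv6 world
#
# Usage: tunnel6 {start|stop|refresh|show}
#   start    derive the 2002::/16 addresses from the public IPv4 address,
#            create the tun6to4 device and its routes, then run "show"
#   stop     remove the tunnel and only the addresses/routes "start" added
#   refresh  stop followed by start (e.g. after the public address changed)
#   show     print the configured addresses and ping TEST_TARGET once
#
# Exit status: 0 on success; 1 on a usage error or when "start" cannot
# determine the local or the public IPv4 address.
#
# should run the script with root or sudo
# curl is needed for External IP address retrieval
#
# Environment:
#   TUNNEL6_TEST_TARGET  IPv6 address pinged by "show"
#                        (default 2a00:1450:400c:c01::69, one of google.com's)
#
# Security notes for the operator:
#  * 6to4 is stateless and unauthenticated: the tunnel is created with
#    "remote any", so the host decapsulates protocol-41 packets from any
#    IPv4 source, and the 2002:xxxx:xxxx::/48 derived below is globally
#    routable.  Apply an IPv6 packet filter before "start" if the host is
#    not meant to be reachable from the IPv6 Internet.
#  * Outbound IPv6 is relayed through the 6to4 anycast relay 192.88.99.1
#    (RFC 3068).  Relays are run by unknown third parties, the traffic is
#    not confidential, and RFC 7526 has deprecated the anycast prefix, so
#    a working relay is not guaranteed.
#  * The public IPv4 address comes from a plain-HTTP lookup service; the
#    reply is validated as a dotted quad before anything is built from it.
#
# GENERAL Note :
#
# The below is an example of a tcpdump output from the test performed by this script, you can see that first we generate an IPv6 packet that is translated and sent to the anycast and answer is recived back from anycast address.
#12:13:29.215403 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2002:5744:2e00::1 > 2a00:1450:400c:c01::69: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
#12:13:29.215417 IP (tos 0x0, ttl 200, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
# 10.0.0.4 > 192.88.99.1: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2002:5744:2e00::1 > 2a00:1450:400c:c01::69: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
#12:13:29.583505 IP (tos 0x80, ttl 245, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
# 192.88.99.1 > 10.0.0.4: IP6 (class 0x80, hlim 55, next-header ICMPv6 (58) payload length: 64) 2a00:1450:400c:c01::69 > 2002:5744:2e00::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
#12:13:29.583505 IP6 (class 0x80, hlim 55, next-header ICMPv6 (58) payload length: 64) 2a00:1450:400c:c01::69 > 2002:5744:2e00::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
#
#
set -u

readonly TUN_DEV="tun6to4"
readonly LAN_DEV="eth0"
readonly RELAY_ANYCAST="192.88.99.1"    # 6to4 relay anycast address (RFC 3068)
readonly EXT_IP_URL="corz.org/ip"        # plain HTTP; reply is untrusted
TEST_TARGET="${TUNNEL6_TEST_TARGET:-2a00:1450:400c:c01::69}"

#######################################
# Print a diagnostic on stderr.
# Arguments: message words
#######################################
_WARN_ () {
  printf 'tunnel6: %s\n' "$*" >&2
}

#######################################
# Check that a string is an IPv4 address in dotted-quad form.
# Arguments: $1 - candidate string
# Returns:   0 if it is four decimal octets in 0-255, 1 otherwise
#######################################
_IS_IPV4_ () {
  local candidate=$1 octet
  local -a octets
  [[ "$candidate" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<< "$candidate"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Derive the 6to4 prefix of an IPv4 address (RFC 3056: 2002::/16 followed
# by the 32-bit address), e.g. 87.68.46.0 -> 2002:5744:2e00.
# Arguments: $1 - IPv4 address in dotted-quad form
# Outputs:   the prefix on stdout, without a trailing "::"
# Returns:   1 if $1 is not a valid IPv4 address
#######################################
_6TO4_PREFIX_ () {
  local -a octets
  _IS_IPV4_ "$1" || return 1
  IFS=. read -r -a octets <<< "$1"
  # 10# forces decimal so that an octet with a leading zero is not read as octal.
  printf '2002:%02x%02x:%02x%02x' \
    "$((10#${octets[0]}))" "$((10#${octets[1]}))" \
    "$((10#${octets[2]}))" "$((10#${octets[3]}))"
}

#######################################
# Print the first global-scope IPv4 address of the host; it becomes the
# IPv4 endpoint of the tunnel.
# Outputs:   dotted quad on stdout; nothing if no such address exists
#######################################
_LOCAL_IPV4_ () {
  # Field 4 of "ip -o addr" is "ADDR/PREFIXLEN".  Only the first address is
  # used: the "ifconfig | grep | awk" chain this replaces printed one line
  # per interface and handed a multi-word value to "ip tunnel add".
  ip -4 -o addr show scope global | awk 'NR == 1 { sub("/.*", "", $4); print $4 }'
}

#######################################
# Look up the public IPv4 address at EXT_IP_URL.
# The reply is untrusted (plain HTTP, third-party service): anything that
# is not exactly a dotted quad is rejected so that it never reaches the
# "ip" command lines that build addresses and routes from it.
# Outputs:   the address on stdout
# Returns:   1 if curl fails or the reply is not an IPv4 address
#######################################
_EXTERNAL_IPV4_ () {
  local reply
  reply=$(curl -fsS --max-time 15 "$EXT_IP_URL") || return 1
  reply=${reply//[[:space:]]/}
  if ! _IS_IPV4_ "$reply"; then
    _WARN_ "unexpected reply from ${EXT_IP_URL}: ${reply:0:64}"
    return 1
  fi
  printf '%s\n' "$reply"
}

#######################################
# Create the 6to4 tunnel and the addresses/routes that go with it.
# Globals:   TUN_DEV, LAN_DEV, RELAY_ANYCAST (read)
# Returns:   1 if the local or the public IPv4 address is unavailable,
#            otherwise the status of _SHOW_
#######################################
_START_6TO4_ () {
  local local_ip ext_ip prefix tun_addr lan_addr lan_prefix

  local_ip=$(_LOCAL_IPV4_)
  if [[ -z "$local_ip" ]]; then
    _WARN_ "no global IPv4 address found to terminate the tunnel on"
    return 1
  fi
  if ! ext_ip=$(_EXTERNAL_IPV4_); then
    _WARN_ "cannot determine the external IPv4 address"
    return 1
  fi
  prefix=$(_6TO4_PREFIX_ "$ext_ip") || return 1

  tun_addr="${prefix}::1/48"      # tunnel endpoint; the whole 2002:xxxx:xxxx::/48 is ours
  lan_prefix="${prefix}:1::/64"   # subnet 1 of that /48, used on eth0
  lan_addr="${prefix}:1::1/64"

  #
  # Create the tunnel.  "remote any" is what makes this 6to4 rather than a
  # point-to-point sit tunnel: the far end is whichever IPv4 host encapsulates.
  ip tunnel add "$TUN_DEV" mode sit ttl 200 remote any local "$local_ip"
  ip link set dev "$TUN_DEV" up
  ip -6 addr add "$tun_addr" dev "$TUN_DEV"
  ip -6 addr add "$lan_addr" dev "$LAN_DEV"
  # NOTE(review): the public address is also put on the tunnel device.  The
  # tcpdump sample in the header shows the host behind NAT (10.0.0.4), so
  # this is presumably what lets the encapsulated packets carry the public
  # address -- confirm before changing it.
  ip -4 addr add "$ext_ip" dev "$TUN_DEV"
  #Comment: RFC 3068
  #Comment: http://www.rfc-editor.org/rfc/rfc3068.txt
  #Comment: This block is used by the multiple, separately operated networks
  #Comment: and often originates from many different Autonomous Systems.
  #Comment: The below add a route redirecting the outgoing traffic to the anycast address.
  #Comment: (RFC 7526 has since deprecated the anycast prefix; see the header notes.)
  ip -6 route add 2000::/3 via "::${RELAY_ANYCAST}" dev "$TUN_DEV" metric 1
  ip -6 route add "$lan_prefix" dev "$LAN_DEV" metric 1
  # Display and test results
  _SHOW_
}

#######################################
# Remove the tunnel and only what "start" added to eth0.
# The earlier version flushed every global-scope IPv6 address and route on
# the host ("ip -6 addr flush scope global"), which also tears down native
# IPv6 connectivity unrelated to this tunnel.  Now the tunnel device goes
# away (its addresses and routes with it) and eth0 loses just its
# 2002::/16 routes and addresses.
# Globals:   TUN_DEV, LAN_DEV (read)
#######################################
_STOP_ALL_ () {
  local addr
  if ip link show dev "$TUN_DEV" >/dev/null 2>&1; then
    ip -6 route flush dev "$TUN_DEV"
    ip link set dev "$TUN_DEV" down
    ip tunnel del "$TUN_DEV"
  else
    _WARN_ "$TUN_DEV does not exist, nothing to remove"
  fi
  # "to root 2002::/16" selects every route inside the 6to4 range, which
  # includes the explicit metric-1 route "start" added for the eth0 /64.
  ip -6 route flush to root 2002::/16 dev "$LAN_DEV"
  while IFS= read -r addr; do
    [[ -n "$addr" ]] && ip -6 addr del "$addr" dev "$LAN_DEV"
  done < <(ip -6 -o addr show dev "$LAN_DEV" scope global | awk '$4 ~ /^2002:/ { print $4 }')
}

#######################################
# Rebuild the tunnel, e.g. after the public IPv4 address changed.
# Returns:   status of _START_6TO4_
#######################################
_REFRESH_TUNNEL_ () {
  _STOP_ALL_
  _START_6TO4_
}

#######################################
# Print the configured addresses and the result of one ping to TEST_TARGET.
# Globals:   TUN_DEV, LAN_DEV, TEST_TARGET (read)
# Outputs:   a short report on stdout
#######################################
_SHOW_ () {
  local lan_addrs tun_addrs result
  # Field 4 of "ip -o addr" is the address with prefix length; join them on one line.
  lan_addrs=$(ip -6 -o addr show dev "$LAN_DEV" scope global 2>/dev/null | awk '{ printf "%s ", $4 }')
  tun_addrs=$(ip -6 -o addr show dev "$TUN_DEV" scope global 2>/dev/null | awk '{ printf "%s ", $4 }')
  echo " =============== 6to4 Dynamic Tunnel ===================="
  echo " ETH0 IPV6 ADDR : ${lan_addrs% }"
  echo " TUNNEL IPV6 ADDR : ${tun_addrs% }"
  echo " Testing Connectivity please wait..."
  # TEST IS PERFORMED TO ONE OF GOOGLE.COM IPV6 ADDR 2a00:1450:400c:c01::69 (unless
  # overridden); one echo request, bounded to 5 s so "show" cannot hang on a dead relay.
  if ping6 -c 1 -W 5 "$TEST_TARGET" >/dev/null 2>&1; then
    result="SUCCESS"
  else
    result="FAILED TO CONNECT"
  fi
  echo " TEST RESULT : $result"
}

#######################################
# Command dispatcher.
# Arguments: $1 - start | stop | refresh | show
# Returns:   the action's status; 1 with a usage message for anything else
#######################################
main () {
  case "${1-}" in
    start)   _START_6TO4_ ;;
    stop)    _STOP_ALL_ ;;
    show)    _SHOW_ ;;
    refresh) _REFRESH_TUNNEL_ ;;
    *)
      echo "Usage: tunnel6 {start|stop|refresh|show}" >&2
      return 1
      ;;
  esac
}

main "$@"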
Sunday, June 19, 2011
IPv6 6to4 Tunnel using Linux
Wednesday, November 03, 2010
IPIP tunnel creator via bash
#!/bin/bash
#
# Tunnel ipip Automation
# Creator: Shiran Guez
#
# Interactive helper: prompts for the local interface, the remote endpoint
# and the tunnel addresses, then creates (or removes) an IPIP tunnel named
# "ipiptun" with iproute2.  Needs the ipip kernel module and root rights.
#
# Defaults; the prompts in _CREATE_ fill these in.
TUN_ETH='eth0'        # local interface the tunnel is bound to
IP_DEST_EXT=''        # remote IPv4 endpoint of the tunnel
TUNNEL_IP_SRC=''      # IPv4 address given to the tunnel interface
TUNNEL_IP_DST=''      # peer address on the tunnel
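#######################################
# Check that a string is an IPv4 address in dotted-quad form.
# Arguments: $1 - candidate string
# Returns:   0 for four decimal octets in 0-255, 1 otherwise
#######################################
_VALID_IPV4_ () {
  local octet
  local -a octets
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<< "$1"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Interactively collect the tunnel parameters and create the "ipiptun"
# IPIP tunnel.
# Globals:   TUN_ETH, IP_DEST_EXT, TUNNEL_IP_SRC, TUNNEL_IP_DST,
#            TUNNEL_IP_DST_MASK (written)
# Inputs:    interface name, remote endpoint, tunnel IP, peer IP and peer
#            prefix length, read from stdin with confirmation prompts
# Outputs:   prompts on stdout, errors on stderr
# Returns:   1 on end of input, when no IPv4 address is found on the chosen
#            interface, or when "ip tunnel add" / "ip addr add" fails;
#            otherwise the status of bringing the tunnel up
#######################################
_CREATE_ () {
  local comm_eth localip answer

  echo "Please enter the name of your local interface [eth0 is default]: "
  echo "[ To Skip enter >>>skip<<< ]"
  while :; do
    # "|| return 1": on EOF the old loop re-prompted forever.
    read -r comm_eth || return 1
    if [[ "$comm_eth" == "skip" || "$comm_eth" == "eth0" ]]; then
      break    # keep the default TUN_ETH
    elif ifconfig "$comm_eth" >/dev/null 2>&1; then
      TUN_ETH="$comm_eth"
      break
    else
      echo "You have entered a wrong ethernet interface"
      echo "Please try again: "
    fi
  done

  # First IPv4 address on the interface ("ip -o addr" field 4 is ADDR/LEN);
  # the "ifconfig | grep Bcast" chain it replaces only understood the old
  # net-tools output format and silently produced an empty value otherwise.
  localip=$(ip -4 -o addr show dev "$TUN_ETH" scope global | awk 'NR == 1 { sub("/.*", "", $4); print $4 }')
  if [[ -z "$localip" ]]; then
    echo "No IPv4 address found on $TUN_ETH" >&2
    return 1
  fi

  echo "Please enter the destination IP for the tunnel: "
  while :; do
    read -r IP_DEST_EXT || return 1
    # Reject anything that is not a dotted quad before it reaches "ip tunnel add".
    if ! _VALID_IPV4_ "$IP_DEST_EXT"; then
      echo "$IP_DEST_EXT is not a valid IPv4 address"
      echo "Please enter destination again:"
      continue
    fi
    echo "Are you sure $IP_DEST_EXT is a valid IP [Y]:"
    read -r answer || return 1
    if [[ "$answer" == [Yy] ]]; then
      break
    fi
    echo "Please enter destination again:"
  done

  echo "Please enter tunnel IP and Peer Address: "
  while :; do
    echo "IP : "
    read -r TUNNEL_IP_SRC || return 1
    echo "Peer : "
    read -r TUNNEL_IP_DST || return 1
    echo "Peer subnet mask [ /16 , /24 ...]: "
    read -r TUNNEL_IP_DST_MASK || return 1
    # The prompt suggests "/24"; drop the slash so the peer does not become "a.b.c.d//24".
    TUNNEL_IP_DST_MASK=${TUNNEL_IP_DST_MASK#/}
    if ! _VALID_IPV4_ "$TUNNEL_IP_SRC" || ! _VALID_IPV4_ "$TUNNEL_IP_DST" \
        || [[ ! "$TUNNEL_IP_DST_MASK" =~ ^[0-9]{1,2}$ ]] || (( 10#$TUNNEL_IP_DST_MASK > 32 )); then
      echo "Please enter valid IPv4 addresses and a prefix length between 0 and 32"
      echo "Please enter again:"
      continue
    fi
    echo "Tunnel IP will be $TUNNEL_IP_SRC and its peer address will be $TUNNEL_IP_DST using subnet mask $TUNNEL_IP_DST_MASK"
    echo "Please confirm [Y]:"
    read -r answer || return 1
    if [[ "$answer" == [Yy] ]]; then
      break
    fi
    echo "Please enter again:"
  done

  ip tunnel add ipiptun mode ipip local "$localip" remote "$IP_DEST_EXT" ttl 64 dev "$TUN_ETH" || return 1
  ip addr add dev ipiptun "$TUNNEL_IP_SRC" peer "${TUNNEL_IP_DST}/${TUNNEL_IP_DST_MASK}" || return 1
  ip link set dev ipiptun up
}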
70:
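#######################################
# Remove the "ipiptun" tunnel if it exists.
# The earlier version only ran "ifconfig ipiptun down", which leaves the
# tunnel device in place (so a later _CREATE_ under the same name is
# likely to be refused) and matched any "ip addr" line merely containing
# "ipiptun"; this checks the exact device and deletes it.
# Outputs:   one status line on stdout
# Returns:   status of "ip tunnel del"; 0 when there was nothing to remove
#######################################
_DESTROY_ () {
  if ip link show dev ipiptun >/dev/null 2>&1; then
    ip link set dev ipiptun down
    ip tunnel del ipiptun && echo "Tunnel was removed"
  else
    echo "No Tunnel to remove"
  fi
}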
80:
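#######################################
# Entry point: require the ipip module, then ask which action to run.
# Exit status: 1 if the module is missing or input ends before a valid
# choice (the old loop re-prompted forever on EOF), otherwise the status
# of _CREATE_ / _DESTROY_.
#######################################
main () {
  local selection rc=0
  # Match the module name in lsmod's first column; a plain "grep ipip"
  # also matched any other line that merely contained the substring.
  if ! lsmod 2>/dev/null | awk '$1 == "ipip" { found = 1 } END { exit !found }'; then
    echo "ipip module is not loaded try to first load the ipip module and then run the tool again, Thank you!"
    return 1
  fi
  while :; do
    echo "Please enter 1 to create or 2 for removing a tunnel"
    read -r selection || return 1
    case "$selection" in
      1) _CREATE_; rc=$?; break ;;
      2) _DESTROY_; rc=$?; break ;;
      *) echo "Please enter 1 or 2" ;;
    esac
  done
  return "$rc"
}

main "$@"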
Tuesday, September 07, 2010
eBgp-Multihop vs. ttl-security
Today I have answered one of the Cisco CCIE groupstudy questions on the relation between the two features.
To understand the relation, let's first explore each feature's job and purpose in life:
eBGP-multihop – as with IGPs, the default TTL for packets is 1, which ensures delivery only to a directly connected network node. Unlike IGPs, however, eBGP is often (in real networks) established via a loopback interface, and a packet sourced from the loopback leaves the router through its next-hop interface, which breaks the communication: 1 - 1 = 0, and a TTL of 0 means the packet can't be delivered to its destination. So
what to do?!
increase TTL (is the answer :-))
using eBGP-multihop simply indicates what TTL should be set on the packet to ensure delivery to the desired network.
ttl-security – so we now understand that eBGP-multihop affects packets going out of our system by manipulating their TTL.
How do I prevent a neighbor 10 hops away from peering with me?!
you set the ttl-security.
Now you will say: if you didn't want him as a neighbor, do not set him up on your side, and that would also be fine. But let's say you have a neighbor relation with 2 routers, each 3 hops away (normally); now one router experiences a link failure that changes its route to reach you, so it is now 5 hops away, while your policy is to maintain neighbor relations only with routers no more than 3 hops away.
But again you would say: so set eBGP-multihop to 3 (or 4 if using the loopback), and you would again be correct.
So why ttl-security? Mainly, it is to prevent DoS attacks! Unlike eBGP-multihop, which only raises the TTL of outgoing packets, ttl-security checks the TTL of incoming packets; since a TTL can only decrease in transit, a remote attacker cannot forge a packet that arrives with a TTL higher than the configured hop count allows, so spoofed sessions or floods from far away are discarded before BGP processes them.
Hope this helped in some way to understand the difference and each feature's job in life.