2017
01.08

This one is for when your ISP/datacentre decides to give you a /64 (or whatever) on your uplink and relies on NDP to reach the addresses, rather than just handing you a routed IPv6 block.

That's a right pain in the backside if you want to use it on the other side of your (virtual?) firewall or for a VPN.

It may not be the best way to do it, but it worked for me; as usual, following the below is at your own risk, yada yada.

The container I used is CentOS 7; this is made possible by ndppd ( https://github.com/DanielAdolfsson/ndppd ).

This assumes the device you want to route an IPv6 subnet to is already connected to the network and can communicate with the machine running the NDP proxy.


  • Create a VM/container for the router. In my case I used 2 network interfaces: eth0, bridged to a private network on the inside of a virtual firewall (it was OPNsense, not that that really matters), because I wanted the machine to have IPv4 but it didn't need a routable IP; NAT was fine (it's an IPv6 router, not v4; the v4 was just for management, updates etc.). The second interface is then bridged to the uplink.
  • Install a basic Linux system. I used CentOS 7 and the steps posted here assume this, but there isn't really a reason it can't be another distro as long as the libs are available.
  • Assign an IPv6 address on the external interface.
  • Install development tools ( yum groupinstall "Development Tools" )
  • Install git ( yum install git )
  • Install some dependencies ( yum install glib2-devel libnl3-devel )
  • Clone the ndppd repo ( git clone https://github.com/DanielAdolfsson/ndppd.git )
  • Change into the ndppd dir ( cd ndppd )
  • Compile and install ndppd ( make && make install )
  • Copy the sample config ( cp ndppd.conf-dist /etc/ndppd.conf )


Now you need to edit the sample config (edit /etc/ndppd.conf in your favourite text editor).

Find the line that starts proxy eth0 {

and change it to proxy XXXX {   (XXXX is the name of the interface that needs to answer the neighbour solicitations, i.e. the one connected to the upstream ISP/provider).

Then find the line that states rule 1111:: { and replace 1111:: with the subnet you want to proxy, for instance 2001:xxxx:xxxx:xxxx/72 (use a subnet calculator to see what you can divide your ISP-allocated block into).

If the device you want to route to doesn't answer neighbour solicitations itself (my VPN server doesn't) then you need to change auto to static.

Here's my config as an example.

# route-ttl <integer> (NEW)
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route.
# Default value is '30000' (30 seconds).

route-ttl 30000

# proxy <interface>
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules (see below).
# <interface> is required. You may have several 'proxy' sections.

proxy net1 {

    # router <yes|no|true|false>
    # This option turns on or off the router flag for Neighbor Advertisement
    # messages. Default value is 'true'.

    router yes

    # timeout <integer>
    # Controls how long to wait for a Neighbor Advertisement message before
    # invalidating the entry, in milliseconds. Default value is '500'.

    timeout 500

    # ttl <integer>
    # Controls how long a valid or invalid entry remains in the cache, in
    # milliseconds. Default value is '30000' (30 seconds).

    ttl 30000

    # rule <ip>[/<mask>]
    # This is a rule that the target address is to match against. If no netmask
    # is provided, /128 is assumed. You may have several rule sections, and the
    # addresses may or may not overlap.

    rule 2001:xxxx:xxxx:xx:xxxx::/72 {
        # Only one of 'static', 'auto' and 'interface' may be specified. Please
        # read 'ndppd.conf' manpage for details about the methods below.

        # 'auto' should work in most cases.

        # static (NEW)
        # 'ndppd' will immediately answer any Neighbor Solicitation Messages
        # (if they match the IP rule).

        # iface <interface>
        # 'ndppd' will forward the Neighbor Solicitation Message through the
        # specified interface - and only respond if a matching Neighbor
        # Advertisement Message is received.

        # auto (NEW)
        # Same as above, but instead of manually specifying the outgoing
        # interface, 'ndppd' will check for a matching route in /proc/net/ipv6_route.

        static

        # Note that before version 0.2.2 of 'ndppd', if you didn't choose a
        # method, it defaulted to 'static'. For compatibility reasons we choose
        # to keep this behavior - for now (it may be removed in a future version).
    }
}
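As an added example (mine, not from the post or from ndppd itself), here is a small Python script that does the two fiddly bits of the config edit above: it checks that the prefix you put in the rule actually sits inside the block the ISP put on your uplink (the bit the post suggests a subnet calculator for) and writes out the resulting ndppd.conf with static or auto chosen for you. The interface name, block and prefix are constructed sample values; the rendered keys and their meanings are the ones from the sample config.

```python
"""Write an ndppd.conf for a sub-prefix of the ISP's on-link /64 (added example).

Assumptions, matching the post: one uplink interface on which the ISP expects
NDP answers, and a sub-prefix of the ISP block that lives behind this box.
"""
from __future__ import annotations

import ipaddress

# Constructed sample values (documentation prefix, not a real allocation).
UPLINK_IFACE = "net1"
ISP_BLOCK = "2001:db8:1:2::/64"          # what the ISP put on the uplink
ROUTED_PREFIX = "2001:db8:1:2:8000::/72"  # the part we send behind the router
TARGET_ANSWERS_NS = False                # the post's VPN server does not


def check_prefixes(isp_block: str, routed_prefix: str) -> ipaddress.IPv6Network:
    """Refuse rules the upstream router would never solicit for.

    The upstream side only sends Neighbor Solicitations for the on-link block,
    so a rule outside it is dead weight, and with 'static' ndppd would answer
    for addresses that are not ours. A rule equal to the whole block would
    collide with the uplink's own on-link route once the /72 route is added.
    """
    block = ipaddress.ip_network(isp_block, strict=True)
    routed = ipaddress.ip_network(routed_prefix, strict=True)
    if block.version != 6 or routed.version != 6:
        raise ValueError("both prefixes must be IPv6")
    if not routed.subnet_of(block):
        raise ValueError(f"{routed} is not inside the on-link block {block}")
    if routed.prefixlen == block.prefixlen:
        raise ValueError("the rule must be more specific than the on-link block")
    return routed


def render_ndppd_conf(iface: str, routed: ipaddress.IPv6Network,
                      target_answers_ns: bool, route_ttl_ms: int = 30000) -> str:
    """Render the minimal config the post ends up with.

    'auto' forwards the solicitation along the kernel route and only answers
    if the real host replies; 'static' answers unconditionally, which is what
    you need when the target never replies (the post's VPN server).
    """
    method = "auto" if target_answers_ns else "static"
    return (
        f"route-ttl {route_ttl_ms}\n"
        f"proxy {iface} {{\n"
        f"    router yes\n"
        f"    timeout 500\n"
        f"    ttl 30000\n"
        f"    rule {routed.with_prefixlen} {{\n"
        f"        {method}\n"
        f"    }}\n"
        f"}}\n"
    )


def build_config(iface: str, isp_block: str, routed_prefix: str,
                 target_answers_ns: bool) -> str:
    """Validate the prefixes and return the finished ndppd.conf text."""
    return render_ndppd_conf(iface, check_prefixes(isp_block, routed_prefix),
                             target_answers_ns)


if __name__ == "__main__":
    # redirect the output into /etc/ndppd.conf on the router
    print(build_config(UPLINK_IFACE, ISP_BLOCK, ROUTED_PREFIX, TARGET_ANSWERS_NS), end="")
```

Run it and redirect the output into /etc/ndppd.conf. A rule outside the on-link block is refused because the upstream router will never send a solicitation for it and, with static, ndppd would happily answer for addresses that aren't yours; a rule equal to the whole block is refused because the /72 route you add later would fight the uplink's own on-link route.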

Next we'll probably want some firewall rules (it's more to protect the admin interface than anything; this example allows access from private IPs in 2 rather large ranges).

I call a script, /etc/firewall.script:

# IPv4: management only, eth0 sits NATed behind the virtual firewall
/usr/sbin/iptables -F
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 10.0.0.0/8 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/16 -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
#ipv6
# nothing on the inside (eth0) gets to talk IPv6 to this box; ICMPv6 is
# accepted on the remaining (uplink) interface because NDP, and so ndppd, need it
/usr/sbin/ip6tables -F
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -i eth0 -j DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT


Now we need to enable IPv6 forwarding and add the routes. As a quick and dirty hack I used /etc/rc.local; the sleep command was because it was firing too quickly and the route wasn't getting added.


# firewall first, then give the interfaces time to come up
bash /etc/firewall.script
/usr/bin/sleep 15
# send the proxied /72 towards the device on the inside
/usr/sbin/ip -6 route add 2001:xxx:xxxx:xx:xxxx::/72 via 2001:xxxx:xxxx:yy::2
sysctl -w net.ipv6.conf.all.forwarding=1
# start ndppd in the background
/usr/local/sbin/ndppd -d

On the other device that you want to route to, add this machine's IPv6 as the default gateway and it routes (hopefully).


2016
09.19

Draytek Vigornic 132

So I managed to get my hands on a VigorNIC 132, which is a DrayTek VDSL modem/router on a PCI-E card; here's what I know about it thus far.

  • Its ethernet chip appears to be a Realtek and shows as

Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

in lspci. I believe it's a Rev15 but I'm not 100% sure, as I have 3 other NICs in that machine which happen to have the same chipset and show up as Rev2/Rev15.

  • It shows up as r8169 in dmesg.
  • It runs DHCP and a webserver out of the box; the QSG that came with mine says it's 192.168.1.1 but it was actually on 192.168.2.1, which caused me some "fun" trying to set it up as I'd set a static IP in the 192.168.1.xxx range originally.
  • The early firmwares seem somewhat buggy; for instance I had to upgrade to 3.7.9.2 to enable bridge mode on VDSL2. I suspect this breaks its routing support, as per the following entry in the changelog:
*******************************************************************************

    Release Notes for VigorNIC 132
    Firmware Version    : 3.7.9.2 (formal release)
    Release Date        : 13th September 2016
    Firmware Build      : 9th August 2016
    Applicable Models   : VigorNIC 132
    ADSL Firmware       : VDSL: 576D17_A ADSL: 572801_A
    Locale              : UK & Ireland Only

********************************************************************************
For more UK product details & specification, please visit www.draytek.co.uk

[New Features]
1.	WAN1 now supports PPPoE Pass-Through and Bridge Mode 

[Improvements] 
1.	Resolved an issue with DDNS configuration

[Known Issues]
1.	VigorNIC 132 always operates in bridge mode. Support for NAT / 
routing features in the web interface will be added in next firmware release.

[Notes]
- See http://www.draytek.co.uk/support/product-knowledgebase for 
VigorNIC 132 setup examples.
  • It's an Infineon DSL chip; it seems to sync a couple of Mbit/s slower on the Broadcom DSLAM my line is connected to compared to the Huawei (Broadcom) modem I was using previously.
  • A web/telnet-based CLI is available. I haven't really poked around it much other than the commands to get the DSL stats (vdsl status, vdsl vendorid cpe, vdsl vendorid co, vdsl showbins).

So it seems like it will be an OK piece of kit, although at the moment, unless you want to use it in bridge mode, you might want to wait until they sort the firmware out.


Update:

3.9.7.3 is available at http://www.draytek.com/en/download/firmware/vigornic-132-series/ and fixes the router/bridge mode problem (I think).


2016
08.19

IPv6 proxmox OVH

More to remind me than anything else…

With the help of https://forum.ovh.co.uk/showthread.php?5844-IPv6-with-Proxy-ARP

Since OVH do not yet support IPv6 on Vrack (GRR!) you have to use the server's /64, but the way they allocate it is horrible (sorry guys, but it really *IS* horrible).

This assumes your server already has working IPv6 (if Proxmox 4.x was installed by the OVH build system it probably does). It also assumes your virtual machines aren't directly on the WAN interface using their virtual MAC/failover IP system (which, if you use Vrack, they probably aren't).

Step 1: Change the subnet mask/prefix length on the WAN (public) interface to /128 (it will still work because of the way OVH do routing).

Step 2: Add an IP to the INTERNAL bridge (assuming your VMs are behind a firewall/on an internal bridge), e.g. xxxx:xxxx:xxxx:xxxx::2/64.

Step 3: Configure IPs on the VMs, e.g. xxxx:xxxx:xxxx:xxxx::3, and set their gateway to the IP you set on the internal bridge (e.g. ::2).

Step 4: Add the following to /etc/rc.local:


echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 neigh add proxy xxxx:xxxx:xxx:xxxx::3 dev vmbr0

Step 5: Check the VM now has IPv6 connectivity.
Step 6: Enable a firewall and configure appropriately.

Step 7: Repeat 3-6 for each additional VM (with a new IPv6 address, obviously). You only need the neigh add proxy line for the additional IPs, since you've already enabled forwarding in the first 2 lines.

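Added example (mine, not from the post or the OVH forum thread): a Python helper for the step 7 loop that works out which `ip -6 neigh add proxy` lines are still missing, taking the text of `ip -6 neigh show proxy` as input so it runs offline. It also refuses VM addresses outside the host's /64 and lists entries that no longer belong to any VM, since a stale proxy entry keeps the host answering solicitations for an address nothing is using. The /64, bridge name, VM list and table output are constructed sample values.

```python
"""Reconcile the kernel NDP proxy table with the VM list (added example).

Assumes the post's layout: OVH routes the /64 to the host's WAN address, VMs sit
on vmbr0 behind the host, and each VM needs one `ip -6 neigh add proxy` entry.
The current table is passed in as text so the script runs offline; on the host
you would fill it from `ip -6 neigh show proxy` via subprocess.
"""
from __future__ import annotations

import ipaddress

# Constructed sample values: documentation prefix standing in for the OVH /64.
HOST_BLOCK = "2001:db8:abcd:1::/64"
INTERNAL_BRIDGE = "vmbr0"
WANTED_VMS = ["2001:db8:abcd:1::3", "2001:db8:abcd:1::5", "2001:db8:abcd:1::6"]

# Constructed sample of `ip -6 neigh show proxy` output: ::3 is still a VM,
# ::4 was removed some time ago but its proxy entry is still there.
EXISTING_PROXY_TABLE = """\
2001:db8:abcd:1::3 dev vmbr0 proxy
2001:db8:abcd:1::4 dev vmbr0 proxy
"""


def parse_proxy_table(text: str, dev: str) -> set:
    """Addresses currently proxied on `dev`, from `ip -6 neigh show proxy` text."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "dev" and parts[2] == dev and parts[-1] == "proxy":
            found.add(ipaddress.IPv6Address(parts[0]))
    return found


def plan_proxy_entries(block: str, wanted: list, existing_table: str, dev: str) -> tuple:
    """Return (commands to add, commands to delete) to make the table match `wanted`.

    Addresses outside the host's /64 are refused: the upstream router only
    solicits for that block, so such an entry can never attract the VM's
    traffic, and it would have the host answering for an address that is not
    ours. Entries for addresses no VM uses any more are flagged for deletion,
    because the host keeps answering solicitations for them otherwise.
    """
    net = ipaddress.ip_network(block, strict=True)
    wanted_set = set()
    for addr_s in wanted:
        addr = ipaddress.IPv6Address(addr_s)
        if addr not in net:
            raise ValueError(f"{addr} is outside the routed block {net}")
        wanted_set.add(addr)
    existing = parse_proxy_table(existing_table, dev)
    add = [f"ip -6 neigh add proxy {a} dev {dev}" for a in sorted(wanted_set - existing)]
    delete = [f"ip -6 neigh del proxy {a} dev {dev}" for a in sorted(existing - wanted_set)]
    return add, delete


if __name__ == "__main__":
    # The two sysctl lines from step 4 (proxy_ndp and forwarding) still go first.
    add, delete = plan_proxy_entries(HOST_BLOCK, WANTED_VMS, EXISTING_PROXY_TABLE, INTERNAL_BRIDGE)
    print("\n".join(add + delete))
```

The output is the list of commands to append to (or run instead of) the per-VM lines in rc.local; the two sysctl lines from step 4 are unchanged and still need to run before any of them.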

2016
08.09

If you run BitLocker and have it set to prompt for a password, and find that the system powers off before you can enter the password, then do the following.

From an elevated (admin) command prompt:


bcdedit /set {bootmgr} bootshutdowndisabled 1

This should prevent it from happening again… although it may need to be re-applied after Windows 10 installs a new build.

Thanks to stateofloveandtrust for posting the solution on the TechNet forum: https://social.technet.microsoft.com/Forums/windows/en-US/932630c2-ae3d-4cbd-8d79-a492806363ea/windows-81-bitlocker-automatic-shutdown-during-password-prompt?forum=w8itproinstall


2016
07.22

Going Static.

Most of the Site content is now pre-generated by wordpress and served as a static site.

Comments are now done via disqus as I didn’t really want to leave wordpress itself reachable…

I did try Hugo but I prefer WP.

Edit: Removed the RSS links, given that it seems to be broken on the static version of the site anyway.

2016
07.03

Mobile Layout

Looks like some desktop browsers were loading the mobile layout.
I've removed that layout/plugin as I didn't really like it anyway.

2016
06.08

https://www.openrightsgroup.org/ – Consider joining or making a donation to give these people the funding they need to fight the absolutely bat shit crazy ‪#‎ipbill‬

Usually I don't tend to go for these sorts of things, but the #ipbill is one of the biggest threats to the internet age: it proposes to undermine privacy, weaken security and will lead to vast databases (no doubt poorly secured ones at that) of information that will be actively targeted for theft by criminal organisations.

If anyone's ever played the Ubisoft game Watchdogs then, quite frankly, that's pretty much where the UK government is trying to send us in terms of mass surveillance.

To be clear here, I'm not against targeted surveillance of individuals that the security services have reasonable suspicion are going to commit some horrendous act; what I do object to is the bulk interception of everyone's data en masse just in case there might be something interesting in there. It's also debatable whether this is actually effective for the purposes it's being proposed for, or whether it would just cause the security services to drown in a sea of data.

2016
04.19

The problem with Docker is that it opens up ports in the firewall to the world. That's fine if you want the app running in the container available to world + dog, but in my case I didn't; also, this is on a hosted box elsewhere that sadly isn't in front of a dedicated firewall. In fact a dedicated firewall would probably cost more than the entire server itself, as it was a very cheap server.


Because it's running on a very low-end box I couldn't even run a KVM hypervisor and put a firewall in front of the Docker host that way (which is my preferred option if running on a dedi with no hardware f/w in front).

I could have disabled Docker's tampering with iptables, but it's handy to have it do the NAT stuff automatically; instead this is a horrible hack that will inject a new FORWARD rule above the Docker rules after a restart.

This assumes a few things: that you are using systemd, that FirewallD is disabled and that the internet uplink is eth0.

You will also need the iptables-persistent package installed.


I don't claim this to be a secure setup, but it should be a bit more secure than the default. I'd be wary of trusting it for anything with access to sensitive data; ideally you'd want an external firewall in front of the Docker host if you plan to allow Docker to have its way with the machine's own firewall.

Below is a slightly modified version of my /etc/iptables/rules.v4. Currently I'm only allowing access from certain IPs, although I expect to expand this later; it was a basic ruleset for testing.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i docker0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s <My IP 1> -j ACCEPT
-A INPUT -s <My IP 2> -j ACCEPT
-N DOCKER-SEC
-A DOCKER-SEC -s <My IP 1> -j RETURN
-A DOCKER-SEC -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-SEC -s <My IP 2> -j RETURN
-A DOCKER-SEC -i eth0 -j DROP
-A DOCKER-SEC -j RETURN
COMMIT

What this does is set up an iptables ruleset that allows my IPs access to the server and drops everything else; it also creates a DOCKER-SEC chain that filters traffic from the internet into the Docker containers…

Then I created the following unit file, /lib/systemd/system/docker-firewall-mod.service:

[Unit]
Description=fix for docker opening the firewall to world and dog
# ordering belongs in [Unit]: start only once docker.service is up
After=docker.service

[Service]
# systemd runs this directly (no shell), so no trailing '&'
ExecStart=/scripts/fix-firewall.sh

[Install]
WantedBy=multi-user.target

The content of /scripts/fix-firewall.sh (hey, I did say it was a horrible hack job):

#!/bin/bash
# A post-docker-start script to inject a new rule to stop docker messing up the
# firewall. I'd disable docker's firewall mod support but I kinda want it to
# make the NAT rules.
# Ideally this should be done during the iptables load, but then this rule ends
# up below the docker-created rules and everything is wide open, arrg.

# Begin injection: wait for docker to finish writing its rules, then put the
# DOCKER-SEC jump in front of them
sleep 30
/sbin/iptables -I FORWARD 1 -o docker0 -j DOCKER-SEC

P.S. I've actually cleaned up those comments in the description for the service and the comments in the script; the original wasn't quite so polite about it 😉

Also note that there will be a brief window before this gets injected during which containers will be exposed to the world.

Also using

iptables-restore < /etc/iptables/rules.v4

to add rules will remove the Docker rules from the firewall, which seems to require a restart of Docker to fix.
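Added example (mine, not from the post): a Python check for the ordering problem the post describes. It parses the text of `iptables -S FORWARD` (constructed samples here; feed it the real output) and reports whether the DOCKER-SEC jump comes before Docker's own `-j DOCKER` jump, which is the only position in which it does anything. It is worth running after boot, after an `iptables-restore` and after a Docker restart, the three moments the post says the order can be lost. Newer Docker releases (17.06 and later) provide a DOCKER-USER chain that the daemon jumps to before its own FORWARD rules and does not flush, which is the supported place for this kind of filtering; the check is still useful for confirming the order on any version.

```python
"""Check that the DOCKER-SEC guard sits in front of Docker's FORWARD rules (added example).

Input is the text of `iptables -S FORWARD`; the samples below are constructed
to show the two states the post talks about, not captured from a real host.
"""
from __future__ import annotations

GUARD_CHAIN = "DOCKER-SEC"
DOCKER_CHAINS = {"DOCKER", "DOCKER-ISOLATION"}   # chains Docker itself manages

# Constructed sample: the state once the hack has run and the guard is first.
FORWARD_OK = """\
-P FORWARD DROP
-A FORWARD -o docker0 -j DOCKER-SEC
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""

# Constructed sample: Docker re-inserted its rules at the top, so the guard
# is now evaluated after the DOCKER chain has already accepted the traffic.
FORWARD_BAD = """\
-P FORWARD DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER-SEC
"""


def jump_target(rule: str) -> str | None:
    """Return the chain or target a rule jumps to (`-j X`), or None."""
    parts = rule.split()
    for i, tok in enumerate(parts[:-1]):
        if tok == "-j":
            return parts[i + 1]
    return None


def guard_position(forward_dump: str, guard: str = GUARD_CHAIN) -> tuple:
    """(position of the first guard jump, position of the first Docker jump).

    Positions are 1-based within the FORWARD chain, as `iptables -I FORWARD N`
    counts them; None means the jump is absent.
    """
    guard_pos = docker_pos = None
    pos = 0
    for line in forward_dump.splitlines():
        if not line.startswith("-A FORWARD"):
            continue                      # policy line or noise, not a rule
        pos += 1
        target = jump_target(line)
        if target == guard and guard_pos is None:
            guard_pos = pos
        elif target in DOCKER_CHAINS and docker_pos is None:
            docker_pos = pos
    return guard_pos, docker_pos


def guard_is_effective(forward_dump: str, guard: str = GUARD_CHAIN) -> bool:
    """True only if the guard exists and runs before Docker's first jump."""
    guard_pos, docker_pos = guard_position(forward_dump, guard)
    if guard_pos is None:
        return False                      # missing, e.g. after iptables-restore
    return docker_pos is None or guard_pos < docker_pos


if __name__ == "__main__":
    for label, dump in (("after hack", FORWARD_OK), ("after docker restart", FORWARD_BAD)):
        print(f"{label}: guard/docker at {guard_position(dump)} ->",
              "ok" if guard_is_effective(dump) else "EXPOSED")
```

On a live host, replace the sample text with the output of `subprocess.run(["iptables", "-S", "FORWARD"], capture_output=True, text=True).stdout` and alert (or re-run the injection) whenever `guard_is_effective` returns False.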

2016
04.01

pam_tally2

pam_tally2 is an account-locking module for Unix that will lock out an account after too many failed logins. You can use programs like fail2ban/csf to block the IP if it's a remote service and it's supported, but there are cases where you may just wish to lock out that user instead (e.g. if you know the IP is shared, or as part of a multi-layered approach).


http://ubuntuforums.org/showthread.php?t=2295409&page=2 — The post by Bembot is mostly correct, other than the typo: it's pam_tally2.so, not pal_tally2.

I also adjusted the timeout and got rid of magicroot.

/etc/pam.d/common-auth

auth required pam_tally2.so deny=3 unlock_time=xxxx

/etc/pam.d/common-account

account required pam_tally2.so deny=3 unlock_time=xxxx

Replace 3 with the desired threshold and xxxx with the time in seconds

2015
12.10

Internet connection records

Hell if I know if anyone is going to bother reading this, but I felt it was something I needed to say.

TLDR: Mass surveillance in the form of logging everyone's internet activity seems like a very expensive, very bad idea that's not likely to be as useful as our government wants us to believe.


Lately a lot of governments seem to have become obsessed with mass surveillance; well, honestly, they probably always were, but in light of the Snowden leaks more people now know about it.

The latest craziness from the UK government is the idea of getting ISPs to log every internet user's internet usage. Their main argument is that it will help them find missing children, catch paedophiles and stop terrorist attacks (also, I just googled the word "terrorist" because I can't spell; bet that set alarm bells off at GCHQ). The thing is, let's presume for a moment that the government get their way and every "connection" is logged; I'm not actually sure how helpful this would be.

There are also several problems with this proposal, some technical, some not. For a start there seems to be a misconception that the internet works like the telephone system. It does not: in a traditional circuit-switched voice system (so let's ignore VoIP for the moment), when you make a call a "path" through the network is created; essentially a timeslot on a transmission system is allocated to that call and will remain yours until you finish the call. Therefore one phone call, one conversation, one record. Easy, right?

I'm going to attempt to explain the difference between a traditional phone call and the internet here; if there are any network engineers reading this that have a better understanding of the protocols involved than I do, please DO feel free to correct me on any mistakes I've made.

The internet works on packets: everything you send/receive is broken down into little packets of information (usually no bigger than 1500 bytes, or about 12000 bits, which in turn is 12 kilobits, assuming I haven't failed at maths). Each one of these little packets has to contain information about the source and destination, protocol etc. as well as the actual data transferred.

There are also 2 main protocols in use over the internet, TCP and UDP. TCP is a stateful protocol; this essentially means there is a handshake, a session is established and then the traffic to do with that session follows. However, sessions will be created/torn down as needed. UDP, however, is stateless, which means there is no such session; it's mostly just fire and forget, which tends to be used in situations where you need to get the data out quickly and don't care if some gets lost along the way, arrives in the wrong order etc. (games and VoIP, for example, use this).

Right, you may wonder why I went to the trouble of trying, at least, to explain that. Well, it comes down to this: remember I said earlier that a packet tended to be a maximum of around 1500 bytes or 12 kilobits? Well, as you've probably already worked out, 12 kilobits isn't a lot, and since we're not able to send more than 1500 bytes in a single packet over the internet (there are some exceptions but I won't go into this), the only way to send more than 12 kilobits in a second is to send more than one packet in that second.

So for example, if I'm downloading something at 70Mbit/s (the speed of a good FTTC line) I'm probably pushing at minimum around 6000 packets per second just on that one download alone, and that's ignoring all the other traffic I'm sending/receiving.

Then there’s gaming where I’ll be sending lots of smaller packets, 10K packets per second is quite possible to hit with a few gamers sharing an internet connection.

The point I'm trying to make is that one connection can easily generate many tens of thousands of packets per second. Carrier routers have special ASICs (application-specific integrated circuits) that are really good at looking up the destination of these packets and sending them on their way; that's actually fairly easy.

However, in order to do what the government want, the ISP is now going to have to examine each one of these packets and log the source/destination at the very least, except the ISP isn't dealing with just the thousands of packets per second coming from MY connection: they're dealing with thousands, if not millions, of customers, each sending potentially a large number of packets per second, equating to billions of packets every second that they'd have to monitor and log. That would have to be one hell of a database, costing many tens of millions of pounds and consuming vast amounts of computing power.

Assuming, however, the ISPs managed to overcome that problem and the government do get their wish, everyone's connection records are stored. Great, you have records of almost every internet connection in the country, but all that tells you is what was done on that connection, not necessarily who did it. On top of that there's then the problem of trying to separate what the user is doing from what the computers themselves are doing; there will be billions of internet connection records created that are nothing more than machines communicating with machines, such as your computer checking to see if there are any updates to install, or Facebook/WhatsApp etc. on your phone checking in to see if there are any new messages. That dodgy site you visited: was that really you, or is your machine infected with malware, did someone hack your Wi-Fi, etc.?

Then there are things like DDoS attacks, where computers (usually machines infected with malware) are used to send floods of junk data; this would also create internet connection records, so even more for the monitoring equipment to handle.

There is the potential to collect VAST amounts of data on everyone, but the real question is, if they do manage this, are they actually going to glean anything useful from it, or will it just be a case of looking for the needle in the world's biggest haystack? Short of having massively powerful computers searching it constantly for patterns, the only other time it's going to possibly be useful is if you know who your target is, at which point does knowing they were on Facebook etc. actually tell you much that's of any use, I ask?

The final point I'd like to raise is this: should such a database exist, containing everyone's internet connection records, data on every interaction you've ever made on the internet, well, it's not only the government that will be trying to get their hands on that juicy info. If those databases ever leaked then it would be a goldmine for criminals; suddenly they have far more insight into their victims and their habits. Been looking at travel websites lately? Great, they know that sometime soon you're going to be away for an extended period.