Sep 27 2011

Securing IPv6 with IPSec, protecting yourself in an end-to-end world!

Category: Linux, Networking | Mike Lovell @ 8:52 pm

With IPv6 there is no NAT: every machine has an end-to-end connection to its destination.  The implicit protection that NAT provided, by dropping unsolicited inbound connections, tends to be taken for granted, and it is gone.  A VPN is also no longer strictly needed to reach a machine: if I want to connect to my work PC I can simply use its publicly reachable IPv6 address.

So what we need first is a good default-deny firewall policy, but then we still have the problem of encryption without a VPN.  This is where IPSec comes in: it provides end-to-end encryption and integrity at the packet level, so normally unencrypted protocols can be used safely, and already encrypted protocols (SSH, RDP) gain a second layer.

First we need to install “racoon” and “ipsec-tools” on both machines that are to talk securely, in my case my Lubuntu 11.10 laptop and an Ubuntu 11.04 Server VPS.  These two machines have the following IPv6 addresses (anonymised):

Laptop    2604:xxxx:xxx::500
VPS       2607:xxxx:xxx::f49

To install the relevant packages on Debian based systems:

#sudo apt-get install ipsec-tools racoon

Then edit “/etc/ipsec-tools.conf” on each machine to tell the kernel that IPSec is required for traffic to and from a particular IPv6 address.  On my laptop it looks like this:

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd ::0/0               2607:xxxx:xxx::f49 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 2607:xxxx:xxx::f49  ::0/0              any -P in  ipsec esp/transport//require ah/transport//require;

That is: any address on my laptop (::0/0) to the VPS outbound, and the VPS to any address on my laptop (::0/0) inbound.  The “require” level means a packet that matches the policy but is not protected by ESP and AH is dropped rather than passed, so once this is loaded the two machines cannot talk in the clear even if key exchange fails.  The VPS gets the same two lines with the address swapped:

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd ::0/0               2604:xxxx:xxx::500 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 2604:xxxx:xxx::500  ::0/0              any -P in  ipsec esp/transport//require ah/transport//require;

Then we need to configure the algorithms and key exchange used on both machines.  The proposals must match exactly or IKE phase 1 or phase 2 will fail.  They are defined in “/etc/racoon/racoon.conf”; the racoon.conf(5) man page lists the supported algorithms.  In my case I’ve gone for “uber paranoid” settings like this.  (AH additionally authenticates the immutable IP header fields; since ESP already carries an HMAC over the payload, most deployments use esp/transport//require alone in the policy above, which halves the number of SAs.)

# Author: 	Mike Lovell
# Modified:	2011-08-16

# Per-peer shared secrets (see below); keep this file root-only.
path pre_shared_key "/home/mikelovell/.ipsec/config/keys.txt";

# IKE phase 1 (ISAKMP SA), offered to any peer that presents a matching PSK.
remote anonymous
{
	# Main mode: identities are sent encrypted; the PSK is looked up by the
	# peer's IP address, which is why keys.txt is keyed by address.
	exchange_mode main;
	lifetime time 12 hour;

	proposal
	{
		encryption_algorithm   aes;
		hash_algorithm         sha512;
		authentication_method  pre_shared_key;
		dh_group               modp4096;
	}
}

# IKE phase 2 (the ESP/AH SAs that carry the traffic).
sainfo anonymous
{
	# Fresh DH exchange for every phase 2 SA, so recorded traffic stays
	# secret even if a phase 1 key is later recovered.
	pfs_group                      modp4096;
	lifetime time                  12 hour;
	# "rijndael" is racoon's other name for AES; listing both is harmless.
	encryption_algorithm           rijndael, aes;
	authentication_algorithm       hmac_sha512;
	compression_algorithm          deflate;
}

I store my IPSec keys inside “/home”, which is encrypted (mounted on boot) on my machines; you’re probably best keeping yours in “/etc/racoon/keys.txt”.  Wherever it lives, the file should be owned by root with mode 0600, because anyone who can read it can impersonate either end.  Each line holds the peer’s IP address and the shared secret, separated by whitespace.  To generate the secret I always use “apg -a 1 -m 128” (128 random characters).  Here’s what the file might look like on the laptop, with a placeholder in place of a real secret:

2607:xxxx:xxx::f49   not_a_good_password!

And on the VPS:

2604:xxxx:xxx::500   not_a_good_password!

All that’s left is to restart setkey (which loads the policies) and racoon.  Make sure you have another way into the machine (not via IPv6) before you do this: if something doesn’t work you don’t want to be locked out, because the “require” policy drops all unprotected traffic to and from the peer.

#sudo /etc/init.d/setkey restart
#sudo /etc/init.d/racoon restart

Once you’ve done that on both machines as soon as you establish a new connection (anything, try a ping6) you should see IPSec successfully negotiate in your syslog:

initiate new phase 1 negotiation: 2604:xxxx:xxx::500[500]<=>2607:xxxx:xxx::f49[500]
begin Identity Protection mode.
received Vendor ID: DPD
ISAKMP-SA established 2604:xxxx:xxx::500[500]-2607:xxxx:xxx::f49[500] spi:d____________f
initiate new phase 2 negotiation: 2604:xxxx:xxx::500[500]<=>2607:xxxx:xxx::f49[500]
IPsec-SA established: AH/Transport 2604:xxxx:xxx::500[500]->2607:xxxx:xxx::f49[500] spi=11___2(0x6____)
IPsec-SA established: ESP/Transport 2604:xxxx:xxx::500[500]->2607:xxxx:xxx::f49[500] spi=1___1(0xc____)
IPsec-SA established: AH/Transport 2604:xxxx:xxx::500[500]->2607:xxxx:xxx::f49[500] spi=1___5(0xb____)
IPsec-SA established: ESP/Transport 2604:xxxx:xxx::500[500]->2607:xxxx:xxx::f49[500] spi=96___3(0x5____)

Voilà!  You can confirm it, if you like, by sniffing the traffic with “wireshark” or tcpdump: a ping6 to the peer should show up as AH (IP protocol 51) and ESP (IP protocol 50) packets rather than ICMPv6 echo.  “setkey -D” lists the established SAs (four for this pair: in and out for each of AH and ESP) and “setkey -DP” the policies in force.
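As an added example (mine, not code from the original post), the following script builds the full set of files for one host of such a pair from two variables, so the second host is configured by running it again with LOCAL_ADDR and PEER_ADDR swapped and the same secret supplied; that is exactly where hand-edited copies tend to drift. The 2001:db8 addresses are placeholders for the post’s anonymised ones, OUT_DIR is an assumption so the script can be dry-run as an ordinary user, the script name ipsec-pair.sh is mine, and the secret is drawn from /dev/urandom rather than apg. The policies and proposals themselves are the ones shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: build the matched
# ipsec-tools/racoon configuration for ONE host of a transport-mode pair.
# Run it on each host with LOCAL_ADDR/PEER_ADDR swapped; the output files
# follow the post's layout. Assumptions: 2001:db8 placeholder addresses
# (standing in for the post's anonymised ones), OUT_DIR so it can be
# dry-run unprivileged, and the PSK from /dev/urandom instead of apg.
set -eu

LOCAL_ADDR="${LOCAL_ADDR:-2001:db8:1::500}"   # this host (post: laptop)
PEER_ADDR="${PEER_ADDR:-2001:db8:2::f49}"     # other end (post: VPS)
OUT_DIR="${OUT_DIR:-/etc}"

# SPD: ESP+AH transport mode required for all traffic to/from the peer.
# "require" means unprotected packets matching the policy are dropped.
spd_conf() {
    peer=$1
    printf '%s\n' '#!/usr/sbin/setkey -f' 'flush;' 'spdflush;' '' \
        "spdadd ::/0 $peer any -P out ipsec esp/transport//require ah/transport//require;" \
        "spdadd $peer ::/0 any -P in  ipsec esp/transport//require ah/transport//require;"
}

# IKE proposals exactly as in the post; both hosts must emit the same text.
racoon_conf() {
    keyfile=$1
    cat <<EOF
path pre_shared_key "$keyfile";

remote anonymous
{
	exchange_mode main;
	lifetime time 12 hour;
	proposal
	{
		encryption_algorithm   aes;
		hash_algorithm         sha512;
		authentication_method  pre_shared_key;
		dh_group               modp4096;
	}
}

sainfo anonymous
{
	pfs_group                      modp4096;
	lifetime time                  12 hour;
	encryption_algorithm           aes;
	authentication_algorithm       hmac_sha512;
	compression_algorithm          deflate;
}
EOF
}

# 256 bits from the kernel RNG, printed as 64 hex characters. racoon uses
# the literal string as the key, so the same line must land on both hosts.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# keys.txt entry: peer address, whitespace, secret. Main mode looks the
# key up by the peer's address, so this must be the address IKE sees.
psk_line() {
    printf '%s\t%s\n' "$1" "$2"
}

write_all() {
    umask 077                                  # new files are owner-only
    mkdir -p "$OUT_DIR/racoon"
    spd_conf "$PEER_ADDR"                   > "$OUT_DIR/ipsec-tools.conf"
    racoon_conf "$OUT_DIR/racoon/keys.txt"  > "$OUT_DIR/racoon/racoon.conf"
    psk_line "$PEER_ADDR" "${PSK:-$(gen_psk)}" > "$OUT_DIR/racoon/keys.txt"
    chmod 644 "$OUT_DIR/ipsec-tools.conf" "$OUT_DIR/racoon/racoon.conf"
    chmod 600 "$OUT_DIR/racoon/keys.txt"     # only root may read the secret
}

# After a ping6 to the peer, setkey -D should list four SAs for the pair:
# inbound and outbound for each of AH and ESP. grep exits non-zero if none.
check_sa() {
    setkey -D | grep -cE "^($PEER_ADDR $LOCAL_ADDR|$LOCAL_ADDR $PEER_ADDR)"
}

case "${1:-}" in
    write) write_all ;;   # e.g.  sudo PEER_ADDR=2001:db8:2::f49 ./ipsec-pair.sh write
    check) check_sa ;;
esac
```

Run `sudo ./ipsec-pair.sh write` on the first host, copy the secret out of /etc/racoon/keys.txt, then on the second host run it with the two addresses swapped and `PSK=<that secret>` in the environment so both ends hold the same line. After restarting setkey and racoon as above and sending a ping6, `./ipsec-pair.sh check` should print 4.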


Sep 26 2011

IPv6 without native support from your provider, via SixXS

Category: Linux, Networking | Mike Lovell @ 9:33 pm

You’ll need a Linux machine or device supporting AICCU and ip6tables to act as the IPv6 router.  It doesn’t have to be the same machine/device as your IPv4 router.  If you’re using DD-WRT on your IPv4 router there is a separate tutorial covering that.

First you need to pop over to www.sixxs.net and sign up for an account (it’s free).  Once that’s approved you’ll need to request a tunnel.

For safety’s sake, as some connectivity providers block anything but TCP and UDP (a plain 6in4 tunnel is IP protocol 41), select “Dynamic NAT-traversing IPv4 Endpoint using AYIYA”, which carries the tunnel over UDP, as your endpoint.

Then you’ll need to select a PoP that’s close to you (to keep latency low) and give a reason why you want an IPv6 tunnel (use your imagination!).

After that’s approved you’ll need to request a subnet.

Now we just need to set up our IPv6 router (in my case a Debian VM).  First let’s set up AICCU, which configures a tunnel device for IPv6 with SixXS.  During the ncurses installer you will be asked for your SixXS username and password:

# apt-get install aiccu

An “ifconfig” should now show the tunnel interface.  Note the MTU of 1280, the IPv6 minimum: hosts behind the router inherit that constraint, so the firewall must let ICMPv6 Packet Too Big messages through or path MTU discovery breaks:

sixxs     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fe80::xxxx:xxx:xx:2/64 Scope:Link
          inet6 addr: 2604:xxxx:xxx:xx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:1989470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1187540 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:1401336999 (1.3 GiB)  TX bytes:306453776 (292.2 MiB)

Then we need to enable IPv6 forwarding (as root):

#echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

To make this persistent you’ll need to add or amend this line in “/etc/sysctl.conf”.  Use the “all” key, which is what the echo above set; “net.ipv6.conf.default.forwarding” only affects interfaces created after the setting is applied:

net.ipv6.conf.all.forwarding=1

Let’s now set up an IPv6 address from the subnet we’ve been given to act as our IPv6 gateway.  SixXS routes the whole /48 to the tunnel endpoint; the LAN only needs one /64 out of it (the first one here), so the address below gets a 64-bit prefix rather than the full 48.  In my case my subnet is (anonymised):

2604:xxxx:xxx::/48

So in “/etc/network/interfaces” I put the following:

iface eth0 inet6 static
	address	2604:xxxx:xxx::1
	netmask	64

Whenever the network comes up I want two routes in place: the LAN /64 on eth0 (the connected route that the address above already provides; “replace” keeps it idempotent) and the whole delegated /48 pointed at lo, so that packets for unused addresses in the /48 are dropped locally instead of bouncing back out through the tunnel in a routing loop.  The prefix is the same anonymised 2604:xxxx:xxx one as above.  To do this I created a script called “/etc/network/if-up.d/ipv6routes” and marked it executable:

#!/bin/sh
# ifupdown exports IFACE; only act when the LAN interface comes up.
[ "${IFACE:-}" = eth0 ] || exit 0

# LAN /64 (already present as the connected route; "replace" is idempotent).
ip -6 route replace 2604:xxxx:xxx::/64 dev eth0
# Rest of the delegated /48 goes to lo, where it is dropped; the /64 above is
# more specific and wins.  "ip -6 route replace unreachable 2604:xxxx:xxx::/48"
# does the same and additionally returns an ICMPv6 unreachable.
ip -6 route replace 2604:xxxx:xxx::/48 dev lo

Then we need the ip6tables rules that decide what gets forwarded.  In my case the rules below; note that the last FORWARD rule accepts every inbound connection from the tunnel to every host in the /48, which is convenient while testing but is not a default-deny policy.  Tighten it to RELATED,ESTABLISHED plus explicit allows (and ICMPv6, which IPv6 cannot do without) before relying on it.  The INPUT and OUTPUT chains keep their ACCEPT policy here, so the router’s own services are not filtered by this snippet:

# Default deny for transit traffic only; INPUT/OUTPUT stay at ACCEPT here.
ip6tables -P FORWARD DROP

ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# LAN hosts may go anywhere.
ip6tables -A FORWARD -i eth0 -s 2604:xxxx:xxx::/48 -j ACCEPT
# Tunnel to anything in the /48: this accepts unsolicited inbound connections
# to every LAN host.  For default deny, replace with a RELATED,ESTABLISHED rule,
# an ICMPv6 accept and explicit per-host allows.
ip6tables -A FORWARD -i sixxs -o eth0 -d 2604:xxxx:xxx::/48 -j ACCEPT

To make these persistent you’ll need to load them when the network comes up; what I usually do is this:

ip6tables-save > /etc/iptables-ipv6.conf

Then create a script called “/etc/network/if-up.d/iptables”, marked executable (run-parts only runs files whose names consist of letters, digits, hyphens and underscores, so no dots in the name), with the following inside it:

#!/bin/sh

ip6tables-restore < /etc/iptables-ipv6.conf
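As an added example (mine, not from the original post), here is the same router’s firewall written as a default-deny ruleset in ip6tables-restore format, so it can be reviewed before it is applied and saved for the if-up.d hook above. The differences from the rules above: the router’s own INPUT chain gets a DROP policy, inbound transit from the tunnel is limited to replies, ICMPv6 and an explicit allow list instead of the blanket accept into the /48, and packets arriving from the tunnel with a LAN source address are dropped as spoofed. Interface names are the post’s; 2001:db8:1::/48 stands in for the anonymised /48, the allow-list entry (SSH to one host) is an illustration, and the script name ip6fw.sh is mine.

```shell
#!/bin/sh
# Added example, not code from the original post: a default-deny ip6tables
# ruleset for the tunnel router in ip6tables-restore format, so it can be
# reviewed before it is applied and saved for the if-up.d hook.
# The original FORWARD rule "-i sixxs -o eth0 -d <lan>/48 -j ACCEPT" let
# every unsolicited connection from the Internet through to every LAN host;
# here inbound is limited to replies, ICMPv6 and an explicit allow list.
# Assumptions: interface names eth0/sixxs as in the post, 2001:db8:1::/48 as
# a placeholder for the anonymised /48, and example allow-list entries.
set -eu

LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-sixxs}"
LAN_NET="${LAN_NET:-2001:db8:1::/48}"
# Hosts inside the /48 reachable from outside, as "address/tcp-port" entries.
# Empty string = nothing reachable from the tunnel except replies and ICMPv6.
INBOUND_TCP="${INBOUND_TCP:-2001:db8:1::500/22}"

ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: loopback, replies, ICMPv6 (ND, PMTUD and errors need it),
# and SSH from the LAN side only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Transit: anything from the tunnel claiming a LAN source address is spoofed.
-A FORWARD -i $TUN_IF -s $LAN_NET -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
EOF
    # Explicit inbound allows replace the original blanket accept into the /48.
    for entry in $INBOUND_TCP; do
        addr=${entry%/*}
        port=${entry##*/}
        printf '%s\n' "-A FORWARD -i $TUN_IF -o $LAN_IF -d $addr -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

case "${1:-}" in
    show)  ruleset ;;
    apply) ruleset | ip6tables-restore ;;          # replaces the filter table
    save)  ruleset > /etc/iptables-ipv6.conf ;;    # read by if-up.d/iptables
esac
```

`./ip6fw.sh show` prints the ruleset for review, `apply` loads it, and `save` writes it to /etc/iptables-ipv6.conf for the if-up.d hook. As with the IPsec post, keep a non-IPv6 way into the router before applying it, since the INPUT policy becomes DROP.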

Now assign an IPv6 address from the LAN /64 to another machine on the network and set its gateway to the address we set up previously (2604:xxxx:xxx::1).  Here’s what its “ifconfig” looks like:

wlan0     Link encap:Ethernet  HWaddr 00:23:14:53:56:3c
          inet addr:192.168.x.xxx  Bcast:192.168.x.xxx  Mask:255.255.x.x
          inet6 addr: 2604:xxxx:xxx::500/64 Scope:Global
          inet6 addr: fe80::xxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1280  Metric:1
          RX packets:403511 errors:0 dropped:0 overruns:0 frame:0
          TX packets:366141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:195242106 (195.2 MB)  TX bytes:60409846 (60.4 MB)

And hopefully, it all works!

# traceroute6 -n www.sixxs.net
traceroute to nginx.sixxs.net (2001:1af8:4050::2) from 2604:xxxx:xxx::500, 30 hops max, 24 byte
 1  2604:xxxx:xxx::1  2.871 ms  2.892 ms  9.606 ms
 2  2604:xxxx:xxx:31::1  137.17 ms  150.576 ms  168.446 ms
 3  2620:0:6b0:a::1  204.796 ms  245.039 ms  329.039 ms
 4  2001:1900:2100::171  326.815 ms  256.593 ms  385.289 ms
   ...                         ...


Sep 25 2011

My base “iptables” / “ip6tables” script

Category: Linux, Networking | Mike Lovell @ 7:16 pm

I thought I’d post my base iptables/ip6tables script.  This is what I dump on every machine I install, then tweak from there.

It also creates a script to load the rules (on Debian-based systems) when the network comes up (if-up.d).

Download:
firewall.tar.gz


Jan 26 2011

Extracting music from flash videos using mencoder and mplayer

Category: Linux, Sound, Video Processing | Mike Lovell @ 2:30 pm

If you’ve ever downloaded music videos from a website (for example with “youtube-dl”) you may have wanted to extract the music as an MP3 from the FLV (Flash video) file.  Here’s how:

#mencoder source.flv -ovc frameno -oac mp3lame -lameopts br=128 -noskip -o resampled.avi
#mplayer -dumpaudio -dumpfile final.mp3 resampled.avi

Both “mencoder” and “mplayer” run on Windows and Linux (in the latest version of Ubuntu both are available via the package manager).


Jan 26 2011

X11 Forwarding of Pidgin with Sound using PulseAudio

Category: Linux, Pidgin, PulseAudio, SSH | Mike Lovell @ 1:41 pm

With the aid of PulseAudio it’s possible to remotely host applications such as Pidgin and still have sound enabled (something that’s very handy with an IM client for notification purposes).

First, on both the client and the server, make sure PulseAudio is installed (it should be there by default in Ubuntu 10.10 if that’s your client).  For the client you can install all you need like this:

#apt-get install pulseaudio pulseaudio-utils paprefs

And for the server:

#apt-get install pulseaudio pulseaudio-utils

Then on the client allow network access to the local sound devices (you can open the preferences by typing “paprefs” at a console or going to “System | Preferences | PulseAudio Preferences”):

"paprefs" Dialog

(Security note: the port used, TCP/4713, is blocked by the firewall on this machine for anything but localhost, and you should do the same.  Leave “Don’t require authentication” unticked as well: with the reverse tunnel below, any local user on the server can reach this port, and the PulseAudio cookie is what stops them from playing into your speakers.  Copy your client’s ~/.pulse-cookie to the server account so that paplay there can authenticate.)

Then, when we connect to the server, we enable X11 forwarding and set up a reverse tunnel so the server can send sounds back to the client.  The “-R” end binds to the server’s loopback only (unless GatewayPorts is set), which is what we want; replace user@server with your own login:

#ssh -X -R 4713:127.0.0.1:4713 user@server

Start up Pidgin:

#pidgin &

Then change Pidgin’s sound preferences (Method: Command) to use “paplay” so the sounds go down the reverse tunnel.  paplay must be pointed at the tunnel rather than the server’s own daemon, e.g. “paplay -s 127.0.0.1:4713 %s”, where %s is Pidgin’s placeholder for the sound file:

Pidgin Sound Dialog

And there we go, job done.

I like to have Pidgin running on a virtual machine at home so that my IM traffic cannot be monitored when I’m at work, on site, or on an untrusted network.