Tor & disabling IPv6 in Linux

23 06 2012

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb lucid main

– Get the key

gpg --keyserver --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

– Install

apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is & configure socks4a proxy

vi /etc/privoxy/config

forward-socks4a / .

– change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy
– Check that you connect over tor

– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf (and check that proxy_dns is enabled, otherwise name lookups go out directly rather than via tor)

socks4 9050

– Remove tor & privoxy from startup (start them only when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check it's working – “proxychains <command>”

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0*               LISTEN      3569/privoxy
tcp        0      0*               LISTEN      3562/tor

root@bt:~# curl -s

root@bt:~# proxychains curl -s
|S-chain|-<>-<><>-<><>-OK

Have fun, then shut them down when you are done

service privoxy stop
service tor stop

– There are many reasons you may not want IPv6 running on your machine. For example, if you are using tor, a dual-stack target can be reached over IPv6 directly instead of via your IPv4 SOCKS proxy: tor only sees what is sent to its socks port, so any IPv6 path the host still has is a leak of your real address.

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p
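Before relying on the sysctl above, it helps to have a repeatable check that the host really has no direct IPv6 path left. The script below is an added example and not part of the original post. It parses the text output of the iproute2 commands `ip -6 addr` and `ip -6 route` (the sample output embedded in it is constructed, using the addresses that appear elsewhere on this page) and reports any global-scope address or IPv6 default route, either of which would let a dual-stack target be reached around the IPv4 SOCKS proxy. Run it with --live to inspect the real host.

```python
#!/usr/bin/env python3
"""Added example: detect a direct IPv6 path that would bypass an IPv4-only SOCKS proxy.

Parses the text output of `ip -6 addr` and `ip -6 route`. Link-local addresses
(fe80::/10) are ignored: they cannot reach an Internet target on their own.
"""
from __future__ import annotations

import subprocess
import sys


def global_ipv6_addresses(ip_addr_output: str) -> list[str]:
    """Return global-scope IPv6 addresses (with prefix length) from `ip -6 addr` text."""
    found = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        # Address lines look like: "inet6 2001:db8::1/64 scope global [flags...]"
        if len(fields) >= 4 and fields[0] == "inet6" and fields[2] == "scope" and fields[3] == "global":
            found.append(fields[1])
    return found


def ipv6_default_routes(ip_route_output: str) -> list[str]:
    """Return the default-route lines from `ip -6 route` text."""
    return [line.strip() for line in ip_route_output.splitlines()
            if line.split()[:1] == ["default"]]


def ipv6_disabled(sysctl_output: str) -> bool:
    """True when `sysctl net.ipv6.conf.all.disable_ipv6` output reports the value 1."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv6.conf.all.disable_ipv6":
            return value.strip() == "1"
    return False


def leak_findings(ip_addr_output: str, ip_route_output: str) -> list[str]:
    """Return one finding per direct IPv6 path; an empty list means none was found."""
    findings = [f"global IPv6 address present: {a}" for a in global_ipv6_addresses(ip_addr_output)]
    findings += [f"IPv6 default route present: {r}" for r in ipv6_default_routes(ip_route_output)]
    return findings


# Constructed sample output (not captured from a real host); the addresses are the
# ones used elsewhere on this page. After disable_ipv6=1 both commands print nothing.
SAMPLE_ADDR_BEFORE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:470:489e::100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea1:70d1/64 scope link
       valid_lft forever preferred_lft forever
"""
SAMPLE_ROUTE_BEFORE = """\
2001:470:489e::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:470:489e::1 dev eth0 metric 1024
"""


def report(addr_output: str, route_output: str) -> bool:
    """Print findings; return True when the host is safe to use behind an IPv4-only proxy."""
    findings = leak_findings(addr_output, route_output)
    for finding in findings:
        print("LEAK:", finding)
    if not findings:
        print("OK: no global IPv6 address or default route; only IPv4 (and the proxy) can carry traffic")
    return not findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Inspect the real host (needs iproute2).
        addr = subprocess.run(["ip", "-6", "addr"], capture_output=True, text=True, check=True).stdout
        route = subprocess.run(["ip", "-6", "route"], capture_output=True, text=True, check=True).stdout
        sys.exit(0 if report(addr, route) else 1)
    print("== before disabling IPv6 ==")
    report(SAMPLE_ADDR_BEFORE, SAMPLE_ROUTE_BEFORE)
    print("== after disabling IPv6 ==")
    report("", "")
```

The sysctl only removes the kernel's own IPv6 path. An application that ignores the proxy setting, or proxychains without proxy_dns, can still leak hostnames over IPv4 DNS; this check does not cover that.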

IPv6 Static Address on Ubuntu

27 04 2012
So – I have blogged about how to enable IPv6 on your firewall & set up your tunnel, and how to manually add addresses to an Ubuntu server, but what about the server you are sticking on the end of the tunnel permanently – you want it up every reboot.
I have an Ubuntu box sitting on 2001:470:489e::100. This hosts & also my mail host
Most modern distros have IPv6 enabled out of the box & will do their best to grab an address. I didn't want autoconfiguration handing this host any old address (even a predictable SLAAC address derived from the MAC), so that I could properly set up inbound & outbound FW rules against a known address.
You can turn it off by entering the following in /etc/sysctl.conf & rebooting
– Disable the autoconf / SLAAC capability for all interfaces


– Ignore the RA messages from your router


If you just want to test it out – or don't want to reboot your machine

sudo sysctl -w net.ipv6.conf.eth0.autoconf=0
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=0

–BEFORE with autoconfigured Global IPv6 address–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:  Bcast:  Mask:
          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          RX packets:56 errors:0 dropped:12 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6219 (6.2 KB)  TX bytes:7140 (7.1 KB)
–AFTER only link-local address remains–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          RX packets:254 errors:0 dropped:12 overruns:0 frame:0
          TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24646 (24.6 KB)  TX bytes:33280 (33.2 KB)
Now – it's simply another couple of lines in your /etc/network/interfaces file & a quick network restart
iface eth0 inet6 static
        address 2001:470:489e::100
        netmask 64
        gateway 2001:470:489e::1
and your shiny new statically assigned IPv6 address is active
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          inet6 addr: 2001:470:489e::100/64 Scope:Global
          RX packets:806 errors:0 dropped:116 overruns:0 frame:0
          TX packets:716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71814 (71.8 KB)  TX bytes:110482 (110.4 KB)
Apache & Postfix should already listen on any IPv6 addresses (look for :::80 / :::25 entries in netstat -antp | grep LISTEN) – so simply restart the services.

FortiGate IPv6 using

22 04 2012
My previous IPv6 network was configured with Astaro – recently I have switched vendor to Fortinet (partly troubleshooting, partly because I could). Using one of their FortiGate FWs – it's been “fun” getting all the functions working that I had on the Astaro – one that was a bit more complex was the IPv6 config. It was pretty much point & click GUI driven on the Astaro; it's a lot more CLI driven on the FortiGate.
I'm using PPPoE without a static IP – so when my IPv4 ISP connection changes address, it will take out my IPv6 tunnel – I will try to work out how this needs to be fixed later.


First step is to enable IPv6 in the GUI – most of the tunnel config is going to be done on the CLI, but with the GUI enabled, you can at least manage the addresses / policies easily.
config system global
  set gui-ipv6 enable


Configure the tunnel – if you are using (, there is a shortcut you can take.
View your tunnel details on their admin page, and make sure you set the correct “Client IPv4 Address” to match your current PPPoE or other connection. Then click on the tab called “Example Configurations”, which lets you select your OS & populates the changes needed with the correct IP addresses. In this case, FortiGate 4.x:
config system sit-tunnel
    edit “HE”
        set destination
        set ip6 2001:470:66:288::2/64
        set source
config router static6
    edit 1
        set device “HE”
Once you have pasted that into the CLI on the FG, check the tunnel comes up & finish the config

Ping from the Fortigate to the tunnel broker

Fortigate # execute ping6 2001:470:66:288::1
PING 2001:470:66:288::1(2001:470:66:288::1) 56 data bytes
64 bytes from 2001:470:66:288::1: icmp_seq=1 ttl=64 time=159 ms
64 bytes from 2001:470:66:288::1: icmp_seq=2 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=3 ttl=64 time=157 ms
64 bytes from 2001:470:66:288::1: icmp_seq=4 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=5 ttl=64 time=158 ms

--- 2001:470:66:288::1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4042ms
rtt min/avg/max/mdev = 157.156/158.424/159.138/0.802 ms
Fortigate #


Configure IPv6 on one of your FW interfaces (In this case, my port3(DMZ) interface)
config system interface
     edit port3
            config ipv6
                set ip6-address 2001:470:489e::1/64
                set ip6-allowaccess ping
                set ip6-manage-flag enable
                set ip6-other-flag enable
                    config ip6-prefix-list
                        edit 2001:470:489e::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                            set preferred-life-time 3600
                set ip6-send-adv enable
**NOTE: “set ip6-send-adv enable” turns on router advertisements on that segment, so any host doing stateless autoconfiguration (most recent OSes do by default) will pick up a globally routable address from the advertised prefix. Have the policy6 rules you want in place before enabling it: those hosts are globally addressable as soon as they get an address, and the implicit deny is all that keeps them unreachable until a policy says otherwise.


Create a FW policy to allow ping traffic to & from your network for testing
config firewall address6
    edit “DMZ_v6”
        set ip6 2001:470:489e::/64
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf HE
            set srcaddr “DMZ_v6”
            set dstaddr “all”
        set action accept
        set schedule “always”
            set service “PING6”
        set logtraffic enable
    edit 2
        set srcintf HE
        set dstintf port3
            set srcaddr “all”
            set dstaddr “DMZ_v6”
        set action accept
        set schedule “always”
            set service “PING6”
        set logtraffic enable


Ping from another host or one of the many test websites


To the Firewall DMZ Interface
PING 2001:470:489e::1: 56 data bytes
64 bytes from 2001:470:489e::1: icmp_seq=0. time=339. ms
64 bytes from 2001:470:489e::1: icmp_seq=1. time=336. ms
64 bytes from 2001:470:489e::1: icmp_seq=2. time=335. ms
64 bytes from 2001:470:489e::1: icmp_seq=3. time=334. ms
64 bytes from 2001:470:489e::1: icmp_seq=4. time=334. ms
----2001:470:489e::1 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 334./336./339./2.2


To another host on my DMZ (
PING 56 data bytes
64 bytes from (2001:470:489e::100): icmp_seq=0. time=354. ms
64 bytes from (2001:470:489e::100): icmp_seq=1. time=332. ms
64 bytes from (2001:470:489e::100): icmp_seq=2. time=333. ms
64 bytes from (2001:470:489e::100): icmp_seq=3. time=334. ms
64 bytes from (2001:470:489e::100): icmp_seq=4. time=334. ms
---- PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 332./337./354./9.5


From a host on my DMZ out to IPv6 Internet site
Pinging [2001:4860:4001:801::1010] with 32 bytes of data:
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=159ms
Ping statistics for 2001:4860:4001:801::1010:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 159ms, Maximum = 160ms, Average = 159ms

Configure some FW policies to allow your internal hosts to browse the IPv6 internet (HTTP/HTTPS/PING6/DNS). You can now use the GUI on the FortiGate to configure your new IPv6 FW rules, just remember to use the “IPv6 Policy” menu, not the standard “Policy” page – as that is your IPv4 traffic.


A note on IPv6 DNS & the FortiGate
After some mucking around & frustration, it was clear that the FortiGate was not advertising DNS to stateless autoconfiguration clients. This meant that I had to configure the IPv6 DNS server manually – hardly a great solution (you can use the one from HE).
I found another couple of config items that seem to fix the issue (I added these to my config above)
    set ip6-manage-flag enable
    set ip6-other-flag enable
Documentation from Fortinet on this is not great. These two settings correspond to the “Managed address configuration” (M) and “Other configuration” (O) flags in the router advertisement (RFC 4861), which tell clients they may obtain addresses and other information such as DNS servers via DHCPv6. I don't know the full impact of these, but they seem to do what I want, as long as your IPv4 DNS server is the FortiGate.
As you can see, I only have an IPv4 nameserver (the FortiGate), but both IPv4 & IPv6 DNS entries are happily being resolved – the transport used to reach the resolver is independent of the record types it can return.
ash@public:~$ dig aaaa
; <<>> DiG 9.7.3 <<>> aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25610
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;               IN      AAAA
;; ANSWER SECTION:
        13160   IN      CNAME
        273     IN      AAAA    2001:4860:4001:801::1013
;; Query time: 7 msec
;; WHEN: Sun Apr 22 14:59:40 2012
;; MSG SIZE  rcvd: 82
ash@public:~$ cat /etc/resolv.conf
Once you are done, visit somewhere like to check your workstation is using IPv6



IPv6 rebooted – web & smtp server

14 03 2012

Now that I had a new IPv6 allocation from – it was time to get the server re-addressed & reachable from the outside world.

Apache was already configured to listen on all IPv4 & IPv6 addresses so all I needed to do was change the address, test connectivity & restart apache

sudo ip addr add 2001:470:489e::100/64 dev eth0
sudo route --inet6 add default gateway 2001:470:489e::1
ping6 2001:470:489e::1

Don't forget to update your nameserver

sudo vi /etc/resolv.conf

Restart apache & postfix services

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/postfix stop
sudo /etc/init.d/postfix start

Update your DNS record with the new address & test connection.
You can either test from another IPv6 connected host (like a VPS)

ash@vertex:~$ dig aaaa +short
ash@vertex:~$ curl

Or use one of the many publicly available test servers – like

It's as simple as that. Now my server was once again reachable via IPv6 – all this effort to get back to where I was.

Next time – I cover the DNS forward & reverse fun as well as why I needed to transfer my domain from free DNS hosting to the free DNS hosting provided by Hurricane Electric @

IPv6 rebooted – IPv6 SAGE Certification Project (part1)

13 03 2012

IPv6 Certification Badge for blackundertone

Well – it's official – I am an IPv6 consumer. I have a public facing IPv6 web & smtp server – and I have passed the requirements of the Hurricane Electric ( IPv6 certification program to the SAGE level –

I already had IPv6 through Freenet6 – as I detailed in my previous IPv6 post here so I began the IPv6 certification program, and ran through the first few basic levels.

  • I can reach the site with IPv6- Check
  • can reach my IPv6 website – Check
  • can send me email (had to stand up postfix for this one) – Check

This got me to the Administrator level – anyone with IPv6 connectivity can easily get here – simply have a reachable IPv6 website & mail server.

This is where the fun came in. To get to the next level (Professional) – I needed a working reverse DNS entry for my mailserver. Now while this sounds simple – Freenet6 doesn't appear to provide an easy way to configure reverse DNS entries for the IPv6 range they provide you – bummer.

My Astaro box provides built-in support for several tunnel brokers: gogo6 / Freenet6, Hurricane Electric & SixXS

I had exhausted my energy trying to setup reverse DNS with Freenet6, so off to Hurricane Electric I went – seemed a logical choice considering I was doing their certification anyway. Signup was simple & within minutes I had a new IPv6 allocation. They initially allocate a single /64 – but once you have enabled your connection – you can request a /48 – which of course I did.

So – now that I have a new allocation, here is how I configured it on my network.

In Astaro: Interfaces & Routing -> IPv6 (click Enable), then from the Tunnel Broker tab, simply enter your username & password.

Minutes later, the /64 range on your account page should appear in the global tab.

A couple of tests later & I confirmed I could ping IPv6 addresses from my Astaro box (example here using the nameserver address)

I decided to use the inital /64 I was allocated as the range for my Internal hosts, and then break up the /48 into subnets for other zones.

By far the easiest way to use IPv6 is to let “Stateless Auto Configuration” work its magic. It doesn't require DHCP, allows hosts to automatically find the router & get an address – it pretty much works as it says on the box.

Simply add an IPv6 address to the FW interface you want to run IPv6 on, then advertise the subnet out.

Suddenly your internal hosts will be getting IPv6 addresses & will be EXTERNALLY REACHABLE <— This is important. Make sure you set up your firewall rules, host protection etc etc. I will not cover this step, but you need to understand that as soon as your box has a global IPv6 address – it is publicly routable from the outside world, and only your firewall policy stands between it and the internet.

Repeat the addition of an IPv6 address (from another /64 subnet carved out of the /48 you requested) on the DMZ interface(s). I am not enabling “Stateless Auto Configuration” on my DMZ segments; I am just manually assigning addresses to the couple of boxes in there.

Right – that covers the move to Hurricane Electric & how to re-address the internal & DMZ segments.

Next steps are re-addressing my public web & smtp server, updating the DNS forward & reverse zone entries – and what is needed to complete the rest of the certification.

IPv6 Adventures – Part 1

31 01 2012

So – I decided it was finally time to finish implementing & document my IPv6 config – mainly so I remember how I did it, but also to help others on their IPv6 journey to the interwebs

High Level:

– Get an IPv6 subnet (duh) – This will depend on your scenario; several ISPs offer native IPv6 (Internode) – mine does not (Telstra Bigpond).
– Configure a router / firewall / host with IPv6 address from your subnet
– Configure an IPv6 DNS address on that device to resolve AAAA records
– Bask in the IPv6ness of the interwebs – it looks eerily like the IPv4ness of the interwebs.

My Journey:

– I was already running the awesome Astaro for my border FW & home – which has great IPv6 support built in.
– I signed up for a subnet with Freenet6 / gogonet –


Ok, before we move on with turning the IPv6 up – you need to plan out a couple of things.

– Your IPv6 address is PUBLIC – it is reachable from the outside world, so consider the consequences & firewall appropriately. Also turn off NAT for IPv6 if your FW supports it – it will be a PITA when testing with your web browser & getting a different IPv6 address than you expect.

– IPv6 Subnetting – depending on the provider, you will be allocated something like a /56 subnet (4722366482869645213696 host IP’s — SERIOUSLY)

I broke my /56 up into /64 subnets, one per zone (INSIDE / DMZ1 / DMZ2 / DARKNET) – that still gives me 256 subnets of 18446744073709551616 host addresses each …. I don't think I'm going to run out of addresses any time soon.

I could have broken them up into /96 subnets, giving me 1099511627776 subnets with 4294967296 (4 billion) hosts in each …. but really, when we are talking numbers like this, it's just academic – use whatever fits your network design, with one practical constraint: stateless autoconfiguration needs a 64-bit interface identifier, so anything longer than /64 on a link breaks SLAAC. I figured that I'm never going to need 256 subnets or more, so I just broke it up there, and /64 is a nice subnet mask boundary.

So what does this actually look like ?

2406:A000:F006:A400::/56 – My allocated IPv6 subnet from my tunnel broker

You can get some good info about your subnet using tools like

IP address: 2406:a000:f006:a400:0000:0000:0000:0000
type: GLOBAL-UNICAST
network: 2406:a000:f006:a400::
Prefix length: 56
Prefix address: ffff:ffff:ffff:ff00:0000:0000:0000:0000
address range start: 2406:a000:f006:a400:0000:0000:0000:0000
address range end: 2406:a000:f006:a4ff:ffff:ffff:ffff:ffff
total IP addresses: 4722366482869645213696

As I mentioned above, I carved out 4x /64 subnets from this.

You can do this offline, but I cheated & used this IPv6 subnet calc –

Here we go – nice & neat /64 subnets – im using 4 from the possible 256.


ffff:ffff:ffff:ffff:0000:0000:0000:0000 – /64 Mask
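The carve-up above can be done (and checked) in a few lines of Python's standard ipaddress module. The script below is an added example, not part of the original post; it uses the post's own /56 and zone names, and reproduces the address counts and masks quoted above. The gateway convention (::1 in each zone) is an assumption borrowed from the later posts on this page.

```python
#!/usr/bin/env python3
"""Added example: carve a tunnel-broker allocation into per-zone /64s with ipaddress."""
from __future__ import annotations

import ipaddress

# The post's allocation and zone names.
ALLOCATION = ipaddress.IPv6Network("2406:a000:f006:a400::/56")
ZONES = ["INSIDE", "DMZ1", "DMZ2", "DARKNET"]


def subnet_count(parent: ipaddress.IPv6Network, new_prefix: int) -> int:
    """Number of new_prefix-length subnets that fit in parent: 2 ** (new_prefix - parent.prefixlen)."""
    if not parent.prefixlen <= new_prefix <= 128:
        raise ValueError(f"/{new_prefix} must lie between /{parent.prefixlen} and /128")
    return 2 ** (new_prefix - parent.prefixlen)


def netmask_exploded(prefixlen: int) -> str:
    """The full-form mask for a prefix length, as the subnet calculators print it."""
    return ipaddress.IPv6Network(f"::/{prefixlen}").netmask.exploded


def zone_plan(parent: ipaddress.IPv6Network, zones: list[str],
              new_prefix: int = 64) -> dict[str, ipaddress.IPv6Network]:
    """Assign consecutive new_prefix subnets of parent to the named zones, in order.

    The default stays at /64 on purpose: stateless autoconfiguration (RFC 4862)
    needs a 64-bit interface identifier, so /96 per link would break SLAAC.
    """
    if len(zones) > subnet_count(parent, new_prefix):
        raise ValueError(f"{len(zones)} zones do not fit in /{parent.prefixlen} as /{new_prefix}s")
    subnets = parent.subnets(new_prefix=new_prefix)
    return {zone: next(subnets) for zone in zones}


def zone_summary(plan: dict[str, ipaddress.IPv6Network]) -> list[str]:
    """One line per zone: network, a conventional gateway address (::1, assumed) and host count."""
    return [f"{zone:8s} {net}  gateway {net[1]}  hosts {net.num_addresses}"
            for zone, net in plan.items()]


if __name__ == "__main__":
    print(f"{ALLOCATION}: {ALLOCATION.num_addresses} addresses, range "
          f"{ALLOCATION.network_address.exploded} - {ALLOCATION.broadcast_address.exploded}")
    print(f"/64 mask {netmask_exploded(64)}; {subnet_count(ALLOCATION, 64)} /64s available")
    print(f"/96 would give {subnet_count(ALLOCATION, 96)} subnets of "
          f"{ipaddress.IPv6Network('::/96').num_addresses} addresses (but no SLAAC)")
    for line in zone_summary(zone_plan(ALLOCATION, ZONES)):
        print(line)
```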

Now that we have our subnets planned out, we can continue on to implementation

Next Time ….

Disable Windows 7 IPv6 random temporary addresses

4 08 2011

One of the added privacy features of IPv6 addressing is “temporary address interface identifiers”.

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address (the interface identifier) from the 48-bit MAC address. Many see this as a privacy problem: the last half of your IP address never changes, whatever network you connect to, and since MAC addresses are close to unique, the interface ID becomes a stable “cookie” identifying your system.

As a result, RFC 3041 introduced “privacy extensions”: temporary addresses whose interface identifier is generated pseudo-randomly (in the RFC's scheme, from an MD5 hash over a history value and the EUI-64 identifier) and regenerated periodically, so the address changes over time.

*NOTE: Default behaviour of Windows XP & Server 2003 does not use the randomization*

What this means from an administration perspective is that the IPv6 address presented to the network changes after every reboot (and temporary addresses are also regenerated on a timer while the machine is up) ….. which makes things like DNS / FW rules etc a nightmare to manage in a corporate / enterprise scenario where you really need a stable addressing scheme.

I have a /52 IPv6 subnet through a tunnel broker. My border firewall terminates the tunnel & advertises the subnet on the inside interface for autoconfiguration (without having to configure DHCP)

So, lets break it down.

I get a /52 subnet; a /64 out of it is advertised to my internal machines.


In normal configuration, by default in Windows 7 – it generates a randomized Link-local address (not based on the MAC)

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
Link-local IPv6 Address . . . . . : fe80::d95:67db:fba2:7dad%11(Preferred)

Using stateless autoconfiguration I get an IPv6 address from my FW, based on the Link-local address

IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:d95:67db:fba2:7dad(Preferred)

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

However, Windows isn't done yet: it also assigns a Temporary IPv6 address, which is used as the source address for outbound connections. This temporary address is only kept for a set period, and changes when the machine reboots – and here is the problem. How can I configure a firewall rule for this host to reach an external resource?

Here is the result of several reboots:

Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a5cb:b012:16f0:6fa9
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:ec65:b6ca:abd6:1349
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:752b:87c:f84:a4d6
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:1031:46fd:cfd7:d88c
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:5883:7ef2:9c64:6eab
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a400:251a:59:1cd6:bf0f

You can disable this & just use the interface based EUI-64 address by running the following commands.

Bring up a command prompt in administrator mode (Start -> All Programs -> Accessories -> Right click on Command Prompt, run as Administrator)

Then run these commands (each should respond with Ok.)

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Restart your machine

Your machine should now get a stable IPv6 address based on the MAC address. You can now use this address for DNS entries, FW rules etc & its access will remain consistent across reboots.

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:20c:29ff:fe88:9f2a(Preferred)
Link-local IPv6 Address . . . . . : fe80::20c:29ff:fe88:9f2a%10(Preferred)

Excellent – we have a global / routable IPv6 address whose interface identifier comes from the MAC, and it will be the same after every reboot.

A note on the addressing – in this mode the 64-bit interface identifier is derived from the 48-bit MAC address (modified EUI-64, RFC 4291 Appendix A). The MAC is split in half, FF:FE is inserted in the middle, and the universal/local bit (0x02) of the first octet is inverted: 00:1D:BA:06:37:64 becomes 02:1D:BA:FF:FE:06:37:64, i.e. an interface ID of 21d:baff:fe06:3764 (compare the 00-0C-29-… MAC above turning into …:20c:29ff:fe88:9f2a). The prefix advertised on the link is a /64 regardless of the size of the tunnel allocation, so the whole 64-bit identifier, and therefore the whole MAC, appears in the address – which is exactly why the randomised alternative exists.
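The construction above, and its reverse, worked through in code. This is an added example and not part of the original post; it uses the MACs and prefixes shown in this post's ipconfig output and in the Ubuntu ifconfig output earlier on the page, so it also covers the point made there about SLAAC addresses derived from the MAC. Recovering the MAC from an address is the tracking problem the privacy extensions address: anyone who sees the address learns the hardware identifier.

```python
#!/usr/bin/env python3
"""Added example: modified EUI-64 interface identifiers (RFC 4291 Appendix A) and their reverse."""
from __future__ import annotations

import ipaddress
import re


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 for a 48-bit MAC.

    Split the MAC in two, insert ff:fe in the middle, and invert the
    universal/local bit (0x02) of the first octet.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytes.fromhex(digits)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix (RFC 4862)")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def is_eui64_address(addr: str) -> bool:
    """True when bytes 3-4 of the interface identifier carry the ff:fe marker.

    A random identifier matches this by chance with probability 1/65536, so treat
    a hit as strong evidence, not proof.
    """
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_address(addr: str) -> str | None:
    """Recover the MAC from an EUI-64 based address; None for random/temporary identifiers."""
    if not is_eui64_address(addr):
        return None
    p = ipaddress.IPv6Address(addr).packed
    octets = bytes([p[8] ^ 0x02]) + p[9:11] + p[13:16]   # undo the bit flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str) -> str:
    """Describe an address the way an auditor reading ipconfig/ifconfig output would."""
    scope = "link-local" if ipaddress.IPv6Address(addr).is_link_local else "global"
    mac = mac_from_address(addr)
    if mac is not None:
        return f"{scope}, EUI-64 (MAC {mac})"
    return f"{scope}, random/temporary interface ID"


if __name__ == "__main__":
    # Addresses from this page's own ipconfig/ifconfig listings.
    print(slaac_address("aaaa:bbbb:cccc:dddd::/64", "00-0C-29-88-9F-2A"))
    print(slaac_address("2001:470:489e::/64", "00:50:56:a1:70:d1"))
    for a in ("aaaa:bbbb:cccc:dddd:20c:29ff:fe88:9f2a",
              "aaaa:bbbb:cccc:dddd:a5cb:b012:16f0:6fa9",
              "fe80::d95:67db:fba2:7dad"):
        print(f"{a:40s} {classify(a)}")
```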