Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: freebul on May 03, 2012, 04:02:32 AM

Title: Help me find a suitable distro compatible with HE
Post by: freebul on May 03, 2012, 04:02:32 AM
I registered an account and created a tunnel with Hurricane Electric, about which I hear only good reviews.
So far everything is great, but I have a problem that I cannot solve.
For my routing platform I use Freesco 0.44, which however has an old 2.0.40 kernel and does not support IPv6.
I am looking for a modern alternative to Freesco, which must support Full Cone NAT for IPv4; this is very important to me.
Thanks in advance.
Title: Re: Help me find a suitable distro compatible with HE
Post by: kriteknetworks on May 03, 2012, 06:09:28 AM
Any Linux distribution should do. The NAT functionality and configuration is a function of the kernel and userland utils, which are installed by default on all Linux distributions.
Title: Re: Help me find a suitable distro compatible with HE
Post by: jtcloe on May 03, 2012, 02:40:04 PM
Just for fun, I threw up a Fedora 16 box and had a working tunnel in less than 2 minutes (not counting time to load Fedora).

Are you sure you need "Full Cone NAT"? It's surprising how much that term is misunderstood, and even when the "NAT" part is set up correctly it's also an incredible security hole the way most people end up setting it up, as it's typically done for convenience, leaving security holes wide open.

I've seen more boxes hacked into because someone insisted that a vendor (or on their own) set up FCnat, all under the assumption that nat=security or nat=firewall. IT DOESN'T, and FCnat is the biggest hole of them all.
Title: Re: Help me find a suitable distro compatible with HE
Post by: freebul on May 03, 2012, 03:21:45 PM
Of course NAT is not firewalling.
It is only Network Address Translation.
If my ISP gives me a /24 subnet, I will not use any NAT, only routing and a firewall, but the IP address is only one.
Title: Re: Help me find a suitable distro compatible with HE
Post by: jtcloe on May 03, 2012, 03:44:29 PM
Quote from: freebul on May 03, 2012, 03:21:45 PM
Of course NAT is not firewalling.
It is only Network Address Translation.
If my ISP gives me a /24 subnet, I will not use any NAT, only routing and a firewall, but the IP address is only one.

Full Cone NAT doesn't work with just one IP.
Title: Re: Help me find a suitable distro compatible with HE
Post by: freebul on May 03, 2012, 04:52:58 PM
Full Cone NAT works for me without any problem, but, as I wrote, with kernel 2.0.40.
I want to clarify the following:
Full Cone NAT allows any external host to use the existing state table entry to access the internal host, kind of like a temporary port forward.
1:1 NAT is a mode of NAT that maps one internal address to one external address.
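
The state-table behaviour described in the post above (any external host reusing an existing entry), modelled as an added example that is not part of the original thread. The `Nat` class, the documentation addresses and the port numbers are constructed for illustration, and the two restricted filtering modes go beyond the post and are included only for comparison.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "192.0.2.1"  # constructed documentation address (RFC 5737)

@dataclass
class Nat:
    """Single-public-IP NAT; `filtering` decides which inbound packets may reuse a mapping."""
    filtering: str  # "full_cone", "addr_restricted" or "port_restricted"
    next_port: int = 40000
    by_internal: dict = field(default_factory=dict)  # (int_ip, int_port) -> ext_port
    by_external: dict = field(default_factory=dict)  # ext_port -> (int_ip, int_port)
    contacted: dict = field(default_factory=dict)    # ext_port -> {(remote_ip, remote_port)}

    def outbound(self, src, dst):
        """Translate an outgoing packet; the same internal endpoint always reuses its mapping."""
        if src not in self.by_internal:
            self.by_internal[src] = self.next_port
            self.by_external[self.next_port] = src
            self.contacted[self.next_port] = set()
            self.next_port += 1
        ext_port = self.by_internal[src]
        self.contacted[ext_port].add(dst)
        return (PUBLIC_IP, ext_port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint a packet is delivered to, or None if it is dropped."""
        internal = self.by_external.get(ext_port)
        if internal is None:
            return None  # no state table entry, so there is nothing to reuse
        peers = self.contacted[ext_port]
        if self.filtering == "full_cone":
            return internal  # any external host may use the existing entry
        if self.filtering == "addr_restricted":
            return internal if remote[0] in {ip for ip, _ in peers} else None
        return internal if remote in peers else None  # port_restricted

def demo():
    """Send one reply and one unsolicited packet through each filtering mode."""
    client, server = ("10.0.0.5", 5060), ("198.51.100.7", 5060)
    stranger = ("203.0.113.9", 4444)  # never contacted by the client
    results = {}
    for mode in ("full_cone", "addr_restricted", "port_restricted"):
        nat = Nat(mode)
        _, port = nat.outbound(client, server)
        results[mode] = (nat.inbound(server, port), nat.inbound(stranger, port))
    return results

if __name__ == "__main__":
    for mode, (reply, unsolicited) in demo().items():
        print(f"{mode:16} reply={reply} unsolicited={unsolicited}")
```

Only the full-cone mode delivers the packet from the host the client never contacted, so a mapping of that kind needs its own firewall rule if only known peers should reach the internal host.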
Title: Re: Help me find a suitable distro compatible with HE
Post by: broquea on May 03, 2012, 04:55:39 PM
Can you just not download a more recent kernel (2.4 or 2.6) and compile it on whatever this distro is? Last I heard you can compile things on Linux, like the kernel :)
Title: Re: Help me find a suitable distro compatible with HE
Post by: jtcloe on May 03, 2012, 05:06:42 PM
Full Cone NAT = 1:1 NAT.

You haven't said what the application is or why people need to get to you from the outside, but it sounds like with some carefully crafted nat rules in your firewall there shouldn't be a problem, and probably more secure in the long run.

As far as the IPv6 side, it really is as simple as creating an ifcfg file for the tunnel, adding a v6 IP to the inside interface (I have mine directly on a real IP for the "outside"), turning on IPv6 forwarding, setting up radvd, and writing any firewall rules you want, and you have a working IPv6 router/firewall.
Title: Re: Help me find a suitable distro compatible with HE
Post by: freebul on May 04, 2012, 07:06:41 AM
Thanks for the answers, I will continue to seek a solution to my problem elsewhere.
And remember: Full Cone NAT is not 1:1 NAT
Title: Re: Help me find a suitable distro compatible with HE
Post by: jtcloe on May 04, 2012, 07:12:45 AM
http://en.wikipedia.org/wiki/Network_address_translation
Title: Re: Help me find a suitable distro compatible with HE
Post by: kriteknetworks on May 04, 2012, 11:36:50 AM
I gave you a solution. Any Linux distribution will do. The rest is an exercise of configuration on your part.