• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Help me find a suitable distro compatible with HE

Started by freebul, May 03, 2012, 04:02:32 AM


freebul

I registered an account and created a tunnel with Hurricane Electric, about which I hear only good reviews.
So far everything is great, but I have a problem that I cannot solve.
For a routing platform I use Freesco 0.44, which, however, has an old kernel, 2.0.40, and does not support IPv6.
I am looking for a modern alternative to Freesco which supports mandatory Full Cone NAT for IPv4, which is very important to me.
Thanks in advance.

kriteknetworks

Any Linux distribution should do. The NAT functionality and configuration is a function of the kernel and userland utils, which are installed by default on all Linux distributions.

jtcloe

Just for fun, I threw up a Fedora 16 box and had a working tunnel in less than 2 minutes (not counting time to load Fedora).

Are you sure you need "Full Cone NAT"? It's surprising how much that term is misunderstood, and even when the "NAT" part is set up correctly it's also an incredible security hole the way most people end up setting it up, as it's typically done for convenience, leaving security holes wide open.

I've seen more boxes hacked into because someone insisted that a vendor (or they themselves) set up FCnat, all under the assumption that nat=security or nat=firewall. IT DOESN'T, and FCnat is the biggest hole of them all.

freebul

Of course NAT is not firewalling.
It is only Network Address Translation.
If my ISP gives me a /24 subnet I will not use any NAT, only routing and a firewall, but the IP address is just one.

jtcloe

Quote from: freebul on May 03, 2012, 03:21:45 PM
Of course NAT is not firewalling.
It is only Network Address Translation.
If my ISP gives me a /24 subnet I will not use any NAT, only routing and a firewall, but the IP address is just one.

Full Cone NAT doesn't work with just one IP.

freebul

Full Cone NAT works for me without any problem, but, as I wrote, with kernel 2.0.40.
I want to clarify the following:
Full Cone NAT allows any external host to use the existing state table entry to access the internal host, kind of like a temporary port forward.
1:1 NAT is a mode of NAT that maps one internal address to one external address.
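
The two definitions in the post above, modelled side by side with a port-restricted NAT for contrast. This is an added example, not part of the original thread; the `Nat` class, its mode names and all addresses (documentation ranges) are constructed for illustration and simplify real kernel behaviour.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed address (documentation range)

@dataclass
class Nat:
    mode: str                      # "full_cone", "port_restricted" or "one_to_one"
    static_host: str = ""          # internal address used by one_to_one mode
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # public port -> (internal ip, port)
    contacted: dict = field(default_factory=dict)  # public port -> {(remote ip, port)}

    def outbound(self, src, dst):
        """Internal src sends to external dst; return the public (ip, port) used."""
        if self.mode == "one_to_one":
            return (PUBLIC_IP, src[1])             # address rewritten, port kept
        pub = next((p for p, s in self.mappings.items() if s == src), None)
        if pub is None:                            # first packet from this socket
            pub, self.next_port = self.next_port, self.next_port + 1
            self.mappings[pub] = src
        self.contacted.setdefault(pub, set()).add(dst)
        return (PUBLIC_IP, pub)

    def inbound(self, src, dst_port):
        """External src sends to PUBLIC_IP:dst_port; return internal target or None."""
        if self.mode == "one_to_one":
            return (self.static_host, dst_port)    # every port, no state required
        inside = self.mappings.get(dst_port)
        if inside is None:
            return None                            # no state table entry: dropped
        if self.mode == "port_restricted" and src not in self.contacted[dst_port]:
            return None                            # only the contacted peer may reply
        return inside

def compare():
    """Run the same constructed traffic through each mode and collect the results."""
    host, peer, stranger = ("192.168.1.20", 5060), ("198.51.100.5", 5060), ("198.51.100.99", 40123)
    results = {}
    for mode in ("full_cone", "port_restricted", "one_to_one"):
        nat = Nat(mode, static_host=host[0])
        _, pub_port = nat.outbound(host, peer)
        results[mode] = {
            "peer_reply": nat.inbound(peer, pub_port),
            "stranger_same_port": nat.inbound(stranger, pub_port),
            "stranger_other_port": nat.inbound(stranger, 22),
        }
    return results

if __name__ == "__main__":
    for mode, r in compare().items():
        print(mode, r)
```

In this model the full cone mapping admits an unrelated remote host on the mapped port only, while the 1:1 mapping exposes every port of the internal host, so in both cases the filtering has to come from firewall rules rather than from the translation itself.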

broquea

Can you just not download a more recent kernel (2.4 or 2.6) and compile it on whatever this distro is? Last I heard you can compile things on Linux, like the kernel :)

jtcloe

Full Cone NAT = 1:1 NAT.

You haven't said what the application is or why people need to get to you from the outside, but it sounds like with some carefully crafted NAT rules in your firewall there shouldn't be a problem, and it would probably be more secure in the long run.

As far as the IPv6 side, it really is as simple as creating an ifcfg file for the tunnel, adding a v6 IP to the inside interface (I have mine directly on a real IP for the "outside"), turning on IPv6 forwarding, setting up radvd, and writing any firewall rules you want, and you have a working IPv6 router/firewall.

freebul

Thanks for the answers, I will continue to seek a solution to my problem elsewhere.
And remember: Full Cone NAT is not 1:1 NAT


kriteknetworks

I gave you a solution. Any Linux distribution will do. The rest is an exercise of configuration on your part.