vm-net [firewall(iptables), nat, dhcp(isc), dns(bind/named) and ipv6 tunnel(6to4)]


  • Firewall (either a direct iptables script or using Shorewall) + portscan blocker(?)
  • Firewall / traffic shaper (network traffic priority for httpd, gaming & VoIP traffic)
  • NAT (allowing multiple computers on one internet connection, using the second public IP address I have available)
  • DHCP (handing out IP addresses, in the future with an LDAP backend)
  • NAMED/BIND/DNS (DNS server for locally hosted domains)
  • NAMED/BIND/DNS (banner blocker, redirects outgoing requests for doubleclick to localhost etc.)
  • IPv6 connectivity (possibly even handing out IPv6 addresses to clients with radvd(?))
  • Traffic shaping
  • Traffic counting (MRTG, rrdtool?)


nano /etc/network/interfaces

from 'man interfaces': address and netmask are required, gateway optional [I need it however]

IPv6 connectivity

apt-get install iputils-ping    (the Debian package that provides ping6)
ping6 -I eth0 <ipv6_address>

http://www.shorewall.net/6to4.htm#id2672474

Shorewall log entry for incoming 6to4 traffic being dropped. PROTO=41 is IPv6-in-IPv4 encapsulation, so the net->fw policy has to accept protocol 41 for the tunnel to work (that is what the Shorewall 6to4 page above sets up):

Dec 3 16:04:53 vm-mgr kernel: [ 375.333415] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=b6:5d:03:e9:5b:10:00:01:71:0b:85:9c:08:00 SRC= DST=Inet2_IP LEN=124 TOS=0x00 PREC=0x00 TTL=249 ID=0 DF PROTO=41

To ping all IPv6 hosts on your LAN, ping the link-local all-nodes multicast group (http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x811.html):

ping6 -I eth0 ff02::1

IPv6 done:

sgiebels@toad:~$ ping6 www.pcprobleemloos.nl

(works because the host has an AAAA record)

http://www.deepspace6.net/projects/initscripts-ipv6.html#id2851702 (6to4 relay tunnel router)

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html Using "ip" and a dedicated tunnel device

The 6to4 prefix is derived from the host's public IPv4 address (2002:VVWW:XXYY::/48 for VV.WW.XX.YY):

ipv4=""          # the public IPv4 address of this host (value not preserved on this page)
printf "2002:%02x%02x:%02x%02x::1\n" `echo $ipv4 | tr "." " "`
2002:9163:f628::1

On a Red Hat style system the HOWTO also edits /etc/sysconfig/network ([root@localhost network-scripts]# nano ../network). The tunnel itself, with the relay's IPv4 address (not preserved on this page) written in the IPv4-compatible ::a.b.c.d form:

/sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local $ipv4
/sbin/ip link set dev tun6to4 up
/sbin/ip -6 addr add 2002:9163:f628::1/16 dev tun6to4
/sbin/ip -6 route add 2000::/3 via ::<relay_ipv4> dev tun6to4 metric 1
ping6 ipv6.google.com
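The prefix computation and tunnel setup above as one script, added here as an example (it is not the HOWTO's code and not this page's own script). It derives the 2002::/16 prefix from the public IPv4 address, refuses addresses 6to4 cannot use (an RFC 1918 or otherwise non-global address embeds into a prefix nobody will route), and prints the ip commands; with --apply as root it executes them. The relay default 192.88.99.1 is an assumption: it is the RFC 3068 anycast relay, which RFC 7526 has since deprecated, so substitute the relay your ISP documents. The address 192.0.2.1 used below is a documentation address.

```bash
#!/bin/sh
# Added example, not from the page or the HOWTO: compute the 6to4 prefix for a
# public IPv4 address, refuse addresses 6to4 cannot work with, and emit the
# tunnel commands the HOWTO uses. Without --apply it only prints them.
# The relay default (192.88.99.1, the RFC 3068 anycast relay) is an assumption;
# RFC 7526 deprecated that anycast prefix, so prefer a relay your ISP names.

# 6to4 (RFC 3056): prefix 2002:VVWW:XXYY::/48 for IPv4 address VV.WW.XX.YY.
sixto4_prefix() {
    # the unquoted substitution splits the address into its four octets
    printf '2002:%02x%02x:%02x%02x::' $(echo "$1" | tr '.' ' ')
}

# A 6to4 prefix is only routable if the embedded IPv4 address is; reject
# private (RFC 1918), loopback, link-local, CGN (100.64/10), multicast,
# "this" network, and anything that is not a well-formed dotted quad.
is_global_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^(0|[1-9][0-9]*)$/ || $i > 255) exit 1 }
        $1 == 0 || $1 == 10 || $1 == 127 || $1 >= 224 { exit 1 }
        $1 == 172 && $2 >= 16 && $2 <= 31 { exit 1 }
        $1 == 192 && $2 == 168 { exit 1 }
        $1 == 169 && $2 == 254 { exit 1 }
        $1 == 100 && $2 >= 64 && $2 <= 127 { exit 1 }
        { exit 0 }'
}

# Print (mode=dry-run) or execute (mode=apply, needs root) the tunnel setup.
setup_6to4() {
    ipv4=$1; relay=${2:-192.88.99.1}; mode=${3:-dry-run}
    if ! is_global_ipv4 "$ipv4"; then
        echo "refusing: $ipv4 is not a global unicast IPv4 address" >&2
        return 1
    fi
    prefix=$(sixto4_prefix "$ipv4")
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }
    run ip tunnel add tun6to4 mode sit ttl 64 remote any local "$ipv4"
    run ip link set dev tun6to4 up
    run ip -6 addr add "${prefix}1/16" dev tun6to4
    # ::a.b.c.d is the IPv4-compatible notation for the relay's IPv4 address
    run ip -6 route add 2000::/3 via "::$relay" dev tun6to4 metric 1
}

case "${1:-}" in
    "")      ;;                                # sourced: define functions only
    --apply) setup_6to4 "$2" "$3" apply ;;     # ./6to4.sh --apply <ipv4> [relay]
    *)       setup_6to4 "$1" "$2" ;;           # ./6to4.sh <ipv4> [relay]  (dry run)
esac
```

Run it once without --apply and compare the printed commands with the HOWTO's before applying; the tunnel only carries IPv6 traffic to and from relays, so the firewall still has to accept protocol 41 on the outside interface (the Shorewall DROP log above is what happens when it does not).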

[root@localhost sgiebels]# ifup eth0
Global IPv6 forwarding is enabled in configuration, but not currently enabled in kernel
Please restart network with '/sbin/service network restart'



Iptables firewall

Note: be careful when adjusting firewall settings on a remote computer, make sure you don't lock yourself out! For example, 'iptables -F' flushes the rules but leaves the chain policies in place: with a DROP policy on INPUT and no rules, nothing gets in any more, including your own SSH session.


# iptables -F
# chmod 700 rc.firewall
# nano rc.firewall
# update-rc.d rc.firewall defaults 19
    update-rc.d: using dependency based boot sequencing
    insserv: warning: script 'rc.firewall' missing LSB tags and overrides

http://www.linuxtopia.org/Linux_Firewall_iptables/x5091.html (a simple rc.firewall example for iptables)

cd /etc/init.d
http://electron.mit.edu/~gsteele/firewall/
wget http://electron.mit.edu/~gsteele/firewall/firewall

The script is broken as downloaded: edit INTERFACES (br0 or eth0). Test the firewall on vm-mgr first.

chmod ugo+x /etc/init.d/firewall
update-rc.d firewall start 40 S . stop 89 0 6 .

cp firewall /lxc/vm-template/rootfs/etc/init.d/firewall
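A complete rc.firewall for the setup the page describes (stateful filter, LAN-to-WAN NAT via the second public IP, protocol 41 for 6to4), added here as an example; it is not the page's script and not the MIT one linked above. The LSB header at the top is what the insserv warning from update-rc.d is complaining about. Two design points: the ruleset is built as one iptables-restore text and loaded atomically, so there is never a moment with a DROP policy and no ACCEPT rules, and 'start' arms a timer that restores the previous ruleset unless 'confirm' is run within ROLLBACK_SECS, which is the practical answer to the lock-out warning above. Interface names (eth0 outside, eth1 inside), the LAN subnet 192.168.1.0/24 and the SNAT address 203.0.113.2 are assumptions taken from the environment.

```bash
#!/bin/sh
### BEGIN INIT INFO
# Provides:          rc.firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: stateful iptables firewall + NAT for vm-net
### END INIT INFO
# Added example, not the page's own rc.firewall. Interface names, the LAN
# subnet and the second public IP used for SNAT are assumptions; override them
# from the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}                        # or br0, as the page notes
LAN_NET=${LAN_NET:-192.168.1.0/24}      # constructed
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}  # where SSH to the firewall is allowed from
NAT_IP=${NAT_IP:-203.0.113.2}           # the "second public IP" (documentation address)
ROLLBACK_SECS=${ROLLBACK_SECS:-120}
STATE=/var/run/rc.firewall

# Emit the whole ruleset in iptables-restore format. Loading it atomically
# avoids the window a line-by-line script has between "policy DROP" and the
# first ACCEPT, which is exactly how one gets locked out of a remote box.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $WAN -p 41 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $NAT_IP
COMMIT
EOF
}
# Note on "-p 41": 6to4 return traffic can come from any relay, so it cannot
# be pinned to a source address; filter the IPv6 side separately with ip6tables.

# Load the new rules, but arm a timer that puts the previous rules back unless
# "confirm" is run within ROLLBACK_SECS. If the new rules cut the SSH session,
# the box recovers by itself.
start() {
    iptables-save > "$STATE.prev"
    if ! build_ruleset | iptables-restore; then
        echo "rc.firewall: iptables-restore failed, previous rules untouched" >&2
        return 1
    fi
    ( sleep "$ROLLBACK_SECS"
      [ -f "$STATE.prev" ] && iptables-restore < "$STATE.prev" \
          && logger -t rc.firewall "rolled back unconfirmed ruleset" ) &
    echo $! > "$STATE.timer"
    echo "rc.firewall: rules loaded; run '$0 confirm' within ${ROLLBACK_SECS}s to keep them"
}
confirm() {
    [ -f "$STATE.timer" ] && kill "$(cat "$STATE.timer")" 2>/dev/null
    rm -f "$STATE.timer" "$STATE.prev"
}
stop() {   # the usual init-script "stop": accept everything and flush
    for t in filter nat; do iptables -t $t -F; done
    for c in INPUT FORWARD OUTPUT; do iptables -P $c ACCEPT; done
}

case "${1:-}" in
    start|restart) start ;;
    confirm)       confirm ;;
    stop)          stop ;;
    show)          build_ruleset ;;
    "")            ;;      # sourced: only define the functions
    *) echo "usage: $0 {start|stop|restart|confirm|show}" >&2; exit 2 ;;
esac
```

'show' prints the ruleset for review without touching the kernel; the conntrack match (xt_conntrack) and LOG target it relies on are both present in the lsmod listing below. In an LXC container those modules have to be loaded on the host, as the Shorewall notes further down found out.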

Netfilter modules as listed by lsmod (module, size, used by):

ipt_LOG                 3570  6
xt_tcpudp               1743  59
iptable_raw             1471  0
xt_comment               599  33
iptable_nat             3551  1
nf_nat                 10568  1 iptable_nat
ipt_REJECT              1517  4
ipt_addrtype            1345  3
xt_multiport            1775  4
xt_MARK                  617  1
iptable_mangle          2325  1
nf_conntrack_ipv4       7597  38 iptable_nat,nf_nat
nf_defrag_ipv4           779  1 nf_conntrack_ipv4
xt_conntrack            1955  35
nf_conntrack           38075  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_conntrack
iptable_filter          1790  1
ip_tables               7690  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables                8327  10 ipt_LOG,xt_tcpudp,xt_comment,iptable_nat,ipt_REJECT,ipt_addrtype,xt_multiport,xt_MARK,xt_conntrack,ip_tables

Shorewall firewall

http://www.shorewall.net/ It uses iptables as back-end


apt-get install shorewall shorewall6 make

will also install: bc libdb4.7 libgdbm3 libio-socket-inet6-perl libsocket6-perl perl perl-modules

Enable shorewall startup upon boot:

cat /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=0

Set startup=1. Do the same for '/etc/default/shorewall6'.

root@vm-net:/etc/default# /etc/init.d/shorewall start
Starting "Shorewall firewall": not done (check /var/log/shorewall-init.log).
root@vm-net:/etc/default# tail /var/log/shorewall-init.log 
Processing /etc/shorewall/shorewall.conf...
Dec  2 01:06:49 Processing /etc/shorewall/shorewall.conf...
Dec  2 01:06:49    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
root@vm-net:/etc/default# /etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": not done (check /var/log/shorewall6-init.log).
root@vm-net:/etc/default# iptables -L
/etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": not done (check /var/log/shorewall6-init.log).
root@vm-net:/etc/default# tail /var/log/shorewall6-init.log 
01:08:03 Shorewall configuration compiled to /var/lib/shorewall6/.start
   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable: Firewall state not changed
Dec 02 01:08:03   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable
Dec 02 01:08:03   ERROR:Shorewall6 restart failed:Firewall state not changed
[: 167: -lt: unexpected operator
   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable: Firewall state not changed
Dec 02 01:08:03   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable
Dec 02 01:08:03   ERROR:Shorewall6 restart failed:Firewall state not changed
root@vm-net:/etc/default# apt-get install ipset
root@vm-net:/etc/default# which ipset
/etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": done.

I'm used to using 'ifconfig', but I know I should read more about 'ip'. 'ip' is a program included in the iproute2 package; ip replaces ifconfig and route on modern Linux systems.

shorewall kernel state match support error

root@vm-net:/etc/shorewall# make
  Shorewall isn't started
  ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

If you run 'iptables -L' on the vm-mgr and retry this, it works OK. Still have to check whether this happens more often, or whether this problem returns after a reboot. It has something to do with the modules (loaded on the vm-mgr). Will have to debug with 'lsmod' before and after the 'iptables -L' action.
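A host-side preflight for exactly this situation, added here as an example (not the page's own script). LXC containers share the host kernel and cannot load modules themselves, so iptables or Shorewall inside a container only has the matches whose modules the host has loaded; running 'iptables -L' on the host autoloads some of them, which is consistent with the observation above. The required-module list is an assumption (xt_state is what '-m state' needs, xt_conntrack what '-m conntrack' needs), and the sample lsmod text is constructed from the listing above for an offline demonstration.

```bash
#!/bin/sh
# Added example, not from the page: before starting a firewall inside an LXC
# container, verify on the host (vm-mgr) that the netfilter modules it needs
# are loaded. Containers share the host kernel and cannot modprobe, so a
# missing module shows up inside the container as "no state match support".
# The module list is an assumption; extend it for the matches your rules use.
REQUIRED_MODULES=${REQUIRED_MODULES:-"ip_tables iptable_filter iptable_nat nf_conntrack nf_conntrack_ipv4 xt_state xt_conntrack ip6_tables ip6table_filter"}

# Read lsmod-style text on stdin; print the names from $1 that are not loaded.
# Returns 1 if anything is missing, 0 otherwise.
missing_modules() {
    loaded=$(awk '$1 != "Module" { print $1 }')   # first column, header skipped
    rc=0
    for m in $1; do
        echo "$loaded" | grep -qxF "$m" || { echo "$m"; rc=1; }
    done
    return $rc
}

# Host side: report what is missing; with "load", modprobe it (needs root).
ensure_modules() {
    if missing=$(lsmod | missing_modules "$REQUIRED_MODULES"); then
        echo "all required netfilter modules are loaded"
        return 0
    fi
    echo "missing on host:" $missing
    [ "${1:-check}" = load ] || return 1
    for m in $missing; do
        modprobe "$m" || echo "modprobe $m failed" >&2
    done
}

# Constructed lsmod excerpt, modelled on the listing on this page, for an
# offline demonstration: state match (xt_state) and the IPv6 tables are absent.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_LOG                 3570  6
iptable_nat             3551  1
nf_nat                 10568  1 iptable_nat
nf_conntrack_ipv4       7597  38 iptable_nat,nf_nat
xt_conntrack            1955  35
nf_conntrack           38075  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_conntrack
iptable_filter          1790  1
ip_tables               7690  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter'

case "${1:-}" in
    "")         ;;                                                      # sourced
    demo)       echo "$SAMPLE_LSMOD" | missing_modules "$REQUIRED_MODULES" ;;
    check|load) ensure_modules "$1" ;;
esac
```

Run './nfmods.sh check' on vm-mgr before starting the container's firewall; anything it lists belongs in /etc/modules on the host so it survives a reboot, which answers the "does it return after a reboot" question above without waiting for the next one.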


Port-forwarding (DNAT) notes; the addresses did not survive on this page and are shown as placeholders:

iptables -t nat -I PREROUTING ! -s <excluded_src> -p tcp --dport 80 -j DNAT --to <internal_ip>
iptables -t nat -A PREROUTING -p tcp -d <public_ip> --dport 80 -j DNAT --to-destination <internal_ip>

DNAT only rewrites the destination address; with a DROP policy on FORWARD, the translated packets also need a matching FORWARD ACCEPT rule, and the internal host needs its default route back through the firewall. See http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables


apt-get install dnsutils bind9


Changing the logging file location

The last configuration to demonstrate is changing the default logging file of ISC dhcpd. First, change the logging line in dhcpd.conf (the original note uses the BSD-style path /usr/local/etc/dhcpd.conf; on Debian isc-dhcp-server reads /etc/dhcp/dhcpd.conf) so that it looks like this:

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

Next, create an empty log file called dhcpd.log:

# touch /var/log/dhcpd.log

Then create an entry for this logfile in /etc/syslog.conf by adding this line (on Debian squeeze the syslog daemon is rsyslog, so the line goes in /etc/rsyslog.conf or a file under /etc/rsyslog.d/), and restart the syslog daemon and dhcpd afterwards:

local7.*    /var/log/dhcpd.log

Installed packages

apt-get install whois
apt-get install dnsutils

dnsutils does not contain 'whois'; whois is a separate package, hence the two installs.

LXC containers and netdiag, tcpflow, trafshow

These don't work, see pcap_findalldevs.txt

Problem with pcap in LXC containers ('pcap_findalldevs'):

root@vm-net:~# tcpflow
tcpflow[1073]: SIOCGIFFLAGS: eth1: No such device
root@vm-net:~# trafshow
pcap_findalldevs: SIOCGIFFLAGS: eth1: No such device

eth0 / eth1? Possible cause: eth1 exists on vm-mgr (the host), but not in vm-net.

Haven't tested wireshark, likely same issue.

apt-get install netdiag trafshow


Free newsserver on IPv6 at NewsXS! NewsXS, a news service provider, offers free access to its newsserver and newsgroups as a stimulus to get more people using IPv6 (instead of IPv4, whose address space is running out).


Add 'contrib' and 'non-free' to the apt sources:

nano /etc/apt/sources.list

before:
deb http://ftp.nl.debian.org/debian squeeze main

after:
deb http://ftp.nl.debian.org/debian squeeze main contrib non-free

Install the software:

root@vm-net:/usr/src# apt-get install sabnzbdplus
The following NEW packages will be installed:
  file javascript-common libexpat1 libjs-excanvas libjs-mochikit libmagic1 libsqlite3-0 libtidy-0.99-0 mime-support par2 python python-chardet
  python-cheetah python-configobj python-feedparser python-libxml2 python-minimal python-openssl python-support python-utidylib python-yenc python2.5
  python2.5-minimal python2.6 python2.6-minimal sabnzbdplus sabnzbdplus-theme-classic sabnzbdplus-theme-plush sabnzbdplus-theme-smpl unrar unzip

Firefox extension: https://addons.mozilla.org/en-US/firefox/addon/7617/?src=external-sabfront (follow its instructions)

Edit sabnzbd.ini to allow hosts other than 'localhost' to access the web interface; the default is

host = localhost

Binding to another address (0.0.0.0 listens on all interfaces) exposes the web UI beyond the machine itself, so set a username and password for the web interface in the same file and limit access with the firewall (next section).

Configuring the firewall

SABnzbd+ 0.5.4 uses port 8080 for HTTP traffic and 9090 for HTTPS.

Open both ports in the firewall, but only from the LAN zone: the web interface should not be reachable from the Internet.
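The same rule in Shorewall terms, added here as an example (not from the page or from shorewall.net), using the zone names the page uses elsewhere (net, loc, $FW). The commented-out line is the mistake to avoid: it publishes the SABnzbd web interface to the Internet.

```text
# /etc/shorewall/rules (column layout as in Shorewall's rules file)
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# Wrong: web UI reachable from the Internet
#ACCEPT  net     $FW   tcp    8080,9090
# Right: LAN only (add a matching line with "loc" -> $FW in shorewall6 for IPv6 clients)
ACCEPT   loc     $FW   tcp    8080,9090
```

Check the result with 'shorewall check' before 'shorewall restart', and remember that with the IPv6 tunnel up the same service is also reachable over IPv6 unless shorewall6 has its own policy.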

SABnzbd+ plugin for Google Chrome

Check out sabconnect++, the best plugin for Chrome & SabNZBD

Test connection to an IPv6 newsserver

root@vm-net:/etc/shorewall6# telnet -6 reader.ipv6.xsnews.nl 119
Trying 2001:67c:174:101::2...
Connected to reader.ipv6.xsnews.nl.
Escape character is '^]'.
201 reader.ipv6.xsnews.nl NNRP Service Ready (no posting).

Press 'Ctrl-]', then type q <return> to exit telnet.


root@vm-mgr:/var/log# modprobe ip6_tables

(loaded on the host, vm-mgr, since the container cannot load kernel modules itself)

ping6 2a00:1450:8001::93

http://www.shorewall.net/MyNetwork.html#params

/etc/shorewall/notrack (the address after "net:!" and the DEST/SOURCE PORT columns of the udp rows did not survive on this page):

#SOURCE          DESTINATION   PROTO   DEST      SOURCE    USER/
#                                      PORT(S)   PORT(S)   GROUP
net:!<address>   -             41
dmz                            udp
dmz                            udp
loc                            udp
loc                            udp
$FW                            udp
$FW                            udp
$FW                            udp

This file omits from connection tracking the 6to4 traffic originating from 6to4 relays as well as broadcast traffic (which Netfilter doesn't handle).

After bind9: copy the configs. See http://www.matja.com/media/lessfsNotes.html and http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00211.html

dig hotelpart.com mx

IPv6 diagnostics

'AAAA' DNS records are used for IPv6 addresses ('A' records for 'old style' IPv4). To look up the IPv6 address of a host, query for AAAA with nslookup or dig:


 1. On the command line, type:
    % nslookup
    The default server name and address are displayed, followed by the nslookup '>' prompt.
 2. To see all records for a particular host, type at the prompt:
    > set q=any
    > <hostname>
 3. To see only AAAA records:
    > set q=AAAA
    > <hostname>


vm-net.txt · Last modified: 2017/01/19 00:50 (external edit)
