Tag Archives: IPv6

Configuring an IPv6 Address in GCP

Posted on by cbroccoli
Comments off

Once I had a working Instance Group I was able to then able to begin configuring the load balancer.  IPv6 load balancing is described in this article.  Essentially they are configuring a reverse proxy which terminates the IPv6 connection and builds a new IPv4 connection to the backend server.

The first step is to select a load balancer and in this case I selected an HTTP(S) load balancer.  Once selected you need to configure the Backend, the Path Rules/URL Map and the Frontend as shown in the following diagram:

Load Balancer Configuration

The Back End maps the load balancer to the instance group.  I chose to disable autoscaling and limit the total number of hosts to 1.  If you have a stateless server you can allow the load balancer to autoscale the service as needed based on load.  Since my LAMP server has a local MySQL database this would not work.

For the Path Rules I added the name and pointed it to the main page for WordPress.  You need to enter a name for the server since GCP does not take IPv6 IP addresses (IPv4 works fine).  Without this rule the load balancer will not know where to route the incoming http packet.

For the Front End I added both IPv4 and IPv6 addresses for testing purposes, in case I needed IPv4 access. 

Once that was complete I could begin testing.  Luckily for me my ISP has already rolled out IPv6 to my house so I already had IPv6 access. For the client configuration, I added a new static entry in my hosts file to allow me to use a name to access the server. I only configured the IPv6 address and to make sure IPv4 was not used at any point in the connection, I removed IPv4 from my network adapter. Once this was done, I was able to use my web browser and access the WordPress host.

Adapter Congiruation

In Wireshark you can see the entire IPv6 connection which shows clearly that the configuration works.

Wireshark Output
Categories: GCP, IPv6, Load Balancer | Tags: ,

IPv6 in GCP

Posted on by cbroccoli
Comments off

I recently attended training on Google Cloud Platform to become a Google Certified Professional Cloud Architect.  During the training I learned that GCP does not support IPv6 natively on Compute Engine instances.  I have been using IPv6 at home for years and I know that Google has been supporting IPv6 on its search engine for the same amount of time, so the lack of support was disappointing. The solution for IPv6 on GCP is to implement a public facing load balancer which will expose an IPv6 address to the Internet and NAT that address to the internal RFC1918 private IPv4 address.  Although this is a valid short term option when migrating to IPv6, one of the great benefits of implementing IPv6 is to eradicate NAT from the world, so hopefully this situation is only temporary and in the future native end to end IPv6 will be supported on GCP.  In the mean time, since we need to live with this solution, I thought it would be worth while to test it and see how it works.

So that I was not just doing a basic protocol test, I decided to use WordPress as the target application.  This would allow for more robust testing of the solution and had the advantage of allowing me to practice what I had learned in training on something more than just a basic Apache server.  Another advantage is that this test would allow me to evaluate if I should move this Blog to GCP and make it IPv6 capable, since at the moment it is not.

With this in mind, I will publish a series of posts covering the steps I am following to get WordPress running on IPv6.  Not all of the steps  are directly related to IPv6, but are necessary when setting up a load balanced service in GCP.  Along the way I will share experiences and tips which might prove helpful for future installations.

In the first step, I will setup a reusable Compute Engine image with a LAMP stack and WordPress.   Using the WordPress Image I will then setup the load balancer with an IPv6 address. Finally, I will test using a native IPv6 host.  The diagram below shows an overview of the design:

Categories: GCP, IPv6, WordPress | Tags: , ,

IPTables

Posted on by cbroccoli
No Comments

One of the interesting features of using CentOS was that IPTables are installed by default.  IPTables is a host based statefull firewall which can be useful for securing a small number of simple servers.  As the number of servers grows or the complexity of the rulebase increases, it would make sense to begin using a host based firewall solution which supports central management and logging.

IPTables rule files are stored under /etc/sysconfig and by default, it sends all logs as standard syslog to /var/log/messages.  The /etc/sysconfig directory contains two files:

  • iptables contains rules for IPv4 services
  • ip6tables contains the rules for IPv6 services

IPtables are managed using a command line syntax to insert, append or delete lines into the respective files.  The command syntax is discussed  in a number of posts, so I won’t go into that here.   The default rules allow everything out of the server and only lets ssh in.   Since the command line is cumbersome, I chose to set up my initial rulebase by replacing the default file with the new file.  Of course, until I was sure that the new rulebase worked, I kept a backup copy of the original rulebase just in case.  Future changes can then be made through the command line.

For a standard web server, I used the following two base files.  The configurations create a new chain called RH-Firewall-1-INPUT into which both the INPUT and FORWARD chains are redirected.  This rulebase also logs all dropped packets to the default file /var/log/messages with the prefix “Firewall-log: “. This makes it easy to view dropped packets by grepping for “Firewall” when viewing the log file.

iptables:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable 
  -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 
  -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 
  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 
  -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG --log-prefix "Firewall-Log: "
-A RH-Firewall-1-INPUT -j DROP
COMMIT

ip6tables:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 
  -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 
  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 
  -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG --log-prefix "Firewall-Log: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

The following commands are useful for managing and monitoring IPTable activity:

Viewing the rules with their respective line numbers (in case you want to delete or insert lines) –

# iptables --line-numbers -n -L

Viewing the rules with number of hits and bytes per rule (to see if the rule is actually working) –

# iptables -L RH-Firewall-1-INPUT -v -n -x

Stopping, starting and restarting –

# service iptables start/stop/restart

After making changes with the command line, do not forget to save the changes with the command before restarting the service –

# service iptables save

Some interesting notes:

  • PUTTY works with both IPv4 and IPv6 to ssh to a client.
  • Stopping, starting and restarting iptables has no impact on established sessions.  So if you are logged into a server via SSH, then you shouldn’t lose your session by restarting iptables.  Just in case there is an issue or if you are worried that you might lock yourself out of the server, you can use a simple shell script to stop iptables if the connection is lost (see below).
   #!/bin/bash
   #
   # Perform 6, 10 second loops to delay for one minute
   # Stop the script if everything goes as planned within 
   # the 60 seconds.
   #
   x=0
   y=60
   echo "Start"
   while [ $x -lt $y ];
    do
        echo $x
        x=$(($x + 10))
        sleep 10s
   done
   service iptables stop
   echo "All Done"
  • If at any time you edit the rules using the GUI, it will reset the entire file to the original default format removing all changes you made.

References:

http://wiki.centos.org/HowTos/OS_Protection

Categories: CentOS, IPTables, IPv6 | Tags: , , ,