Sunday, 21 February 2016

Making the WebServer IPv6 Ready!

Gathering initial info:

This can be done with the following steps.
As we are using Linode, the server is IPv6 enabled by default. To check and confirm that, run the following command:

# ip -6 addr show

It will come up with this result:

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
      inet6 2001:DB8:2000:aff0::/32 scope global
        valid_lft forever preferred_lft forever
      inet6 ff32:20:2001:db8::/96 scope link
        valid_lft forever preferred_lft forever

The inet6 line marked scope global confirms that our server is IPv6 enabled. (The scope global address is our IPv6 address, which is reachable from any other machine that is also IPv6 enabled and ready.)

On the fly testing:

If we don’t see the IPv6 scope global line, we can always go to the Linode Remote Panel, note the IPv6 address and the IPv6 gateway, and add them on the fly like this:

# ip -6 addr add public_ipv6_address/64 dev eth0

# ip -6 route add default via public_ipv6_gateway dev eth0

Making the IPv6 Configuration Persistent:

To make it IPv6 ready we need to just change two files:

1. Modify the /etc/sysconfig/network to look like this:

NETWORKING=yes
NETWORKING_IPV6=yes

2. Modify the /etc/sysconfig/network-scripts/ifcfg-eth0 to look exactly like this (use the IP addresses that you noted in the step above):

DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:ab:c4:1e:01
IPADDR=82.196.8.192
NETMASK=255.255.255.0
GATEWAY=82.196.8.1
NM_CONTROLLED='no'
IPV6INIT=yes
IPV6ADDR=2A03:B0C0:0000:1010:0000:0000:00A7:E001/64
IPV6_DEFAULTGW=2A03:B0C0:0000:1010:0000:0000:0000:0001
IPV6_AUTOCONF=no
DNS1=2001:4860:4860::8844
DNS2=2001:4860:4860::8888

Once this is all done, we need to disable NetworkManager, which can interfere with our network settings. This can be done as follows:

# sudo systemctl stop NetworkManager 

# sudo systemctl disable NetworkManager

Now restart the normal network service:

# sudo service network restart

Add Additional IPs:

On Linode, one can request additional IPv6 addresses at any time by opening a support ticket.

To add them, modify ifcfg-eth0 to something like this:

IPV6INIT=yes
IPV6ADDR=primary_ipv6_address/64
IPV6_DEFAULTGW=ipv6_gateway
IPV6ADDR_SECONDARIES="second_ipv6_address/64 third_ipv6_address/64"
IPV6_AUTOCONF=no

To verify if our Server is now IPv6 ready and working, just issue the following command from the terminal:

# ping6 ipv6.google.com

If the reply is something like this:

PING ipv6.google.com(li-in-x8a.1e100.net) 56 data bytes
64 bytes from li-in-x8a.1e100.net: icmp_seq=1 ttl=42 time=150 ms
64 bytes from li-in-x8a.1e100.net: icmp_seq=2 ttl=42 time=150 ms
64 bytes from li-in-x8a.1e100.net: icmp_seq=3 ttl=42 time=150 ms
64 bytes from li-in-x8a.1e100.net: icmp_seq=4 ttl=42 time=150 ms

That means our Server is IPv6 enabled and ready and functional!

This is only half of the work done! Let’s go onward!

Making the Web Server IPv6 Ready:

To make the Web Server IPv6 ready, i.e. serve our web content over IPv6, we need to go through the following steps:

Make a DNS entry:

We need to have the DNS record for IPv6 to resolve the IP. To add the record we put the IP into the AAAA record of the DNS entry.

Disabling the CentOS 7 Firewall:

For our ease, we need to disable the default firewall (firewalld). It is done as follows:

# systemctl mask firewalld
# systemctl stop firewalld

Enabling the Iptables service:

As we need to serve our content on IPv6 as well as IPv4, we will enable both the iptables and the ip6tables services on our server. The steps are as follows:

# yum -y install iptables-services

# systemctl enable iptables
# systemctl enable ip6tables

Finally, let’s start the iptables services:

# systemctl start iptables
# systemctl start ip6tables

Open ports on Web Server:

In order to serve the content, we need to open port 80 and port 443 on our server, for non-SSL and SSL connections respectively.

i. For IPv4:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

ii. For IPv6

# ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

# ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

Verify the tables by: (make sure the correct rules are added)

# cat /etc/sysconfig/iptables   # IPv4

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2624]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT

# cat /etc/sysconfig/ip6tables   # IPv6

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT

Now save the rules:

# service iptables save

# service ip6tables save
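
Both saved rulesets above keep the INPUT policy at ACCEPT, so the port 80 and 443 rules do not restrict anything: every other port is accepted as well. The following added example (not part of the original post) is a small checker for iptables-save format text that flags this, and for a default-deny IPv6 ruleset also checks that established traffic and ICMPv6 (needed for neighbor discovery) are accepted. The names audit_rules, post_rules and hardened_rules are hypothetical, and both embedded rulesets are constructed samples; the hardened one assumes SSH on port 22.

```shell
# Added example, not from the original post. Audits iptables-save text on stdin;
# $1 is the address family (4 or 6). Prints findings, returns 1 if there are any.
audit_rules() {
    awk -v fam="$1" '
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            # Overwritten per rule, so at END it describes the last INPUT rule:
            # an unconditional DROP/REJECT there acts as a default deny.
            catchall = ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
            if ($0 ~ /-p (ipv6-icmp|icmpv6) .*-j ACCEPT/) icmp6 = 1
            if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = 1
        }
        END {
            deny = (policy == "DROP" || catchall)
            if (!deny) { print "INPUT default is ACCEPT: the port rules filter nothing"; n++ }
            if (deny && !est) { print "no ESTABLISHED rule: reply traffic is dropped"; n++ }
            if (deny && fam == 6 && !icmp6) { print "ICMPv6 not accepted: neighbor discovery fails"; n++ }
            exit (n > 0)
        }'
}
# Constructed sample: the IPv6 ruleset as saved in the post.
post_rules() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}
# Constructed sample: default-deny variant; assumes SSH on port 22.
hardened_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}
post_rules | audit_rules 6 || true
hardened_rules | audit_rules 6 && echo "hardened ruleset: no findings"
```

To audit the host itself, feed the saved files to the function after the save step above, for example audit_rules 6 < /etc/sysconfig/ip6tables and audit_rules 4 < /etc/sysconfig/iptables.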

Verify that the server is listening:

i. For IPv4:

# nmap 82.196.0.141

Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-20 21:19 EST
Nmap scan report for 82.196.0.141
Host is up (0.000011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

ii. For IPv6:

# nmap -6 2a03:b0c0:0:1010::102:4001

Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-20 21:19 EST
Nmap scan report for centos-512mb-ams2-01 (2a03:b0c0:0:1010::102:4001)
Host is up (0.000026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Keep going!

Making Apache Ready:

Only slight changes are needed to make Apache serve the content over IPv6 and IPv4 simultaneously. They are listed as follows:

Go to httpd.conf and find the line like this:

Listen 80

And modify it to something like this:

Listen *:80

Then move on to the file ssl.conf and find the line that looks something like this:

Listen 443 https

And change it to:

Listen *:443 https

Then go to the virtual host file and make sure the vhost header is like this for 80 and 443 respectively:

<VirtualHost *:80>

<VirtualHost *:443>

Now give the server a restart:

# systemctl restart httpd

That’s It! Job Done! Now onwards for verification.

Verifying our IPv6 service:

Although there are multiple ways of verifying whether our content is being served correctly over IPv6, I’m listing a few of them:

The ping method:

From any other IPv6-enabled server, run the following against this one:

# yum -y install bind-utils

# host -t AAAA www.nasheikh.com

The response would be something like this:

www.nasheikh.com is an alias for nasheikh.com.
nasheikh.com has IPv6 address 2a03:b0c0:0:1010::102:4001

Now ping it:

# ping6 nasheikh.com

The response:

PING nasheikh.com(centos-512mb-ams2-01) 56 data bytes
64 bytes from centos-512mb-ams2-01: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from centos-512mb-ams2-01: icmp_seq=2 ttl=64 time=0.130 ms
64 bytes from centos-512mb-ams2-01: icmp_seq=3 ttl=64 time=0.090 ms

Now that we have verified that the domain is resolving properly, there is one more method of verifying whether the content is being served properly. This method is a more comprehensive way of IPv6 testing.

Open the link:

http://ipv6-test.com/validate.php

Enter the domain name and click on validate. It will take you to the next page and show you the result of the IPv6 support test. If everything was done correctly, you will be shown a result like ipv6 ready!

Congratulations! Your website is now IPv6!! Yay! This marks the end of the tutorial as well!