Update, 11 August 2017: latest Chinese-language tutorial
Reference: http://forums.smallnetbuilder.com/showthread.php?t=9185
It took me a bit to get this going, so I thought I would share. When you are done you will have IPv6 in your home for all your devices.
High level instructions
1. Sign up for a (free!) tunnel account @ http://tunnelbroker.net/
2. Change your DDNS settings in asuswrt to update your v4 IP at HE if it changes
3. Set up an IPv6 6in4 tunnel
4. Put an ip6tables firewall script on the router
5. Run the test @ http://test-ipv6.com/ and enjoy!
OK, some details.
I assume you can all do #1 without trouble.
For #2, on your asuswrt interface, go to WAN/DDNS. Select the 'www.tunnelbroker.net' provider. In 'Host Name' put the tunnel ID of your tunnel. This is a ~5 digit number, and appears on your 'Tunnel Details' page on the tunnelbroker.net website after you have logged in. In "User Name or Email Address" put your User ID, which is a really long alphanumeric string that you will see if you click on "Main Page" (just above account info) on the tunnelbroker.net site. Then enter your password. Once this is done, the DDNS client on the router will update HE each time your IP changes.
For #3, select 'IPv6' on the asuswrt interface. Select 'Tunnel 6in4' for connection type. Enter the Server IPv4 Address from your HE tunnel details page. Enter the Client IPv6 address (without the mask; this should end in ::2). Select 64 for IPv6 prefix length. Select 1480 for Tunnel MTU. Select 255 for Tunnel TTL. In the IPv6 LAN settings, take the value from 'Routed /64' on your tunnel details page and enter it as the LAN IPv6 prefix. Do not put the mask, but end in :: (e.g. X:X:X:X::). Enter 64 for the prefix length. In the IPv6 DNS resolvers, put 2001:470:20::2, 2001:4860:4860::8888, and 2001:4860:4860::8844. Now select 'Enable Router Advertisement'.
At this stage you should have IPv6 connectivity; you can check that here: http://test-ipv6.com/, or run 'ifconfig' on your Linux machine or 'ipconfig' on your Windows machine. These should have gotten an IPv6 address from the router via router advertisement. If not, debug until you do.
For #4, you are going to want to do some firewalling, I think (if you are happy with all your interior machines open on the internet, skip this). Go to the Administration/System tab and enable JFFS. Now create a file called /jffs/scripts/firewall-start [I did this via SSH] based on the script attached to this thread. You need to change the top 3 variable lines to match your tunnel addresses.
This will allow any machine inside your house to do what it wants, but disallows incoming connectivity.
At this stage, re-run the ipv6 test http://test-ipv6.com/, and you should be good to go.
You may wish to remove the bottom 3 lines of the script (the LOG ones); they are for debugging but cost a lot of performance.
Firewall script, save as "firewall-start.txt":
```sh
#!/bin/sh

# Customise these 3 lines
SUBNETPREFIX='Your routed/64 (ending in ::/64)'
MYTUNNEL='your client ipv6 address (ending in ::2)'
HETUNNEL='your server ipv6 address (ending in ::1)'

# Load IPv6 connection tracking; the '-m state' rules below depend on it.
# The module path is the one from the original post, adjust it for your firmware.
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko 2>/dev/null

# change LAN and IPv6 WAN interface name according to your requirements
WAN_IF='v6in4'
LAN_IF='br0'

# First flush and delete all:
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

ip6tables -F
ip6tables -X
ip6tables -X AllowICMPs 2>/dev/null

# DROP all traffic by default
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow replies to the router's own outbound traffic (without this the
# router's own IPv6 DNS and NTP queries never get their answers back)
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT -o $WAN_IF -j ACCEPT

# Allow the localnet to access us:
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia setting on the ipv6 interface: refuse NEW inbound TCP/UDP from the tunnel.
# '-I' puts these rules at the top of the chain, ahead of the ESTABLISHED,RELATED
# rules, so they must be limited to NEW state or they would also drop the UDP
# replies (DNS, for example) to connections opened from inside.
ip6tables -I INPUT -i $WAN_IF -p tcp --syn -m state --state NEW -j DROP
ip6tables -I FORWARD -i $WAN_IF -p tcp --syn -m state --state NEW -j DROP
ip6tables -I INPUT -i $WAN_IF -p udp -m state --state NEW -j DROP
ip6tables -I FORWARD -i $WAN_IF -p udp -m state --state NEW -j DROP

# Allow forwarding on the ipv6 interface: new connections only from our own /64
ip6tables -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow dedicated ICMPv6 packet types, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT

#
# Only the HE tunnel endpoint is allowed to ping us
#
ip6tables -A INPUT -p icmpv6 -s $HETUNNEL -d $MYTUNNEL -j AllowICMPs

# Log (debugging only, expensive; everything reaching here hits the DROP policy)
ip6tables -A INPUT -j LOG --log-prefix "INPUT-v6:"
ip6tables -A FORWARD -j LOG --log-prefix "FORWARD-v6:"
ip6tables -A OUTPUT -j LOG --log-prefix "OUTPUT-v6:"
```
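Rule order decides what this script actually lets through: `-I` inserts at the top of the chain, so an unconditional UDP drop on the tunnel interface sits ahead of the ESTABLISHED,RELATED rule and also eats the replies to UDP (DNS, for instance) that LAN hosts sent out. The following added example, which is not part of the original post, is a tiny ip6tables-style chain evaluator over constructed packets; it contrasts that ordering with the same drops restricted to NEW state, using the interface names from the script (only the fields the point needs are modelled).

```python
# Added example (not from the original post): minimal netfilter-style chain
# evaluator to show why the 'paranoia' drops must be limited to NEW state.
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Pkt:
    in_if: str      # interface the packet arrived on
    proto: str      # tcp / udp / icmpv6
    state: str      # conntrack state: NEW or ESTABLISHED
    syn: bool = False

@dataclass
class Rule:
    target: str     # ACCEPT or DROP
    in_if: Optional[str] = None
    proto: Optional[str] = None
    state: Optional[str] = None
    syn: Optional[bool] = None

    def matches(self, p: Pkt) -> bool:
        # An unset field is a wildcard, like an omitted ip6tables match
        return all(v is None or v == getattr(p, k)
                   for k, v in vars(self).items() if k != "target")

def evaluate(chain: List[Rule], p: Pkt, policy: str = "DROP") -> str:
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

WAN, LAN = "v6in4", "br0"   # interface names used by the script above

# FORWARD chain as '-I' builds it (drops on top) followed by the '-A' rules
PARANOIA_UNCONDITIONAL = [
    Rule("DROP", in_if=WAN, proto="udp"),
    Rule("DROP", in_if=WAN, proto="tcp", syn=True),
    Rule("ACCEPT", in_if=LAN, state="NEW"),
    Rule("ACCEPT", state="ESTABLISHED"),
]
# Same chain, but the drops apply to NEW connections only
PARANOIA_NEW_ONLY = [
    Rule("DROP", in_if=WAN, proto="udp", state="NEW"),
    Rule("DROP", in_if=WAN, proto="tcp", state="NEW", syn=True),
    Rule("ACCEPT", in_if=LAN, state="NEW"),
    Rule("ACCEPT", state="ESTABLISHED"),
]

def verdicts(chain: List[Rule]) -> Tuple[str, str, str]:
    """Verdicts for: unsolicited SYN from the tunnel, DNS reply to a LAN host, LAN host going out."""
    probe = Pkt(WAN, "tcp", "NEW", syn=True)        # constructed inbound probe
    dns_reply = Pkt(WAN, "udp", "ESTABLISHED")      # constructed reply to a LAN query
    outbound = Pkt(LAN, "udp", "NEW")               # constructed LAN-originated packet
    return tuple(evaluate(chain, p) for p in (probe, dns_reply, outbound))
```

With the unconditional drops the DNS reply is dropped along with the probe; with the NEW-only drops the probe is still refused and the reply reaches the ESTABLISHED rule.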