Category Archives: Linux System Administration

Notes from administering and working with Linux based servers.

ISC-DHCP-Server – disable dhcpv6 (Debian 9)

The isc-dhcp-server package included in Debian 9 will attempt to start a DHCPv6 instance on servers with a dual-stack (IPv4 and IPv6) configuration.

If DHCPv6 is unconfigured (for example because Router Advertisements are used to configure IPv6 hosts), the service fails to start: the DHCPv4 instance is running, but Systemd reports the service as failed.

One work-around is to force isc-dhcp-server to start only the v4 instance. Add the following line to /etc/default/isc-dhcp-server:

INTERFACESv4=eth0

where eth0 is the interface on which DHCP requests should be serviced.

After restarting the service, the DHCP server runs only on v4 and, as long as the v4 config is correct, Systemd reports the service as successfully started.
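The edit above is a one-line change, but it is easy to end up with two INTERFACESv4 lines or a leftover value that keeps the v6 instance alive. The following is an added example (not code from the original post or from the Debian package) that applies the change idempotently to the file's text and then checks that only the v4 instance has interfaces to listen on. The file path is the one the post names; the SAMPLE content is constructed to mirror the Debian 9 layout of that file.

```python
"""Limit isc-dhcp-server to its IPv4 instance by setting INTERFACESv4 in
/etc/default/isc-dhcp-server (the Debian 9 layout of that file).

Added example, not from the original post or the Debian package. It
works on the file's text so the edit can be tried on a constructed
sample first; SAMPLE below is constructed.
"""
import re

DEFAULT_FILE = "/etc/default/isc-dhcp-server"  # path as given in the post

# Linux interface names are at most 15 characters; reject anything that
# could break the shell-sourced file (spaces, quotes, $ and so on).
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")
# An existing INTERFACESv4 line, commented out or not, confined to one line.
_V4_LINE = re.compile(r"^[ \t]*#?[ \t]*INTERFACESv4=.*$", re.MULTILINE)


def set_v4_only(text: str, iface: str) -> str:
    """Return `text` with INTERFACESv4 set to `iface`; applying it twice
    gives the same result."""
    if not _IFACE_RE.match(iface):
        raise ValueError(f"refusing unusual interface name {iface!r}")
    line = f'INTERFACESv4="{iface}"'
    if _V4_LINE.search(text):
        # Replace every existing assignment (active or commented out) so a
        # stale active line cannot survive behind a commented one.
        return _V4_LINE.sub(line, text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def interfaces_in(text: str) -> dict[str, str]:
    """Return the effective (uncommented) INTERFACES* assignments."""
    found: dict[str, str] = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"^(INTERFACES(?:v4|v6)?)=(.*)$", stripped)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("\"'")
    return found


def v4_only(text: str) -> bool:
    """True when the v4 instance has interfaces and the v6 instance has none."""
    env = interfaces_in(text)
    return bool(env.get("INTERFACESv4")) and not env.get("INTERFACESv6")


SAMPLE = 'INTERFACESv4=""\nINTERFACESv6=""\n'  # constructed Debian 9 defaults

if __name__ == "__main__":
    updated = set_v4_only(SAMPLE, "eth0")
    print(updated, "v4 only:", v4_only(updated))
```

To apply it for real, read DEFAULT_FILE, pass its contents through set_v4_only, write the result back and restart the service; v4_only on the new contents tells you before the restart whether the v6 instance will still be started.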

ISC DHCP Server – Option 43 (Vendor specific attribute)

DHCP (RFC 2132) allows vendor-specific data to be distributed to clients.

Important notes:
– clients must request Option 43 in their Parameter Request List (Option 55).
– the Vendor Class Identifier (Option 60) sent by the client in the DHCP Request must match ‘VendorName’, which is used in the ISC DHCP Server configuration below.

Example server configuration section from dhcpd.conf:

    option space VendorName;
    option VendorName.serviceName code 1 = text;
    option local-encapsulation code 43 = encapsulate VendorName;
    option VendorName.serviceName "data";

– where VendorName matches the value of the client’s Vendor Class Identifier (Option 60).
– ‘serviceName’ is used only as an internal reference within the DHCP server’s configuration, and must be different for each ‘code’ value.

Up to 256 codes may be used for each vendor-specific configuration. All fields are returned to the client whose Vendor Class Identifier matches.

The DHCP server returns the vendor attributes in the DHCP Response. The data is encoded in binary in the following format for each code:
Byte 0: code
Byte 1: length
Byte 2: data
…
Byte length+2: final data byte
… then the next field follows, again starting with code, length, data…
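To see what the configuration above actually puts on the wire, and to check what a client received, it helps to have the code/length/data layout in working code. The following is an added example, not code from the original post or from ISC dhcpd: an encoder and a bounds-checked decoder for the Option 43 payload. The sub-option number (code 1) and value ("data") mirror the dhcpd.conf snippet above; the packet bytes used in the demonstration are constructed, not captured.

```python
"""Encode and decode the DHCP Option 43 payload (vendor-encapsulated
options, RFC 2132 section 8.4).

Added example, not code from the original post or from ISC dhcpd. The
sub-option number (code 1) and value ("data") mirror the dhcpd.conf
snippet above; the bytes used for the demonstration are constructed.
"""
from __future__ import annotations


def encode_option43(suboptions: dict[int, bytes]) -> bytes:
    """Build the Option 43 payload as a sequence of code/length/data fields.

    Each field is one byte of code, one byte of length and then `length`
    bytes of data, which is the layout dhcpd produces for an `encapsulate`
    option space. Codes 0 and 255 are reserved (pad and end marker).
    """
    out = bytearray()
    for code, data in sorted(suboptions.items()):
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} outside 1..254")
        if len(data) > 255:
            raise ValueError(f"sub-option {code}: data longer than 255 bytes")
        out += bytes((code, len(data))) + data
    return bytes(out)


def wrap_option43(payload: bytes) -> bytes:
    """Prefix the payload with the outer option tag (43) and its length."""
    if len(payload) > 255:
        raise ValueError("Option 43 payload longer than 255 bytes")
    return bytes((43, len(payload))) + payload


def decode_option43(payload: bytes) -> dict[int, bytes]:
    """Parse an Option 43 payload into {code: data}.

    Bounds are checked on every field so a truncated packet, or a length
    byte that overruns the buffer, raises instead of being read past the
    end. Pad (0) is skipped and End (255) stops the walk.
    """
    fields: dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError(f"truncated: sub-option {code} has no length byte")
        length = payload[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(payload):
            raise ValueError(
                f"truncated: sub-option {code} claims {length} bytes, "
                f"{len(payload) - start} available"
            )
        if code in fields:
            raise ValueError(f"duplicate sub-option code {code}")
        fields[code] = payload[start:end]
        i = end
    return fields


if __name__ == "__main__":
    # serviceName (code 1) = "data", as in the dhcpd.conf snippet above.
    payload = encode_option43({1: b"data"})
    print("option 43 on the wire:", wrap_option43(payload).hex(" "))
    print("decoded:", decode_option43(payload))
```

The decoder is the useful half when debugging: copy the Option 43 bytes out of a packet capture of the server's DHCP Offer and feed them to decode_option43 to confirm each code carries the value configured on the server.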

ipt_ROUTE Netfilter module ported to Linux 2.6.31

The ipt_ROUTE module became deprecated in an earlier version of Linux 2.6 – however I needed it, so I ported it to Linux Kernel version 2.6.31.

Disclaimer: wherever possible iproute2 should be used to achieve the desired effect.

The sources include the Kernel module and extensions to iptables.

This module and iptables extension create a new target which may be used on the mangle table.
Target usage: -j ROUTE <option>
options:
--oif ifname - Route packet through `ifname' network interface
--iif ifname - Change packet's incoming interface to `ifname'
--gw ip - Route packet via this gateway `ip'
--continue - Route packet and continue traversing the rules. (Not valid with --iif or --tee)
--tee - Duplicate packet and route the duplicate, continue traversing the original packet. (Not valid with --iif or --continue)

I have tested the ported module on the PREROUTING and INPUT chains of the mangle table.

I use this module to route packets that have a destination IP address matching a local IP address out of an ethernet interface (using the --oif option). These packets would normally be directed to the local system.

OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of the config files which need amending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48"

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"

IPv6 DNS Advertisements

DNS client configuration can be handled by the standard Router Advertisement Daemon (radvd): apt-get install radvd

Edit /etc/radvd.conf on your Linux Router and insert the following at the end of the file to use Google’s DNS Caching server:

# radvd's keyword is RDNSS; this block goes inside the interface { } stanza
# for the LAN interface, before its closing brace.
RDNSS 2001:4860:4860::8888
{
};

On your Linux clients, install rdnssd to automatically add the advertised IPv6 DNS servers to /etc/resolv.conf.

/etc/resolv.conf now contains both IPv4 and IPv6 entries. Typically a DHCP client adds the IPv4 DNS server entries; this can be prevented by removing ‘domain-name-servers’ from the ‘request’ line in dhclient.conf.