Mikeri's tech-babble

2009-03-22

IPv6 with 6to4 tunneling in Debian made easy

I tried to find an easy way to implement IPv6 via 6to4 on my Debian server, but everything I found required some sort of manual intervention in the case of reboots/new IP addresses from my ISP, etc.

So I made this little init.d script using snippets from all around:

#!/bin/sh
# $Id: tun6to4 init.d script v0.1

# Change "eth1" in the following line to your own public interface.
# The pattern is anchored ("^eth1 ") so it does not also match eth10, eth11, ...
IPV4=$(ifconfig -a | awk '/^eth1 /{p=1}p&&/inet addr/{sub(".*:", "", $2);print $2;exit}')

# 6to4 host address 2002:WWXX:YYZZ::1, i.e. the four IPv4 octets encoded as hex
STFADDRESS=$(printf "2002:%02x%02x:%02x%02x::1" `echo $IPV4 | tr "." " "`)

case "$1" in
    start)
        # Refuse to start with an empty address; STFADDRESS would be bogus otherwise
        if [ -z "$IPV4" ]; then
            echo "tun6to4: could not determine the IPv4 address of eth1" >&2
            exit 1
        fi
        echo -n "Starting 6to4 tunnel: "
        /sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local $IPV4
        /sbin/ip link set dev tun6to4 up
        /sbin/ip -6 addr add $STFADDRESS/16 dev tun6to4
        # Default route for global IPv6 via the 6to4 relay anycast address
        /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
        # The following line enables forwarding from eth0
        # /sbin/ip -6 addr add dev eth0 $STFADDRESS/64
        echo "."
        ;;
    stop)
        echo -n "Stopping 6to4 tunnel: "
        /sbin/ip -6 route flush dev tun6to4
        /sbin/ip link set dev tun6to4 down
        /sbin/ip tunnel del tun6to4
        echo "."
        ;;
    restart | force-reload)
        $0 stop
        sleep 2
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/tun6to4 {start|stop|restart|force-reload}"
        exit 1
        ;;
esac
exit 0

Change eth1 in the first uncommented line to your own public interface (the one that carries the address from your ISP, as the comment in the script says), save the file as /etc/init.d/tun6to4, then do a:
$ update-rc.d tun6to4 defaults
And you should have IPv6 connectivity up and running automatically. On reboots, the script should find your DHCP-assigned IP address and use it accordingly.

If you want to forward from your LAN, uncomment the commented /sbin/ip line and change eth0 to your LAN interface.

If you get a new IP address you'll have to rerun the script, since the 6to4 address is derived from the IPv4 address. Oh, and the IPv4 extractor uses awk, so make sure it is installed.
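6to4 only works when the embedded IPv4 address is globally routable, so a host behind NAT (a private or CGNAT address) gets a tunnel that silently never passes traffic. The following is an added example, not the post's own script: it validates the address before deriving the 2002::/16 prefix the same way the printf in the init script does, and decodes such an address back to IPv4 so you can check what the tunnel endpoint is advertising. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own script): check that the IPv4 a 6to4 tunnel
# will embed is actually usable, derive the 2002::/16 address the way the init
# script's printf does, and decode one back. Function names are this example's.

# Succeed only if $1 is a dotted quad 6to4 can embed: four octets 0-255, not in
# a range that is never globally routable. A private, CGNAT or link-local
# address (i.e. a host behind NAT) yields a tunnel that silently never works.
is_public_ipv4() {
    ip=$1
    case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac    # "08"-style octets are ambiguous
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] && return 1   # 0/8, 10/8, 127/8
    [ "$1" -ge 224 ] && return 1                                       # multicast, reserved
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1  # 100.64/10 (RFC 6598)
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1                   # 169.254/16 link-local
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1  # 172.16/12 (RFC 1918)
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1                   # 192.168/16 (RFC 1918)
    return 0
}

# Print the 6to4 host address 2002:WWXX:YYZZ::1 for a validated public IPv4;
# fail with no output otherwise, so a caller can refuse to bring the tunnel up.
sixto4_address() {
    is_public_ipv4 "$1" || return 1
    printf '2002:%02x%02x:%02x%02x::1\n' $(printf '%s' "$1" | tr '.' ' ')
}

# Recover the embedded IPv4 from a 2002::/16 address as `ip -6 addr` prints it
# (leading zeros dropped, optional /prefix), e.g. to confirm which public
# address the tunnel endpoint is advertising.
sixto4_to_ipv4() {
    addr=${1%%/*}
    case "$addr" in 2002:*:*:*) ;; *) return 1 ;; esac
    oldifs=$IFS; IFS=:; set -- $addr; IFS=$oldifs
    for g in "$2" "$3"; do case "$g" in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac; done
    w=$((0x$2)); x=$((0x$3))
    printf '%d.%d.%d.%d\n' $((w >> 8)) $((w & 255)) $((x >> 8)) $((x & 255))
}

# Constructed sample (TEST-NET-1 address): prints 2002:c000:0201::1
sixto4_address 192.0.2.1
```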


2009-03-01

Blocking a user group from your internal network in Linux

I recently found out that iptables features owner matching for TCP packets. This means you can block packets generated by processes running under a given group from reaching your local network. The owner match looks at the process that created the packet, so it applies to locally generated traffic (the OUTPUT chain) and not to traffic merely forwarded through the box.

In my scenario, I have a Debian server being a physical gateway between my local network and the outside world. Now, some of my friends also have shell accounts on this box. And while I do trust them, it's nice to know they can't access all my stuff (like open smb shares) on the local network.

So how is this done? It's dead simple when you know how. Add the following iptables rule:

iptables -A OUTPUT -m owner --gid-owner 2000 -d 192.168.0.0/24 -j REJECT

This will block gid 2000 from accessing the 192.168.0.* network. Obviously, change this for your own needs. Then add a group called guests or something with a matching gid; I just added the following to /etc/group:

guests:x:2000:

And of course put the guest users into the guests group. Note that --gid-owner matches the process's primary (effective) group, which is why the primary group is changed with -g rather than adding a supplementary group with -G. You can edit /etc/group by hand or use the following command for each of the users:

usermod -g 2000 guestusername


Google with SyncML support, now supports Symbian

I just saw this on the N82 Blog (thanks, Mike!): Google has implemented SyncML support, so you can now synchronize your Google contacts with those on your phone. A nice bonus is having a backup of your phone contacts.

Unfortunately, calendar synchronization is not supported yet. For that, use GooSync.