<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Networking &#8211; SophieDogg</title>
	<atom:link href="https://sophiedogg.com/category/networking/feed/" rel="self" type="application/rss+xml" />
	<link>https://sophiedogg.com</link>
	<description>Dogg of all trades, Master of no one.</description>
	<lastBuildDate>Sat, 09 Oct 2021 12:02:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6</generator>
	<item>
		<title>Funny IPv6 Words</title>
		<link>https://sophiedogg.com/funny-ipv6-words/</link>
					<comments>https://sophiedogg.com/funny-ipv6-words/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Sun, 29 Sep 2013 17:12:17 +0000</pubDate>
				<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[DNS]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=970</guid>

					<description><![CDATA[Previously I did a post on how to have some Fun With IPv6 Words, and how to generate an IPv6 word list, but one request I keep getting is for a smaller list of just the funny IPv6 words. So, below I went through the word list that I previously generated, pulled out just the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Previously I did a post on how to have some <a href="https://sophiedogg.com/fun-with-ipv6-words" title="Fun With IPv6 Words" target="_blank" rel="noopener">Fun With IPv6 Words</a>, and how to generate an IPv6 word list, but one request I keep getting is for a smaller list of just the funny IPv6 words.  <span id="more-970"></span></p>
<p>So, below I went through the word list that I previously generated, pulled out just the funnier words, and made some &#8220;IPv6 phrases.&#8221;  Can you find any more?  Let me know in the comments!</p>
<h5>Funny IPv6 Phrases</h5>
<table>
<tr>
<td>a1f:ea75:ca75</td>
<td>bad:babe:a9ed:18</td>
<td>dead:beef:ca1f</td>
<td>d0d0:15:dead</td>
</tr>
<tr>
<td>alf eats cats</td>
<td>bad babe aged 18</td>
<td>dead beef calf</td>
<td>dodo is dead</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>b19:ba11:bag</td>
<td>a11:beef:c1ad:babe</td>
<td>1ce:1ce:babe</td>
<td>a11:beef:7ac0</td>
</tr>
<tr>
<td>big ball bag</td>
<td>all beef clad babe</td>
<td>ice ice babe</td>
<td>all beef taco</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>b19:b00b:babe</td>
<td>1:see:bad:c0de</td>
<td>b19:b00b:babe:cafe</td>
<td>b19:a55:9a1a</td>
</tr>
<tr>
<td>big boob babe</td>
<td>I see bad code</td>
<td>big boob babe cafe</td>
<td>big ass gala</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>b19:7175:babe</td>
<td>deaf:d0e:15:f00d</td>
<td>1337:c0de:4:11fe</td>
<td>ba1d:babe:be:be5t</td>
</tr>
<tr>
<td>big tits babe</td>
<td>deaf doe is food</td>
<td>leet code 4 life</td>
<td>bald babe be best</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>ea7:beef:7ac0:d095</td>
<td>dead:beef:cafe</td>
<td>1:ea7:dead:beef</td>
<td>ba1d:7ac0:be:be5t</td>
</tr>
<tr>
<td>eat beef taco dogs</td>
<td>dead beef café</td>
<td>I eat dead beef</td>
<td>bald taco be best</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>b19:fa7:d00b</td>
<td>1:be:a:7001</td>
<td>5a11:a:b0a7</td>
<td>9a1:907:a:70ad:face</td>
</tr>
<tr>
<td>big fat doob</td>
<td>I be a tool</td>
<td>sail a boat</td>
<td>gal got a toad face</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>a11:90d5:be:11e5</td>
<td>7a11:a1e:cafe</td>
<td>c01d:c01a:cafe</td>
<td>1d1e:f001</td>
</tr>
<tr>
<td>all gods be lies</td>
<td>tall ale cafe</td>
<td>cold cola cafe</td>
<td>idle fool</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>1:907:a:fa7:10af</td>
<td>aced:a11:7e57</td>
<td>9a9a:15:dead</td>
<td>da75:a:900d:90a7</td>
</tr>
<tr>
<td>i got a fat loaf</td>
<td>aced all test</td>
<td>gaga is dead</td>
<td>dats a good goat</td>
</tr>
</table>
<p>Below are some of the funnier IPv6 words that you can spell.  Let me know if you can make up any funny phrases in the comments!</p>
<h5>Funny IPv6 Words</h5>
<table>
<tr>
<td>abba</td>
<td>ba95</td>
<td>b0a5</td>
<td>cfc</td>
<td>deaf</td>
<td>eff</td>
<td>f1d0</td>
<td>91f7</td>
<td>1a55</td>
<td>5e11</td>
</tr>
<tr>
<td>abc</td>
<td>ba11</td>
<td>b0a7</td>
<td>c1ad</td>
<td>dea1</td>
<td>e99</td>
<td>f19</td>
<td>919</td>
<td>1a57</td>
<td>51de</td>
</tr>
<tr>
<td>abcd</td>
<td>ba1d</td>
<td>b0b</td>
<td>c1ef</td>
<td>deb</td>
<td>e990</td>
<td>f195</td>
<td>919a</td>
<td>1a7e</td>
<td>517</td>
</tr>
<tr>
<td>abe</td>
<td>ba1e</td>
<td>b0b5</td>
<td>c0a1</td>
<td>deb7</td>
<td>e995</td>
<td>f17</td>
<td>9191</td>
<td>1ead</td>
<td>517e</td>
</tr>
<tr>
<td>abe1</td>
<td>ba5e</td>
<td>b0b0</td>
<td>c0a7</td>
<td>dec</td>
<td>e1f</td>
<td>f175</td>
<td>9190</td>
<td>1eaf</td>
<td>510b</td>
</tr>
<tr>
<td>ab1e</td>
<td>ba55</td>
<td>b0d</td>
<td>c0b</td>
<td>dee</td>
<td>e1f5</td>
<td>f122</td>
<td>911</td>
<td>1eed</td>
<td>50b</td>
</tr>
<tr>
<td>ace</td>
<td>ba7</td>
<td>b0de</td>
<td>c0bb</td>
<td>deed</td>
<td>e7c</td>
<td>f1ea</td>
<td>91ee</td>
<td>1ee7</td>
<td>50d</td>
</tr>
<tr>
<td>aced</td>
<td>ba7e</td>
<td>b0d5</td>
<td>c0b5</td>
<td>dee5</td>
<td>faa</td>
<td>f1ed</td>
<td>910b</td>
<td>1ef7</td>
<td>50da</td>
</tr>
<tr>
<td>ace5</td>
<td>ba75</td>
<td>b0ff</td>
<td>c0ca</td>
<td>dee7</td>
<td>fab</td>
<td>f1ee</td>
<td>90a1</td>
<td>1e09</td>
<td>50fa</td>
</tr>
<tr>
<td>add</td>
<td>bb1</td>
<td>b09</td>
<td>c0c0</td>
<td>def</td>
<td>fab5</td>
<td>f0b</td>
<td>90a7</td>
<td>1e90</td>
<td>50f7</td>
</tr>
<tr>
<td>add5</td>
<td>bead</td>
<td>b095</td>
<td>c0d</td>
<td>de11</td>
<td>fac</td>
<td>f0b5</td>
<td>90b</td>
<td>1e95</td>
<td>501d</td>
</tr>
<tr>
<td>a9e</td>
<td>bebe</td>
<td>b017</td>
<td>c0de</td>
<td>de17</td>
<td>face</td>
<td>f0e</td>
<td>90d</td>
<td>10ad</td>
<td>501e</td>
</tr>
<tr>
<td>a9ed</td>
<td>bed</td>
<td>b00</td>
<td>c0d5</td>
<td>d1b5</td>
<td>fac7</td>
<td>f0e5</td>
<td>90d5</td>
<td>10af</td>
<td>5010</td>
</tr>
<tr>
<td>a1a5</td>
<td>bede</td>
<td>b00b</td>
<td>c0ed</td>
<td>d1ce</td>
<td>fad</td>
<td>f09</td>
<td>900d</td>
<td>10b</td>
<td>57ab</td>
</tr>
<tr>
<td>a11</td>
<td>bed5</td>
<td>b007</td>
<td>c01a</td>
<td>d1ff</td>
<td>fade</td>
<td>f01d</td>
<td>900f</td>
<td>10c0</td>
<td>57a9</td>
</tr>
<tr>
<td>a11a</td>
<td>bee</td>
<td>cab</td>
<td>c01d</td>
<td>d19</td>
<td>fa9</td>
<td>f00d</td>
<td>9009</td>
<td>100f</td>
<td>57a7</td>
</tr>
<tr>
<td>a1e</td>
<td>beeb</td>
<td>cab5</td>
<td>c001</td>
<td>d195</td>
<td>fa95</td>
<td>f001</td>
<td>907</td>
<td>1007</td>
<td>7ab</td>
</tr>
<tr>
<td>a1e5</td>
<td>beef</td>
<td>caca</td>
<td>c007</td>
<td>d0a</td>
<td>fa11</td>
<td>f007</td>
<td>1ce</td>
<td>5aab</td>
<td>7ac0</td>
</tr>
<tr>
<td>a1f</td>
<td>bee5</td>
<td>cafe</td>
<td>c057</td>
<td>d0c</td>
<td>fa7e</td>
<td>9aff</td>
<td>1ced</td>
<td>5afe</td>
<td>7a11</td>
</tr>
<tr>
<td>a1fa</td>
<td>bee7</td>
<td>ca9e</td>
<td>c07</td>
<td>d0d0</td>
<td>fb1</td>
<td>9a9</td>
<td>1dea</td>
<td>5a9a</td>
<td>7ea1</td>
</tr>
<tr>
<td>a11</td>
<td>be9</td>
<td>ca1f</td>
<td>dab</td>
<td>d0e</td>
<td>fea7</td>
<td>9a9a</td>
<td>1d1e</td>
<td>5a9e</td>
<td>7ea7</td>
</tr>
<tr>
<td>a55</td>
<td>be95</td>
<td>ca11</td>
<td>dab5</td>
<td>d011</td>
<td>feb</td>
<td>9a9e</td>
<td>1ab</td>
<td>5a1e</td>
<td>7ed</td>
</tr>
<tr>
<td>baa</td>
<td>be11</td>
<td>ca5a</td>
<td>dad</td>
<td>d00</td>
<td>fed</td>
<td>9a95</td>
<td>1ab5</td>
<td>5ea1</td>
<td>7ee</td>
</tr>
<tr>
<td>baab</td>
<td>be17</td>
<td>ca5e</td>
<td>dada</td>
<td>d00b</td>
<td>fee</td>
<td>9a1a</td>
<td>1ace</td>
<td>5ea7</td>
<td>7e11</td>
</tr>
<tr>
<td>bab</td>
<td>b1d</td>
<td>ca57</td>
<td>daff</td>
<td>ea7</td>
<td>feed</td>
<td>9a11</td>
<td>1ad</td>
<td>5ec</td>
<td>70ad</td>
</tr>
<tr>
<td>baba</td>
<td>b1de</td>
<td>ca7</td>
<td>daf7</td>
<td>ecc0</td>
<td>fee1</td>
<td>9a1e</td>
<td>1ad5</td>
<td>5ed</td>
<td>7001</td>
</tr>
<tr>
<td>babb</td>
<td>b1ff</td>
<td>ca75</td>
<td>da1e</td>
<td>ed</td>
<td>fee5</td>
<td>9a7</td>
<td>1aff</td>
<td>5ee</td>
<td>7007</td>
</tr>
<tr>
<td>babe</td>
<td>b17</td>
<td>cb</td>
<td>db</td>
<td>ed9e</td>
<td>fee7</td>
<td>9a7e</td>
<td>1a9</td>
<td>5eed</td>
<td>20b0</td>
</tr>
<tr>
<td>bad</td>
<td>b17e</td>
<td>cede</td>
<td>dea</td>
<td>ee1</td>
<td>fe11</td>
<td>91ad</td>
<td>1a95</td>
<td>5e9a</td>
<td>20e</td>
</tr>
<tr>
<td>ba9</td>
<td>b0a</td>
<td>ce11</td>
<td>dead</td>
<td>ee15</td>
<td>fe17</td>
<td>91f</td>
<td>1a5e</td>
<td>5e1f</td>
<td>200</td>
</tr>
</table>
<p>Don&#8217;t forget to check my <a href="https://sophiedogg.com/fun-with-ipv6-words" title="Fun With IPv6 Words" target="_blank" rel="noopener">Fun With IPv6 Words</a> page for a larger list of words, along with some instructions on creating your own list.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/funny-ipv6-words/feed/</wfw:commentRss>
			<slash:comments>3</slash:comments>
		
		
			</item>
		<item>
		<title>An Intro to DNS</title>
		<link>https://sophiedogg.com/intro-to-dns/</link>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Sun, 01 Sep 2013 21:07:20 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[IPv4]]></category>
		<category><![CDATA[IPv6]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=929</guid>

					<description><![CDATA[I always find it amazing how little so many people in IT actually know about DNS. Well, today I&#8217;m going to give you a brief overview of the basics of DNS, the Domain Name System. We&#8217;ll call this, an &#8220;Intro to DNS!&#8221; So, what is the Domain Name System (DNS)? It is a hierarchical distributed [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I always find it amazing how little so many people in IT actually know about DNS.  Well, today I&#8217;m going to give you a brief overview of the basics of DNS, the Domain Name System.  We&#8217;ll call this, an &#8220;Intro to DNS!&#8221; <span id="more-929"></span></p>
<p>So, what is the Domain Name System (DNS)?  It is a hierarchical distributed naming system for any resource connected to the Internet or a private network.  It associates various information with domain names, and translates domain names into IP addresses (and vice versa).</p>
<p>Example:</p>
<ul>
<li>sophiedogg.com
<ul>
<li>66.228.37.203</li>
</ul>
</li>
</ul>
<h4>Nameserver Types</h4>
<p>First, let&#8217;s take a look at the different types of nameservers.  <strong>Master</strong> (primary) name servers are the main servers for authoritative DNS zones.  These servers provide the information for all the other servers to replicate.  The <strong>Slave</strong> (secondary) servers are the ones that replicate the data from the masters.<br />
<br />
A <strong>Caching</strong> nameserver is a server which maintains a recent cache of DNS lookups.  This can increase reliability, decrease query time, and decrease network traffic.<br />
<br />
A <strong>Recursive</strong> nameserver provides lookups for non-authoritative DNS zones.  Basically, if a nameserver is responsible for a domain (like <a href="https://sophiedogg.com" title="SophieDogg.com" target="_blank" rel="noopener">sophiedogg.com</a>), a recursive nameserver would also provide information for domains it is not responsible for.  There are public recursive name servers, such as Google&#8217;s google-public-dns-a.google.com (8.8.8.8).  For the most part, your master or slave nameservers should not provide recursive lookups, or should do so only for authorized users.<br />
<br />
Finally, we have <strong>Stealth</strong> nameservers, which are hidden name servers.  The benefit of having a stealth nameserver is that the internet at large does not know the address of it, and cannot easily attack it!<br />
<br />
Note that a single nameserver can fill multiple roles, such as recursive stealth master.  Next, let&#8217;s take a look at some of the different items within a DNS zone record and the vocabulary associated with DNS.</p>
<h4>Time to Live</h4>
<p>Time to Live (TTL), specified in seconds, limits the lifespan of a record.  This value specifies how long a caching nameserver can consider a record valid.  If the TTL of a record is set at 1 day (86400 seconds), a caching name server will keep that record in memory for one day.  This prevents the nameserver from going through the lookup process for any additional queries within that time period.<br />
<br />
Shorter TTLs can increase the load on the nameserver; however, they can be beneficial when changing servers, preventing stale information from being cached.  Before any changes involving DNS (like changing IP addresses), it is always a good idea to lower your TTLs until the changes are complete.</p>
<h4>Fully Qualified Domain Name (FQDN)</h4>
<p>A Fully Qualified Domain Name is the complete DNS name, all the way up to the top-level domain, that resolves to an IP address.  An example of this would be:</p>
<h5>www.sbd.example.com</h5>
<ul>
<li>Top Level Domain (TLD): com</li>
<li>Domain: example</li>
<li>Subdomain: sbd</li>
<li>Host: www</li>
</ul>
<h4>IP Address Subnetting</h4>
<p>It also helps to have some knowledge of IP address subnetting in order to understand some of the terms used in the Domain Name System.<br />
Ex: <strong>IP: 10.11.12.13 &#8211; Subnet: 255.255.0.0</strong></p>
<ul>
<li>CIDR Notation: 10.11.12.0/16</li>
<li>Subnet Mask: 255.255.0.0</li>
<li>Network Prefix: 10.11.</li>
<li>Host Suffix: 12.13</li>
<li>IP Address Range: 10.11.0.0 &#8211; 10.11.255.255</li>
</ul>
<h4>DNS Record Types</h4>
<p>There are many different types of DNS records, more than we will cover here, but these are the most important and most common records.</p>
<table>
<tr>
<td><strong>Type</strong></td>
<td><strong>Description</strong></td>
<td><strong>Function</strong></td>
</tr>
<tr>
<td>A</td>
<td>IPv4 Address Record</td>
<td>32-bit IPv4 Address</td>
</tr>
<tr>
<td>AAAA</td>
<td>IPv6 Address Record</td>
<td>128-bit IPv6 Address</td>
</tr>
<tr>
<td>CNAME</td>
<td>Canonical Name</td>
<td>Alias; Nickname</td>
</tr>
<tr>
<td>MX</td>
<td>Mail Exchange</td>
<td>Mail Server</td>
</tr>
<tr>
<td>PTR</td>
<td>Pointer Record</td>
<td>Reverse DNS</td>
</tr>
<tr>
<td>SOA</td>
<td>Start of Authority</td>
<td>Authoritative Info</td>
</tr>
<tr>
<td>TXT</td>
<td>Text Record</td>
<td>Various</td>
</tr>
</table>
<p>So, using this information, let&#8217;s put together a basic DNS zone!  We will start with the SOA record, since it is normally the first record listed in a BIND zone file.</p>
<h4>SOA Record</h4>
<pre>$ORIGIN sophiedogg.com.
$TTL 43200      ; 12 hours
@               IN      SOA     ns1.sophiedogg.com. sophiedogg.sophiedogg.com. (
                        2012120208 ; serial YYYYMMDDnumber
                        21600 ; refresh (6 hours)
                        600 ; retry (10 minutes)
                        1209600 ; expire (2 weeks)
                        10800 ) ; minimum (3 hours)</pre>
<p>So, first we start with the domain name (<tt>$ORIGIN sophiedogg.com.</tt>).  This defines the domain we are referring to in the rest of our records.  Next is the <tt>$TTL 43200</tt> field, which specifies the default TTL for records.  Both of these values can be changed later in the zone file if you wish, affecting any records below the change.  You can also optionally specify per-record TTL values, which take precedence over this default.  Next, we have IN SOA, which specifies what kind of record we are defining (SOA).  After that we list the primary name server (ns1.sophiedogg.com), followed by the administrative contact email.  Note that this email address is written without the at (@) sign; when reading it, the first dot stands in for the @.<br />
<br />
Next are some numbers&#8230;  What do they mean?!<br />
<br />
The first number is the serial number.  This unique number specifies the revision number of the zone.  The standard format for the serial number is the date, followed by a 2 digit revision number.  For example, the serial number 2012120208 corresponds to the 8th revision made on December 2nd, 2012.<br />
<br />
The second is the refresh interval.  This is how often a slave nameserver tries to refresh the zone file from the master.  This is not as important as it had been in the past, as master servers are often configured to automatically notify the slaves of any changes immediately after they are made.<br />
<br />
The third is the retry interval, or how long a slave should wait to refresh a zone from the master, if a refresh has failed.<br />
<br />
Fourth is the expire time.  This specifies how long a slave server can be considered authoritative for a zone, when it is unable to contact a master.<br />
<br />
Finally, fifth is the minimum time, or negative caching time.  This is how long a negative answer (a lookup that found no such record) can be cached before another lookup must be performed.<br />
<br />
Next, we can take a look at some of the different records in our BIND zone file.</p>
<h4>NS Records</h4>
<p>An NS record is what actually specifies the nameservers responsible for our domain!  Below is what they look like in our BIND zone file:</p>
<pre>                IN      NS      ns1.sophiedogg.com.
                IN      NS      ns2.sophiedogg.com.
                IN      NS      ns3.sophiedogg.com.
                IN      NS      ns4.sophiedogg.com.
                IN      NS      ns5.sophiedogg.com.</pre>
<p>Basically, it just lists the 5 different NS servers.  Notice the period at the end of each line.  This is necessary so that BIND treats the name as fully qualified, rather than appending the <tt>$ORIGIN</tt> value to it.</p>
<h4>MX Records</h4>
<p>The MX record is specified in a similar manner to the NS records, except there is an extra field, which is the mail server priority value.  The lower the value, the higher the priority.  This will allow us to specify multiple mail servers, for redundancy, if we wish.</p>
<pre>                IN      MX      10 sophiedogg.com.
                IN      MX      20 backupmail.sophiedogg.com.</pre>
<h4>CNAME Records</h4>
<p>A CNAME record is basically just an alias, or nickname, for another record.  Below is an example of a CNAME record:</p>
<pre>www             IN      CNAME   sophiedogg.com.</pre>
<p>This states that the www record is just an alias for sophiedogg.com.  This allows us to have multiple records that all point to the same IP address, without having to specify an IP address for each record.  This is especially useful when updating records; instead of updating multiple records, we only have to update one!  CNAMEs are also useful with VirtualHosts in webservers; the web server uses the different names to display different web pages, even though they all use the same IP address.  Also, notice how there is no period after the <tt>www</tt>.  This means that the server should append the value from the <tt>$ORIGIN</tt> field to the record.  Thus, the record specified here is actually www.sophiedogg.com.</p>
<h4>A Records</h4>
<p>A Records are the main IPv4 record of the internet.  Without an A record, you would not be able to find a website (via IPv4).  If you do a lookup on any website, you should find an A record!  We need A records for all of the records we defined above (ns1, ns2, mx, etc).  Below is an example of some A records:</p>
<pre>                IN      A       66.228.37.203
ns1             IN      A       69.93.127.10
ns2             IN      A       65.19.178.10
ns3             IN      A       75.127.96.10
ns4             IN      A       207.192.70.10
ns5             IN      A       109.74.194.10</pre>
<p>Notice that no host is specified in the first record.  Basically, just like above with the www CNAME record, we append the <tt>$ORIGIN</tt> value to the record.  Since there is no host name, it ends up being the <tt>$ORIGIN</tt> value all by itself.  Therefore, the first record specifies the A record for sophiedogg.com, 66.228.37.203.  The next 5 records are the name server records.  Without these, nobody will know who to ask for information about your domain!</p>
<h4>AAAA Records</h4>
<p>AAAA (Quad A) Records are the IP address records for the IPv6 internet.  While not as important as A records (yet), it is good to have IPv6 access available if possible.  As the internet has run out of IPv4 addresses, more and more connections will be using IPv6, so it is important to start thinking about it now, if you haven&#8217;t already.</p>
<pre>                IN      AAAA    2600:3c03::f03c:91ff:fe93:f617
ns1             IN      AAAA    2600:3c00::a
ns2             IN      AAAA    2600:3c01::a
ns3             IN      AAAA    2600:3c02::a
ns4             IN      AAAA    2600:3c03::a
ns5             IN      AAAA    2a01:7e00::a</pre>
<p>Everything here is the same as specified in the A records above, except the IP address records themselves.  IPv6 addresses use a different format, which is specified in more detail below&#8230;</p>
<h4>IPv4 vs. IPv6</h4>
<ul>
<li>IPv4
<ul>
<li>Dotted quad with 256 available values per quad (0-255)</li>
<li>Ex: 10.11.12.13</li>
<li>32-bit</li>
<li>2^32 available addresses
<ul>
<li>4,294,967,296</li>
</ul>
</li>
</ul>
</li>
<li>IPv6
<ul>
<li>Separated into eight 16-bit sections, with 65536 values per section (0000-ffff)</li>
<li>Ex: 2600:3c03:0000:0000:f03c:91ff:fe93:f617 (or 2600:3c03::f03c:91ff:fe93:f617)</li>
<li>128-bit</li>
<li>2^128 available addresses
<ul>
<li>340,282,366,920,938,000,000,000,000,000,000,000,000</li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Glue Records</h4>
<p>Glue records are the IP address records (A and AAAA) at the parent nameserver.  In the case of sophiedogg.com, it would be the registrar, such as <a href="http://www.godaddy.com" title="GoDaddy" target="_blank" rel="noopener">GoDaddy</a>.  If you have a subdomain delegated off of another domain, it would be whoever is responsible for the main domain name.</p>
<h4>Hierarchical View of the Domain Name System</h4>
<p>Here is a tree showing, as an example, the different levels of the domain name system.  The top level, or root level, are the main record keepers for the internet.  The root servers keep records related to the level directly below them (.com, .net, etc).  Each level keeps records for the level directly below them.  These are the glue records!<br />
<a href="https://sophiedogg.com/wp-content/uploads/2013/09/dns_tree.jpg"><img fetchpriority="high" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2013/09/dns_tree.jpg" alt="dns_tree" width="871" height="475" class="aligncenter size-full wp-image-942" /></a></p>
<h4>Example of a Recursive DNS Transaction</h4>
<p>Below is an example of a recursive DNS query.  It is important to know that a recursive server always has a copy of the IP addresses of the root nameservers, in order to have the addresses it needs for step #2 in the figure below.  This list of root nameservers needs to be kept up to date, or else the recursive nameserver will not know where to start its lookups!<br />
<a href="https://sophiedogg.com/wp-content/uploads/2013/09/recursive_dns.jpg"><img decoding="async" src="https://sophiedogg.com/wp-content/uploads/2013/09/recursive_dns.jpg" alt="recursive_dns" width="497" height="508" class="aligncenter size-full wp-image-945" srcset="https://sophiedogg.com/wp-content/uploads/2013/09/recursive_dns.jpg 497w, https://sophiedogg.com/wp-content/uploads/2013/09/recursive_dns-293x300.jpg 293w" sizes="(max-width: 497px) 100vw, 497px" /></a></p>
<ul>
<li>1: The Client asks a Recursive DNS server for the record associated with www.sophiedogg.com.</li>
<li>2: The Recursive DNS server queries the Root DNS servers, asking for the DNS server records for the .com TLD.</li>
<li>3: The root DNS server responds with information for the .com DNS servers.</li>
<li>4: The Recursive DNS server queries the .com DNS servers, asking for the DNS server records for the sophiedogg.com domain.</li>
<li>5: The .com DNS server responds with information for the sophiedogg.com DNS servers.</li>
<li>6: The Recursive DNS server queries the sophiedogg.com DNS servers, asking for the specified (A, AAAA, MX, etc.) record for www.sophiedogg.com.</li>
<li>7: The sophiedogg.com DNS server responds with the requested value for www.sophiedogg.com.</li>
<li>8: The Recursive DNS server responds to the client&#8217;s original request with the necessary information.</li>
<li>9: The client can actually access the requested website!</li>
</ul>
<p>Let&#8217;s walk through the actual steps of a recursive DNS query, looking up the record www.sophiedogg.com, from the perspective of a recursive DNS server (note the results have been shortened).</p>
<ol>
<li>
<pre>$ dig ns
...
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518392  IN      NS      a.root-servers.net.
.                       518392  IN      NS      b.root-servers.net.
...</pre>
</li>
<li>
<pre>$ dig ns com @a.root-servers.net
...
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
...</pre>
</li>
<li>
<pre>$ dig ns sophiedogg.com @a.gtld-servers.net
...
;; QUESTION SECTION:
;sophiedogg.com.                        IN      NS

;; AUTHORITY SECTION:
sophiedogg.com.         172800  IN      NS      ns1.sophiedogg.com.
sophiedogg.com.         172800  IN      NS      ns2.sophiedogg.com.
...</pre>
</li>
<li>
<pre>$ dig a www.sophiedogg.com @ns1.sophiedogg.com
...
;; QUESTION SECTION:
;www.sophiedogg.com.            IN      A

;; ANSWER SECTION:
www.sophiedogg.com.     43200   IN      CNAME   sophiedogg.com.
sophiedogg.com.         43200   IN      A       66.228.37.203
...</pre>
</li>
</ol>
<p>Notice that the www.sophiedogg.com record is actually a CNAME for sophiedogg.com.  In this case, the A record for sophiedogg.com is also returned.<br />
<br />
Next, let&#8217;s take a look at a cached DNS lookup&#8230;</p>
<h4>Cached DNS Transaction</h4>
<p>Notice how many fewer steps there are in a cached DNS transaction!<br />
<a href="https://sophiedogg.com/wp-content/uploads/2013/09/cached_dns.jpg"><img decoding="async" src="https://sophiedogg.com/wp-content/uploads/2013/09/cached_dns.jpg" alt="cached_dns" width="472" height="352" class="aligncenter size-full wp-image-948" srcset="https://sophiedogg.com/wp-content/uploads/2013/09/cached_dns.jpg 472w, https://sophiedogg.com/wp-content/uploads/2013/09/cached_dns-300x223.jpg 300w" sizes="(max-width: 472px) 100vw, 472px" /></a></p>
<ul>
<li>1: The Client asks a Caching DNS server for the record associated with www.sophiedogg.com.</li>
<li>2: The Caching DNS server already has a cached copy of the results of the query, and responds directly to the client, without querying any other nameservers.</li>
<li>3: The client accesses the requested website!</li>
</ul>
<p>With a cached copy of the record, the server skips all of the steps detailed in the section above!  This can greatly improve DNS response time, and decrease overall network traffic.</p>
<h4>Recursive Vs. Non-Recursive</h4>
<p>A recursive name server will provide information about domains that it is not authoritative for, while a non-recursive name server will not.  Think of it like this: if I ask you for the phone number of someone on the other side of the world whom you don&#8217;t know, chances are you aren&#8217;t going to give it to me.  You would have to go through the trouble and time of looking that number up before giving it to me.  This would be non-recursive.  If you actually did look up this phone number and provide it to me, you would be providing a recursive lookup service.  Similarly, you do not want your DNS servers answering queries that they are not authoritative for.  This adds an additional burden to your nameservers, and leaves them open to a denial of service attack.  Of course you need a recursive name server somewhere, in order to find the records necessary to access the internet, but the recursive functionality should only work for those you approve.  An example of a non-recursive lookup failure is below:</p>
<pre>$ nslookup google.com ns1.sophiedogg.com
Server:         ns1.sophiedogg.com
Address:        2600:3c00::a#53

** server can't find google.com.com: REFUSED</pre>
<h4>Whois records</h4>
<p>A Whois record provides more detailed information about a domain, such as the owner, their address, phone number, and email address.  Many people opt to purchase whois privacy products, which essentially let you use a 3rd party&#8217;s information in your whois record.  An example of Sophiedogg.com&#8217;s whois information is below.  Notice that it uses a privacy provider to hide any real information&#8230;</p>
<pre>Domain Name: SOPHIEDOGG.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-03-05 18:43:36
Creation Date: 2011-03-29 19:08:42
Registrar Expiration Date: 2015-03-29 19:08:42
Registrar: GoDaddy.com, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: United States
Name Server: NS1.SOPHIEDOGG.COM
Name Server: NS2.SOPHIEDOGG.COM
Name Server: NS3.SOPHIEDOGG.COM
Name Server: NS4.SOPHIEDOGG.COM
Name Server: NS5.SOPHIEDOGG.COM</pre>
<p>While it is possible to just fake information in your whois record, this is generally not allowed under the Terms of Service of the registrar.  If they find out, they may seize your domain name&#8230;</p>
<h4>BIND DNS Zone File Example</h4>
<p>Here is an example of a valid BIND DNS zone file for sophiedogg.com:</p>
<pre>$ORIGIN sophiedogg.com.
$TTL 43200      ; 12 hours
@               IN      SOA     ns1.sophiedogg.com. sophiedogg.sophiedogg.com. (
                        2012120208
                        21600
                        600
                        1209600
                        10800 )
                IN      NS      ns1.sophiedogg.com.
                IN      NS      ns2.sophiedogg.com.
                IN      NS      ns3.sophiedogg.com.
                IN      NS      ns4.sophiedogg.com.
                IN      NS      ns5.sophiedogg.com.
                IN      MX      10 sophiedogg.com.
                IN      TXT     "v=spf1 mx -all"
                IN      A       66.228.37.203
                IN      AAAA    2600:3c03::f03c:91ff:fe93:f617
ns1             IN      A       69.93.127.10
ns1             IN      AAAA    2600:3c00::a
ns2             IN      A       65.19.178.10
ns2             IN      AAAA    2600:3c01::a
ns3             IN      A       75.127.96.10
ns3             IN      AAAA    2600:3c02::a
ns4             IN      A       207.192.70.10
ns4             IN      AAAA    2600:3c03::a
ns5             IN      A       109.74.194.10
ns5             IN      AAAA    2a01:7e00::a
www             IN      CNAME   sophiedogg.com.</pre>
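<p>As an added example (my own code, not the post&#8217;s or BIND&#8217;s), here is a small Python checker that parses the zone above into records, applying the <tt>$ORIGIN</tt>, blank-owner and trailing-dot rules and the SOA field order described earlier, and then flags the mistakes such a file can hide: a serial that is not a valid YYYYMMDDnn date, SOA timers in the wrong order, an in-zone NS host with no A/AAAA (glue) record, an MX that points at a CNAME, and a CNAME sharing an owner name with other records.  The zone text is a trimmed copy of the one above, embedded as constructed input; comment handling is simplified and assumes no semicolon inside quoted TXT data.</p>

```python
from datetime import date

# Constructed input: a trimmed copy of the BIND zone shown in the post above.
ZONE = """\
$ORIGIN sophiedogg.com.
$TTL 43200      ; 12 hours
@               IN      SOA     ns1.sophiedogg.com. sophiedogg.sophiedogg.com. (
                        2012120208 ; serial YYYYMMDDnumber
                        21600 ; refresh (6 hours)
                        600 ; retry (10 minutes)
                        1209600 ; expire (2 weeks)
                        10800 ) ; minimum (3 hours)
                IN      NS      ns1.sophiedogg.com.
                IN      NS      ns2.sophiedogg.com.
                IN      MX      10 sophiedogg.com.
                IN      A       66.228.37.203
                IN      AAAA    2600:3c03::f03c:91ff:fe93:f617
ns1             IN      A       69.93.127.10
ns2             IN      A       65.19.178.10
www             IN      CNAME   sophiedogg.com.
"""

def strip_comments(text):
    # Drop ';' comments. Toy assumption: no ';' inside quoted TXT data.
    return "\n".join(line.split(";", 1)[0].rstrip() for line in text.splitlines())

def join_parens(text):
    # Fold a record wrapped in ( ... ), such as the SOA, onto one line.
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out

def fqdn(name, origin):
    # '@' means the origin; a name with no trailing dot gets $ORIGIN appended.
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def parse_zone(text):
    # Returns (origin, [(owner, type, rdata_tokens, ttl), ...]).
    origin, default_ttl, owner, records = None, None, None, []
    for line in join_parens(strip_comments(text)):
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks[0] == "$TTL":
            default_ttl = int(toks[1])
        else:
            if not line[0].isspace():       # explicit owner; a blank owner reuses the last
                owner = fqdn(toks.pop(0), origin)
            ttl = int(toks.pop(0)) if toks[0].isdigit() else default_ttl
            if toks[0].upper() == "IN":     # the class is optional in BIND files
                toks.pop(0)
            records.append((owner, toks[0].upper(), toks[1:], ttl))
    return origin, records

def serial_ok(serial):
    # YYYYMMDDnn: ten digits whose first eight form a real calendar date.
    s = str(serial)
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return len(s) == 10

def check_zone(text):
    # Checks drawn from the post: serial format, SOA timer ordering, glue for
    # in-zone NS targets, MX pointing at a CNAME, CNAME mixed with other data.
    origin, records = parse_zone(text)
    findings = []
    addrs = {o for o, t, _, _ in records if t in ("A", "AAAA")}
    cnames = {o for o, t, _, _ in records if t == "CNAME"}
    types = {o: {t for oo, t, _, _ in records if oo == o} for o, _, _, _ in records}
    for o, t, rdata, _ in records:
        if t == "SOA":
            serial, refresh, retry, expire = (int(x) for x in rdata[2:6])
            if not serial_ok(serial):
                findings.append(f"SOA serial {serial} is not YYYYMMDDnn")
            if not retry < refresh < expire:
                findings.append("SOA timers should satisfy retry < refresh < expire")
        elif t == "NS":
            target = fqdn(rdata[0], origin)
            if in_zone(target, origin) and target not in addrs:
                findings.append(f"NS {target} is in-zone but has no A/AAAA glue record")
        elif t == "MX" and fqdn(rdata[1], origin) in cnames:
            findings.append(f"MX target {rdata[1]} is a CNAME, which mail servers reject")
        elif t == "CNAME" and types[o] - {"CNAME"}:
            findings.append(f"CNAME at {o} coexists with other record types")
    return findings
```

<p>Running <tt>check_zone(ZONE)</tt> on the zone as written returns no findings; removing the <tt>ns2</tt> A record, putting a CNAME at the apex, or using a serial like 2012130208 each produces one.</p>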
<h4>Best Practices for your DNS Servers</h4>
<p>Below is a list of some best practices for running your own DNS servers.  This list is by no means exhaustive; there are other things you can do, that are beyond an &#8220;Intro to DNS&#8221; post.</p>
<ul>
<li>Primary nameserver should be stealth!</li>
<li>Public nameservers should be slaves.</li>
<li>At least 3 public nameservers.</li>
<li>Public nameservers should not be recursive.</li>
<li>Nameserver version should be hidden.</li>
<li>Glue records should be used!</li>
<li>Nameservers should accept TCP and UDP!</li>
<li>Nameservers should be on separate networks.</li>
<li>TTL Values should follow RFC recommendations.</li>
</ul>
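<p>Several of the items above can be checked mechanically from the zone file alone.  Here is an added Python example (my code, not the post&#8217;s and not part of BIND) that parses a master file and reports too few nameservers, in-zone nameservers without glue, nameservers whose glue addresses sit in the same /24 or /32, a CNAME that coexists with other data at the same name, and a mail-receiving zone with no SPF record.  It embeds a trimmed copy of the zone above plus a constructed zone that breaks the rules; <tt>Record</tt>, <tt>parse_zone</tt>, <tt>check_zone</tt> and the finding codes are names made up for this example.</p>

```python
"""Zone-file checker for the best practices above (added example, not the post's code)."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# The post's sophiedogg.com zone, trimmed to three nameservers to keep the example short.
GOOD_ZONE = """\
$ORIGIN sophiedogg.com.
$TTL 43200      ; 12 hours
@    IN SOA   ns1.sophiedogg.com. sophiedogg.sophiedogg.com. (
              2012120208 21600 600
              1209600 10800 )
     IN NS    ns1.sophiedogg.com.
     IN NS    ns2.sophiedogg.com.
     IN NS    ns3.sophiedogg.com.
     IN MX    10 sophiedogg.com.
     IN TXT   "v=spf1 mx -all"
     IN A     66.228.37.203
ns1  IN A     69.93.127.10
ns1  IN AAAA  2600:3c00::a
ns2  IN A     65.19.178.10
ns2  IN AAAA  2600:3c01::a
ns3  IN A     75.127.96.10
ns3  IN AAAA  2600:3c02::a
www  IN CNAME sophiedogg.com.
"""
# Constructed zone that breaks several rules (RFC 5737 documentation addresses).
BAD_ZONE = """\
$ORIGIN example.com.
@    IN SOA   ns1.example.com. hostmaster.example.com. ( 1 3600 600 86400 300 )
     IN NS    ns1.example.com.
     IN NS    ns2.example.com.
     IN MX    10 mail.example.com.
ns1  IN A     192.0.2.10
www  IN CNAME example.com.
www  IN A     192.0.2.30
"""

def parse_zone(text):
    """Minimal master-file parser: $ORIGIN, $TTL, ';' comments, '( )' continuations,
    owner inheritance.  No $INCLUDE/$GENERATE and no ';' inside quoted strings."""
    origin, default_ttl, owner, records = "", None, None, []
    entries, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = line if not buf else buf + " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0:                                   # record complete
            entries.append(buf)
            buf = ""
    for entry in entries:
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
        else:
            if not entry[0].isspace():                   # explicit owner, else inherit last
                name = tokens.pop(0)
                owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
            if tokens[0].upper() == "IN":
                tokens.pop(0)
            records.append(Record(owner, ttl, tokens[0].upper(), tokens[1:]))
    return origin, records

def check_zone(origin, records):
    """Return (code, message) findings; an empty list means every check passed."""
    def at(name, rtype):
        return [r for r in records if r.owner == name and r.rtype == rtype]
    findings = []
    ns_names = [r.rdata[0] for r in at(origin, "NS")]
    if len(ns_names) < 3:
        findings.append(("NS_COUNT", f"{len(ns_names)} nameserver(s) listed, want at least 3"))
    seen_net = {}
    for ns in ns_names:
        glue = at(ns, "A") + at(ns, "AAAA")
        if ns.endswith("." + origin) and not glue:       # in-zone nameserver needs glue
            findings.append(("MISSING_GLUE", f"{ns} has no A/AAAA glue record"))
        for g in glue:                                   # coarse "separate networks" test
            ip = ipaddress.ip_address(g.rdata[0])
            net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 32}", strict=False)
            if seen_net.setdefault(net, ns) != ns:
                findings.append(("NS_SAME_NET", f"{ns} and {seen_net[net]} share {net}"))
    for r in records:                                    # RFC 1034: a CNAME must stand alone
        if r.rtype == "CNAME" and any(o.owner == r.owner and o.rtype != "CNAME" for o in records):
            findings.append(("CNAME_CONFLICT", f"{r.owner} has a CNAME alongside other data"))
    if at(origin, "MX"):                                 # a mail domain should publish SPF
        txt = [" ".join(r.rdata).strip('"') for r in at(origin, "TXT")]
        if not any(t.startswith("v=spf1") for t in txt):
            findings.append(("NO_SPF", "MX present but no v=spf1 TXT record at the apex"))
    return findings

if __name__ == "__main__":
    print(check_zone(*parse_zone(GOOD_ZONE)), check_zone(*parse_zone(BAD_ZONE)))
```

<p>The remaining items in the list (no recursion, hidden version, TCP support) are properties of the running server rather than of the zone file, so they have to be tested against each public nameserver, for example by checking that the <tt>ra</tt> flag is absent from a <tt>dig</tt> response, that <tt>dig version.bind CH TXT</tt> returns nothing useful, and that <tt>dig +tcp</tt> succeeds.</p>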
<p>Finally, if you are interested in learning more about DNS, below are some excellent resources.</p>
<ul>
<li><a href="http://www.intodns.com" title="Intodns - Check DNS Server Health" target="_blank" rel="noopener">Intodns.com</a>
<ul>
<li><a href="http://www.intodns.com/sophiedogg.com" title="Intodns.com - Sophiedogg.com" target="_blank" rel="noopener">http://www.intodns.com/sophiedogg.com</a></li>
</ul>
</li>
<li><a href="http://en.wikipedia.org/wiki/Domain_Name_System" title="Wikipedia - Domain Name System" target="_blank" rel="noopener">Wikipedia &#8211; Domain Name System</a></li>
<li><a href="http://root-servers.org" title="Root-servers.org" target="_blank" rel="noopener">Root-servers.org</a></li>
<li><a href="http://www.dnsinspect.com/" title="DNS Inspect" target="_blank" rel="noopener">DNSInspect.com</a></li>
<li><a href="http://www.cisco.com/web/about/security/intelligence/dns-bcp.html" title="Cisco - DNS Best Practices" target="_blank" rel="noopener">Cisco &#8211; DNS Best Practices</a></li>
<li><a href="http://www.zytrax.com/books/dns" title="Zytrax DNS Book" target="_blank" rel="noopener">Zytrax DNS Book</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SSH Proxy Through Multiple Servers</title>
		<link>https://sophiedogg.com/ssh-proxy-through-multiple-servers/</link>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Fri, 30 Aug 2013 17:26:10 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[SSH]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=877</guid>

					<description><![CDATA[Yesterday, a young pup at the pound asked me about hopping a proxy across multiple machines. Well, running a SOCKS5 proxy through multiple SSH servers isn&#8217;t all that hard, and can be fun at the same time! Today we will take a look at how to proxy through one or more SSH servers! First, let&#8217;s [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Yesterday, a young pup at the pound asked me about hopping a proxy across multiple machines.  Well, running a SOCKS5 proxy through multiple SSH servers isn&#8217;t all that hard, and can be fun at the same time!  Today we will take a look at how to proxy through one or more SSH servers! <span id="more-877"></span></p>
<p>First, let&#8217;s check our IP address, so we can verify that our proxy is working later on.  If we go to <a href="https://www.google.com" title="Google" target="_blank" rel="noopener">Google</a> and type &#8220;what is my ip&#8221;, Google will be nice enough to tell us!</p>
<p><a href="https://sophiedogg.com/wp-content/uploads/2013/01/tunnel1.png"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2013/01/tunnel1.png" alt="tunnel1" width="800" height="188" class="aligncenter size-full wp-image-879" srcset="https://sophiedogg.com/wp-content/uploads/2013/01/tunnel1.png 800w, https://sophiedogg.com/wp-content/uploads/2013/01/tunnel1-300x70.png 300w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p>Next, you will need access to one or more SSH servers that allow proxying.  You can do a search for <a href="https://www.google.com/search?q=free+ssh+proxy" title="Free SSH Proxy" target="_blank" rel="noopener">free ssh proxy</a> and hopefully get a list of servers that you can use for this exercise.  It is becoming harder to find free SSH proxies, so you might have to make friends with a server admin in order to get an account&#8230;</p>
<p>Let&#8217;s make our initial connection, by running the following command:</p>
<pre>ssh -2 -C -D 55555 -L 55556:127.0.0.1:55556 -L 55557:127.0.0.1:55557 user1@host1.domain-one.tld</pre>
<p>(If you are on a Windows machine using <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html" title="Putty" target="_blank" rel="noopener">PuTTY</a>, you can create a shortcut to the putty.exe file with the same flags)<br />
This will create our initial connection with a SOCKS proxy on port 55555, while allowing two more forwards for additional servers.  If you wanted, you could create additional -L PORT:127.0.0.1:PORT combinations to add additional servers.</p>
<p>The first <tt>-D 55555</tt> in the initial connection string above creates our first proxy forward to the first destination server (host1.domain-one.tld in the example above).  The following <tt>-L 55556:127.0.0.1:55556</tt> lets us forward through port 55556.  Similarly, the <tt>-L 55557:127.0.0.1:55557</tt> lets us create another forwarding hop.</p>
<p>If you now use port 55555 in your proxy configuration with the SOCKS host set as localhost, you will be forwarding your traffic through the SOCKS proxy connection we just created!  You can verify this by again going to <a href="https://www.google.com" title="Google" target="_blank" rel="noopener">Google</a> and searching &#8220;what is my ip&#8221;.</p>
<p>Next, from the SSH connection of our first server, we will open a proxy to our second server like this:</p>
<pre>ssh -2 -C -D 55556 -L 55557:127.0.0.1:55557 user2@host2.domain-two.tld</pre>
<p>This will create a SOCKS proxy through our second server on port 55556.  Now, all we have to do is change our SOCKS port to use 55556, and we will be going through two hosts!  Again, you can verify this with <a href="https://www.google.com" title="Google" target="_blank" rel="noopener">Google</a>.</p>
<p>Finally, from this second SSH connection, we will open a third connection, like so:</p>
<pre>ssh -2 -C -D 55557 user3@host3.domain-three.tld</pre>
<p>Using port 55557, we will now have a proxy going through all three servers!  Also, you can simply change the port, and change which server is your exit node.</p>
<p>That was pretty easy!  If you are using Firefox, it is really easy to change the proxy setup within the Options &#8211; Advanced &#8211; Network &#8211; Connection Settings menu.  Just use the manual proxy configuration, with 127.0.0.1 as the SOCKS host, and one of the ports from above.</p>
<p>Finally, here is what the three connection strings look like.  You should be able to figure out how to add extra hops!</p>
<pre>ssh -2 -C -D 55557 -L 55556:127.0.0.1:55556 -L 55555:127.0.0.1:55555 user1@host1.domain-one.tld
ssh -2 -C -D 55556 -L 55555:127.0.0.1:55555 user2@host2.domain-two.tld
ssh -2 -C -D 55555 user3@host3.domain-three.tld</pre>
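<p>The port scheme above generalises to any number of hops.  Here is an added Python helper (my code, not from the post) that produces the per-hop command lines for a list of hosts, and, for comparison, the single-command form using OpenSSH&#8217;s ProxyJump option (<tt>-J</tt>, available since OpenSSH 7.3).  The function names and the host list are made up for this example; the flags in the chained commands are the ones used in the post.</p>

```python
"""Chained SOCKS-over-SSH command generator (added example, not from the post)."""


def chained_proxy_commands(hops, base_port=55555, ssh_opts="-2 -C"):
    """One ssh command per hop, each to be typed inside the previous hop's session.

    hops      -- user@host strings in the order they are traversed (constructed input)
    base_port -- hop i listens for SOCKS on base_port + i, so choosing a port
                 chooses the exit node; every later hop's port is pre-forwarded
                 with -L over the loopback interface, as in the post.
    """
    commands = []
    for i, hop in enumerate(hops):
        parts = ["ssh", ssh_opts, f"-D {base_port + i}"]
        parts += [f"-L {base_port + j}:127.0.0.1:{base_port + j}" for j in range(i + 1, len(hops))]
        parts.append(hop)
        commands.append(" ".join(parts))
    return commands


def proxyjump_command(hops, socks_port=55555):
    """Single-command equivalent with OpenSSH ProxyJump (-J, OpenSSH 7.3 or later).

    The intermediate hops only relay an encrypted SSH stream to the last host, so
    they never see the SOCKS traffic in the clear; only the exit host does.  The
    -2 flag is omitted: modern OpenSSH speaks protocol 2 only.
    """
    *jumps, exit_host = hops
    jump = f"-J {','.join(jumps)} " if jumps else ""
    return f"ssh -C -D {socks_port} {jump}{exit_host}"


if __name__ == "__main__":
    HOPS = ["user1@host1.domain-one.tld", "user2@host2.domain-two.tld", "user3@host3.domain-three.tld"]
    print("\n".join(chained_proxy_commands(HOPS)))
    print(proxyjump_command(HOPS))
```

<p>The difference between the two forms matters for privacy: with the nested commands, each intermediate host decrypts the tunnel and re-encrypts it for the next hop, so the SOCKS traffic passes over loopback in the clear on host1 and host2 and is visible to whoever administers them; with <tt>-J</tt> the intermediate hosts only forward a TCP stream that is encrypted end to end to the final host.  In both cases the exit host sees everything that is not itself encrypted (HTTPS stays opaque, plain HTTP does not), which is worth keeping in mind before routing traffic through a &#8220;free SSH proxy&#8221; found on the web.</p>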
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Fun With IPv6 Words!</title>
		<link>https://sophiedogg.com/fun-with-ipv6-words/</link>
					<comments>https://sophiedogg.com/fun-with-ipv6-words/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Sun, 20 Jan 2013 18:24:07 +0000</pubDate>
				<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[DNS]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=853</guid>

					<description><![CDATA[If you have spent any time with IPv6 addresses, you may have realized that there are many different words that you can spell within an IPv6 address. So, let&#8217;s take a look at all the different IPv6 words we can spell! First, we need to define what numbers are equal to what letters, and then [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>If you have spent any time with IPv6 addresses, you may have realized that there are many different words that you can spell within an IPv6 address.  So, let&#8217;s take a look at all the different IPv6 words we can spell! <span id="more-853"></span></p>
<p>First, we need to define what numbers are equal to what letters, and then we can walk through how I created a list of IPv6 words.</p>
<p>Since IPv6 addresses are comprised of hexadecimal numbers, we already have the letters A, B, C, D, E, and F to work with in our sentences.  Next are the numbers that can represent letters&#8230;</p>
<p>The letters:</p>
<table>
<tr>
<td>Number</td>
<td>Letter</td>
</tr>
<tr>
<td>1</td>
<td>I or L</td>
</tr>
<tr>
<td>2</td>
<td>Z</td>
</tr>
<tr>
<td>5</td>
<td>S</td>
</tr>
<tr>
<td>7</td>
<td>T</td>
</tr>
<tr>
<td>9</td>
<td>G</td>
</tr>
</table>
<p>So, combining all of this, we have the letters A, B, C, D, E, F, G, I, L, O, S, T, and Z.</p>
<p>Next, we need a dictionary that we can pull our words from.  I decided to use the <a href="http://wordlist.sourceforge.net" title="SCOWL Word List" target="_blank" rel="noopener">SCOWL Word List</a>, because it will easily generate a list from the command line which we can then use in our scripts to create a list of words.  There are probably better dictionaries to start with, that will produce better results (some of our words will be somewhat silly, like aas, but I&#8217;m a dogg and that&#8217;s how I roll).</p>
<p>After downloading and extracting the word list from above, we are going to make an American word list.  Now, there are many different options for the SCOWL software, depending on how many words you want included in your list, language, etc.  See the SCOWL readme for more details and options&#8230;</p>
<pre>$ ./mk-list american 80 > ipv6words80-1.txt</pre>
<p>This will create our base IPv6 word list.  The 80 indicates the size of the dictionary, which should contain over 338,000 words.  It is probably way too big, with many words we will never use, but that is where we&#8217;re going to start anyways!</p>
<p>Next, we are going to pull out all of the words that contain letters from our specified list above, and write them into a second file.  Using the <tt>grep</tt> command we will search for any letters we don&#8217;t want, ignore the case, invert our match, and write!</p>
<pre>$ grep -iv 'h\|j\|k\|m\|n\|p\|q\|r\|u\|v\|w\|x\|y' ipv6words80-1.txt > ipv6words80-2.txt</pre>
<p>Now, we have a list of words that only contain the letters from our list above!  However, before we can do anything else, we need to remove any non-standard characters in the words (like apostrophes), and change any accented vowels (umlauts and the like) to regular English vowels.  This time we will use the stream editor <tt>sed</tt> along with <tt>perl</tt> to accomplish our task.</p>
<pre>$ sed -i s/\'//g ipv6words80-2.txt

$ perl -pi -e 's/\xC0/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC1/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC2/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC3/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC4/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC5/A/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC6/AE/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC7/C/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC8/E/g' ipv6words80-2.txt
$ perl -pi -e 's/\xC9/E/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCA/E/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCB/E/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCC/I/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCD/I/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCE/I/g' ipv6words80-2.txt
$ perl -pi -e 's/\xCF/I/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD0/D/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD1/N/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD2/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD3/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD4/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD5/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD6/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD8/O/g' ipv6words80-2.txt
$ perl -pi -e 's/\xD9/U/g' ipv6words80-2.txt
$ perl -pi -e 's/\xDA/U/g' ipv6words80-2.txt
$ perl -pi -e 's/\xDB/U/g' ipv6words80-2.txt
$ perl -pi -e 's/\xDC/U/g' ipv6words80-2.txt
$ perl -pi -e 's/\xDD/Y/g' ipv6words80-2.txt
$ perl -pi -e 's/\xDF/B/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE0/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE1/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE2/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE3/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE4/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE5/a/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE6/ae/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE7/c/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE8/e/g' ipv6words80-2.txt
$ perl -pi -e 's/\xE9/e/g' ipv6words80-2.txt
$ perl -pi -e 's/\xEA/e/g' ipv6words80-2.txt
$ perl -pi -e 's/\xEB/e/g' ipv6words80-2.txt
$ perl -pi -e 's/\xEC/i/g' ipv6words80-2.txt
$ perl -pi -e 's/\xED/i/g' ipv6words80-2.txt
$ perl -pi -e 's/\xEE/i/g' ipv6words80-2.txt
$ perl -pi -e 's/\xEF/i/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF0/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF1/n/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF2/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF3/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF4/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF5/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF6/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF8/o/g' ipv6words80-2.txt
$ perl -pi -e 's/\xF9/u/g' ipv6words80-2.txt
$ perl -pi -e 's/\xFA/u/g' ipv6words80-2.txt
$ perl -pi -e 's/\xFB/u/g' ipv6words80-2.txt
$ perl -pi -e 's/\xFC/u/g' ipv6words80-2.txt
$ perl -pi -e 's/\xFD/y/g' ipv6words80-2.txt
$ perl -pi -e 's/\xFF/y/g' ipv6words80-2.txt</pre>
<p>Since we just changed a bunch of umlauts to letters, we are going to run the grep command again.</p>
<pre>$ grep -iv 'h\|j\|k\|m\|n\|p\|q\|r\|u\|v\|w\|x\|y' ipv6words80-2.txt > ipv6words80-3.txt</pre>
<p>Now, we will remove any words that are longer than 4 characters.  You could optionally skip this step; however, a word longer than 4 characters spans more than one group, so it would have a colon in the middle of it once written into an IPv6 address.  I don&#8217;t really want that, so I&#8217;m going to pull out only the words that are 4 characters in length or less.  We can use <tt>grep</tt> to complete this step.</p>
<pre>$ grep -E '^[[:alpha:]]{4}$' ipv6words80-3.txt > ipv6words80-4.txt
$ grep -E '^[[:alpha:]]{3}$' ipv6words80-3.txt >> ipv6words80-4.txt
$ grep -E '^[[:alpha:]]{2}$' ipv6words80-3.txt >> ipv6words80-4.txt
$ grep -E '^[[:alpha:]]{1}$' ipv6words80-3.txt >> ipv6words80-4.txt</pre>
<p>Next, we will convert everything to lowercase using the <tt>tr</tt> command, and write to the ipv6words80-5.txt file&#8230;</p>
<pre>$ tr '[A-Z]' '[a-z]' < ipv6words80-4.txt > ipv6words80-5.txt</pre>
<p>Now, when displaying IPv6 addresses, the leading zeros in any group of 4 hexadecimal digits are omitted (so the address <tt>2001:db8:01a::1</tt> is written as <tt>2001:db8:1a::1</tt>), so we need to remove any words that begin with the letter o.</p>
<pre>$ grep -v '^o' ipv6words80-5.txt > ipv6words80-6.txt</pre>
<p>This time, let&#8217;s sort the IPv6 word list and remove the duplicates (after converting everything to lowercase, we will end up having some duplicate words).  This can be accomplished with the <tt>sort</tt> command&#8230;</p>
<pre>$ sort -u ipv6words80-6.txt > ipv6words80-7.txt</pre>
<p>Finally, we have a list of IPv6 words which we can actually use!  All that is left is for us to convert the non-hexadecimal letters to numbers&#8230;</p>
<pre>$ sed -i 's/o/0/g' ipv6words80-7.txt
$ sed -i 's/i/1/g' ipv6words80-7.txt
$ sed -i 's/l/1/g' ipv6words80-7.txt
$ sed -i 's/z/2/g' ipv6words80-7.txt
$ sed -i 's/s/5/g' ipv6words80-7.txt
$ sed -i 's/t/7/g' ipv6words80-7.txt
$ sed -i 's/g/9/g' ipv6words80-7.txt</pre>
<p>Now, we will sort for unique values one more time, and be done!</p>
<pre>$ sort -u ipv6words80-7.txt > ipv6words80-8.txt</pre>
<p>Now, starting with our original word list, we will end up with proper names, acronyms, and infrequently used words.  We could optionally use a different word list that doesn&#8217;t contain these words, but I decided to keep them for a more complete list.</p>
<p>Also, this list may not contain many of the slang words and such that are common in today&#8217;s language.</p>
<p>As you can see from the list below, we can create an IPv6 address such as 2001:db8::ea7:beef:7ac0:d095 (eat beef taco dogs!).</p>
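<p>The whole pipeline above, from the letter table through the final substitution, can also be expressed in a few lines of Python.  The following is an added example (my code, not the post&#8217;s script): it folds accents with Unicode normalisation instead of the byte-by-byte perl substitutions (so ß and æ are dropped rather than mapped), applies the same length, leading-o and letter rules, and validates an assembled address such as the eat/beef/taco/dogs one with the standard <tt>ipaddress</tt> module.  The function names and the sample word list are constructed for this example.</p>

```python
"""Word-to-hextet converter following the post's rules (added example, not the post's script)."""
import ipaddress
import unicodedata

# Digit look-alikes from the table above; a-f are hex digits already.
LOOKALIKE = {"o": "0", "i": "1", "l": "1", "z": "2", "s": "5", "t": "7", "g": "9"}
HEX_LETTERS = set("abcdef")


def word_to_hextet(word):
    """Return the 1-4 hex digit group that spells `word`, or None if it cannot be spelled.

    The steps mirror the shell pipeline: strip accents (café -> cafe; unlike the perl
    byte table this drops ß and æ instead of mapping them), remove apostrophes,
    lowercase, require 1-4 letters from the usable alphabet, and reject a leading 'o',
    because the resulting leading 0 is suppressed when the address is printed.
    """
    ascii_word = unicodedata.normalize("NFKD", word).encode("ascii", "ignore").decode()
    ascii_word = ascii_word.replace("'", "").lower()
    if not (1 <= len(ascii_word) <= 4 and ascii_word.isalpha()):
        return None
    if ascii_word[0] == "o" or any(c not in LOOKALIKE and c not in HEX_LETTERS for c in ascii_word):
        return None
    return "".join(LOOKALIKE.get(c, c) for c in ascii_word)


def ipv6_words(words):
    """Sorted, de-duplicated hextets for every spellable word (the post's final list)."""
    return sorted({h for h in map(word_to_hextet, words) if h is not None})


def words_to_address(prefix, words):
    """Spell `words` into consecutive groups after `prefix` and validate the result."""
    hextets = [word_to_hextet(w) for w in words]
    if None in hextets:
        raise ValueError(f"not every word in {words} can be spelled in hex")
    return str(ipaddress.IPv6Address(prefix + ":".join(hextets)))


# Constructed sample list: mixed case, an accent, an apostrophe and several rejects.
SAMPLE_WORDS = ["Dogs", "beef", "taco", "Café", "eat", "hello", "olive", "ode", "Abbe", "abbe", "it's"]

if __name__ == "__main__":
    print(ipv6_words(SAMPLE_WORDS))
    print(words_to_address("2001:db8::", ["eat", "beef", "taco", "dogs"]))
```

<p>Because <tt>words_to_address</tt> goes through <tt>ipaddress.IPv6Address</tt>, anything that is not a well-formed address (a group with a non-hex letter, too many groups) raises instead of silently producing a string that only looks like an address.</p>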
<p>And now, here is our completed IPv6 word list!</p>
<pre>1
10
100
1005
1007
100f
1010
1011
1015
101a
101d
105
1055
1057
105e
107
1070
1071
1075
1077
107a
107e
109
1090
1095
109e
10a
10a5
10ad
10af
10b
10b0
10b1
10b5
10be
10c0
10c1
10ca
10d1
10d2
10da
10de
10eb
10ed
10f7
11
110
1105
111
1110
1111
1115
1117
111a
112
1125
112a
115
1157
115a
115e
117
1175
117e
119
1195
11a
11a0
11a5
11b
11b5
11ce
11d
11d0
11d5
11de
11e
11e5
11ea
11ed
11ef
11f0
11f7
11fe
120d
12ba
15
150
151
1515
151a
151e
157
15a7
15ba
15d
15d5
17
170
1711
175
17a
17a1
17a5
17d
19
190
1905
199
1995
19a
19ad
19b0
19e
1a
1a0
1a05
1a10
1a11
1a1a
1a1c
1a1d
1a1e
1a2e
1a5
1a51
1a55
1a57
1a5e
1a7
1a71
1a75
1a7a
1a7e
1a9
1a90
1a95
1aa
1aa5
1ab
1ab5
1abe
1ac
1ac5
1ace
1ad
1ad5
1add
1ade
1aea
1aff
1b
1b0
1b05
1b15
1b1d
1b5
1c
1ca0
1cc
1cd
1cd5
1ce
1ce1
1ce5
1ced
1d
1d0
1d01
1d05
1d1
1d15
1d1e
1d5
1da
1da5
1dc
1de
1de5
1dea
1ded
1dee
1e
1e0
1e05
1e1
1e15
1e1a
1e1f
1e2
1e5
1e55
1e57
1e5a
1e7
1e70
1e75
1e77
1e7a
1e9
1e90
1e95
1ea
1ea1
1ea5
1ea7
1ead
1eaf
1eb0
1ec7
1ed
1ed5
1eda
1ee
1ee5
1ee7
1eed
1ef7
1f
1f5
1fc
1fc5
1ff
2
20
200
2001
2005
201a
201c
205
20a
20b0
20e
20e5
20ea
2111
211a
212
2122
217
2171
2175
217e
219
2195
21b0
21ff
222
25
2a
2a5
2a71
2a9
2a95
2e1
2e11
2e15
2e2e
2e57
2e7a
2ea
2ea1
2ea5
2ed
2ed5
2ee
2ee5
5
50
5001
5007
501
5010
5011
5015
501a
501d
501e
505
5050
5055
505a
507
5070
5075
509
5095
50b
50b5
50ba
50c
50c5
50ca
50d
50d5
50da
50f7
50fa
51
5107
5109
510b
510e
5110
5111
5117
511a
511d
511e
512e
515
5155
5157
517
5175
517a
517e
519
51a1
51a5
51a7
51a9
51ab
51b
51b5
51bb
51c
51c5
51ce
51d
51d5
51da
51de
51e
51ed
51ee
51f7
55
555
557
55a
55e
55e5
57
5701
5707
570a
570b
575
579
579e
57a
57a7
57a9
57ab
57d
57e
57e7
57ed
59
597
59d
5a
5a1
5a11
5a15
5a17
5a1c
5a1d
5a1e
5a2
5a55
5a5a
5a5e
5a7
5a71
5a75
5a7e
5a9
5a90
5a95
5a9a
5a9e
5aab
5ab
5ab5
5aba
5abe
5ac
5ac0
5ac5
5ad
5ad1
5ade
5afe
5b
5b5
5ba
5c
5c07
5c09
5c1
5c10
5c5
5c51
5ca7
5ca9
5cab
5cad
5d
5d1
5e
5e1
5e11
5e12
5e15
5e1d
5e1e
5e1f
5e2
5e5
5e55
5e5e
5e7
5e75
5e77
5e7a
5e9
5e90
5e95
5e9a
5ea
5ea1
5ea5
5ea7
5ec
5ec0
5ec5
5ec7
5ed
5ee
5ee1
5ee5
5eed
5f
7
70
700
7001
7007
7011
7017
701a
701d
701e
702e
7055
705a
705e
707
7070
7072
7075
707e
709
7090
7095
709a
70ad
70b
70be
70c
70c0
70d
70d5
70dd
70e
70e5
70ea
70ed
70f7
70ff
71
711
7111
7115
7117
711e
7122
715
717
7170
7171
7175
717e
719
7195
719e
71a
71a5
71b
71b5
71c
71c5
71ce
71d
71d5
71de
71e
71e5
71ed
71f7
71ff
75
791f
7a
7a0
7a05
7a1
7a11
7a15
7a17
7a19
7a1a
7a1c
7a1e
7a1f
7a5
7a55
7a7
7a71
7a75
7a77
7a7e
7a9
7a95
7aa1
7ab
7ab1
7ab5
7ac0
7ac7
7ace
7ad
7ad5
7ae1
7af
7af7
7b
7b5
7ba
7c
7c5
7cdd
7d
7dd
7e
7e1
7e11
7e15
7e17
7e1a
7e1d
7e1e
7e5
7e51
7e55
7e57
7e7
7e75
7e7e
7e9
7e95
7e99
7ea
7ea1
7ea5
7ea7
7ead
7ed
7ed5
7ee
7ee1
7ee5
7eed
7ef
7ef1
7ef5
7eff
9
90
900
9001
9005
9009
900d
900f
901d
901f
905
9055
907
909
9090
90a
90a1
90a5
90a7
90ad
90af
90b
90b0
90b1
90b5
90d
90d5
90e1
90e5
90ff
91
910
9105
910b
911
9111
9115
9117
911a
911b
911d
911e
9122
912a
915
9157
917
9175
917a
917e
919
9190
9191
9195
919a
91ad
91b
91b5
91be
91d
91d5
91de
91e
91e1
91e5
91e9
91ed
91ee
91f
91f7
95
95a
97
97d
97e
97e5
9a
9a0
9a1
9a11
9a15
9a17
9a1a
9a1d
9a1e
9a2
9a2a
9a2e
9a5
9a55
9a57
9a7
9a75
9a77
9a7e
9a9
9a95
9a9a
9a9e
9ab
9ab0
9ab5
9aba
9ad
9ad1
9ad5
9ade
9ae1
9ae5
9aea
9aff
9b
9b5
9ca
9d
9d5
9e
9e0
9e01
9e05
9e09
9e0d
9e1
9e15
9e1d
9e5
9e57
9e7
9e72
9e75
9e7a
9ea1
9ea7
9ed
9ed5
9ee
9ee2
9ee5
9eed
9eff
9f1
9fc1
a
a01
a015
a1
a10d
a10e
a11
a115
a11f
a15
a150
a17
a170
a175
a17a
a19
a19a
a1a
a1a1
a1a5
a1ae
a1b
a1b1
a1b5
a1ba
a1be
a1c0
a1d
a1d0
a1d5
a1da
a1de
a1e
a1e5
a1ea
a1ec
a1ee
a1ef
a1f
a1f5
a1fa
a2
a20
a21e
a25
a27
a275
a5
a51
a515
a51a
a55
a555
a557
a571
a5a
a5a5
a5a7
a5c0
a5c1
a5ea
a7
a70c
a711
a75
a77
a7c
a7c0
a7e
a7e5
a9
a90
a909
a910
a95
a9a
a9a5
a9c
a9e
a9e5
a9ed
a9ee
aa
aa1
aa15
aa5
aaa
ab
ab0
ab05
ab1
ab1b
ab1e
ab5
ab55
aba
aba5
abac
abb
abb5
abba
abbe
abc
abc5
abd
abd5
abe
abe1
abe5
abe7
abed
ac
ac15
ac1d
ac5
ac7
ac75
ac79
ac7a
acc
acc7
ace
ace5
aced
ad
ad0
ad05
ad17
ad2e
ad5
ada
ada5
adc
add
add5
ade1
ae
aec
aec5
af
af7
afb
afc
afdc
aff
b
b0
b00
b005
b007
b00b
b01
b010
b011
b017
b01a
b01d
b01e
b02
b020
b05
b055
b05c
b05e
b07
b070
b075
b077
b07a
b09
b095
b09a
b0a
b0a2
b0a5
b0a7
b0b
b0b5
b0ba
b0d
b0d5
b0de
b0ff
b1
b10
b101
b105
b107
b109
b10b
b10c
b111
b11e
b12
b125
b12e
b15
b17
b170
b175
b177
b17e
b19
b195
b199
b19a
b1a
b1a5
b1a7
b1a9
b1ab
b1ad
b1ae
b1b
b1b1
b1b5
b1bb
b1c
b1c5
b1ce
b1d
b1d1
b1d5
b1d9
b1de
b1e1
b1e7
b1eb
b1ed
b1ee
b1ff
b5
b55
b5a
b5d
b5d5
b7
b71
b75
ba
ba1
ba11
ba15
ba17
ba1a
ba1d
ba1e
ba5
ba55
ba57
ba5e
ba7
ba75
ba77
ba7e
ba9
ba95
baa
baa1
baa5
bab
bab1
bab5
baba
babb
babe
bac7
bad
bad5
bade
bae2
baf7
baff
bb
bb1
bb15
bb5
bbb
bbc
bc
bc5
bc9
bcd
bd
bd1
be
be1
be11
be15
be17
be19
be1a
be2
be5
be55
be57
be7
be75
be7a
be7e
be9
be90
be95
bea7
bead
bebe
bed
bed5
bede
bee
bee5
bee7
beeb
beef
bf
c
c0
c00
c001
c005
c007
c00f
c01
c010
c011
c015
c017
c01a
c01d
c01e
c01f
c02
c02e
c05
c055
c057
c05e
c07
c075
c077
c07e
c09
c095
c0a1
c0a7
c0b
c0b5
c0bb
c0c0
c0ca
c0d
c0d5
c0da
c0de
c0ed
c0f7
c0ff
c1
c105
c107
c109
c10d
c110
c111
c117
c15
c157
c15c
c17
c170
c175
c17e
c19
c195
c1a
c1a0
c1a5
c1a9
c1ad
c1d
c1e0
c1e9
c1ef
c2
c5
c57
c575
c5c
c7
c75
c9
ca
ca1
ca10
ca11
ca1d
ca1e
ca1f
ca5
ca55
ca57
ca5a
ca5e
ca7
ca70
ca75
ca77
ca7e
ca9e
caa
cab
cab5
caba
caca
cad
cad1
cad5
cade
cafe
caff
cb
cb5
cbc
cbc5
cc
cc5
ccd
cd
cd5
cd7
cdc
ce
ce0
ce05
ce1
ce11
ce15
ce17
ce5
ce55
ce70
ce7e
cea
cea5
ceca
ced1
cede
cee
cee5
cf
cf0
cf5
cfc
cfc5
d
d0
d00
d001
d005
d00b
d01
d011
d015
d017
d01a
d01e
d02
d02e
d05
d055
d057
d05e
d07
d075
d07e
d09
d095
d09e
d0a
d0a7
d0ab
d0b
d0b5
d0be
d0c
d0c5
d0d
d0d0
d0d5
d0e
d0e5
d0ff
d1
d10
d101
d105
d111
d15
d155
d157
d15a
d15c
d17
d172
d175
d177
d17a
d17e
d19
d195
d1a1
d1a5
d1a9
d1b
d1b5
d1c7
d1ce
d1d
d1d0
d1e
d1e1
d1e5
d1e7
d1eb
d1ed
d1f
d1f5
d1ff
d2
d20
d205
d5
d50
d505
d57
d75
d7d
d9
d95
da
da1
da11
da15
da17
da1e
da2e
da5
da55
da57
da7
da70
da75
da7a
da7e
da9
da90
da95
daa1
dab
dab5
dace
dad
dad0
dad5
dada
dadd
dae
daf7
daff
db
db1
db5
dc
dc5
dd
dd1
dd5
dd55
dd7
dd75
ddc
ddd
dde
dded
de
de0
de05
de1
de11
de15
de17
de1d
de1e
de1f
de5
de55
de5c
de9
dea
dea1
dead
deaf
deb
deb5
deb7
dec
dec0
dec1
dec5
decd
dee
dee5
dee7
deed
def
def1
def7
e
e0
e01a
e05
e055
e0e
e1
e10
e105
e11
e112
e115
e11a
e11d
e15
e15a
e15e
e17
e175
e199
e1a
e1ba
e1be
e1c0
e1d
e1d5
e1de
e1ea
e1f
e1f5
e2
e2e1
e5
e51
e55
e55e
e57
e575
e57e
e5c
e5d
e5e
e5e5
e7
e71c
e77a
e7a
e7a5
e7a7
e7c
e7d
e9
e90
e905
e99
e990
e995
e9a1
e9ad
ea
ea1e
ea5
ea57
ea5e
ea7
ea75
ead5
ebb
ebb5
ec
ec0
ec01
ec05
ec0d
ec9
ec95
ecad
ecc0
ecc1
ecce
ed
ed0
ed05
ed17
ed5
ed7
ed7a
ed9e
edb
edd0
edda
ede
ee
ee0
ee0c
ee1
ee15
ee9
ee95
eec
eec5
ef
ef1
ef5
ef7
ef75
ef7a
eff
eff5
f
f0
f00
f001
f005
f007
f00d
f01
f011
f01a
f01d
f055
f09
f095
f0a1
f0b
f0b5
f0e
f0e5
f0f1
f1
f10
f105
f109
f10c
f10e
f11
f110
f111
f115
f117
f11a
f11c
f11e
f12
f122
f157
f15c
f17
f175
f177
f19
f190
f195
f1a
f1a7
f1a9
f1ab
f1b
f1b5
f1c0
f1ca
f1ce
f1d
f1d0
f1d5
f1de
f1e
f1e5
f1ea
f1ed
f1ee
f1ef
f1f0
f1fe
f5
f5f
f7
f75
f7c
fa
fa0
fa05
fa11
fa1a
fa2e
fa5
fa57
fa7
fa75
fa7e
fa9
fa95
faa
fab
fab5
fac
fac7
face
fad
fad0
fad5
fade
faff
fb1
fb15
fca
fcc
fd
fd1c
fda
fe
fe0d
fe11
fe15
fe17
fe2
fe25
fe5
fe55
fe57
fe7
fe75
fe7a
fe7e
fe95
fea1
fea7
feb
feb5
fec
fed
fed5
fee
fee1
fee5
fee7
feeb
feed
ff</pre>
<p>Of course, some words can be hard to read (200 = zoo), but this is really just for fun, so who cares?!</p>
<p>Here is a simple little bash script that will take any word list as input and create a list of valid IPv6 words for you.  Enjoy!</p>
<pre>
#!/bin/bash

VERSION=0.6

if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
        echo
        echo "Make IPv6 Word List version $VERSION"
        echo "Copyright 2013 Sophiedogg.com"
        echo "This script may be freely used and distributed, so long as credit"
        echo "to the original author remains in place."
        echo
        echo "Usage: $0 [wordlist]"
        echo
        echo "This script will make a list of IPv6 words from the input file."
        echo "An output file will be created in the same location as the"
        echo "original file, with the extension .ipv6words."
        echo
        echo "Options:"
        echo "  -h, --help                 display this help message"
        echo
elif [ -z "$1" ]; then
        echo
        echo "You must specify a word list to start from."
        echo
        echo "Usage: $0 [wordlist]"
        echo
else
        if [ ! -e "$1" ]; then
                echo
                echo "File $1 does not exist"
                echo
        else
                echo
                # Work files come from mktemp rather than fixed names in /tmp, so another
                # local user cannot pre-create or symlink them; the trap cleans up on exit.
                TMPOUT1=$(mktemp /tmp/ipv6words.XXXXXX) || exit 1
                TMPOUT2=$(mktemp /tmp/ipv6words.XXXXXX) || exit 1
                trap 'rm -f "$TMPOUT1" "$TMPOUT2"' EXIT

                # Drop every word containing a letter that has no hex digit or look-alike digit
                grep -iv 'h\|j\|k\|m\|n\|p\|q\|r\|u\|v\|w\|x\|y' "$1" > "$TMPOUT1"

                # Fold ISO-8859-1 accented letters to plain ASCII
                perl -pi -e 's/\xC0/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC1/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC2/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC3/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC4/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC5/A/g' "$TMPOUT1"
                perl -pi -e 's/\xC6/AE/g' "$TMPOUT1"
                perl -pi -e 's/\xC7/C/g' "$TMPOUT1"
                perl -pi -e 's/\xC8/E/g' "$TMPOUT1"
                perl -pi -e 's/\xC9/E/g' "$TMPOUT1"
                perl -pi -e 's/\xCA/E/g' "$TMPOUT1"
                perl -pi -e 's/\xCB/E/g' "$TMPOUT1"
                perl -pi -e 's/\xCC/I/g' "$TMPOUT1"
                perl -pi -e 's/\xCD/I/g' "$TMPOUT1"
                perl -pi -e 's/\xCE/I/g' "$TMPOUT1"
                perl -pi -e 's/\xCF/I/g' "$TMPOUT1"
                perl -pi -e 's/\xD0/D/g' "$TMPOUT1"
                perl -pi -e 's/\xD1/N/g' "$TMPOUT1"
                perl -pi -e 's/\xD2/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD3/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD4/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD5/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD6/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD8/O/g' "$TMPOUT1"
                perl -pi -e 's/\xD9/U/g' "$TMPOUT1"
                perl -pi -e 's/\xDA/U/g' "$TMPOUT1"
                perl -pi -e 's/\xDB/U/g' "$TMPOUT1"
                perl -pi -e 's/\xDC/U/g' "$TMPOUT1"
                perl -pi -e 's/\xDD/Y/g' "$TMPOUT1"
                perl -pi -e 's/\xDF/B/g' "$TMPOUT1"
                perl -pi -e 's/\xE0/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE1/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE2/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE3/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE4/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE5/a/g' "$TMPOUT1"
                perl -pi -e 's/\xE6/ae/g' "$TMPOUT1"
                perl -pi -e 's/\xE7/c/g' "$TMPOUT1"
                perl -pi -e 's/\xE8/e/g' "$TMPOUT1"
                perl -pi -e 's/\xE9/e/g' "$TMPOUT1"
                perl -pi -e 's/\xEA/e/g' "$TMPOUT1"
                perl -pi -e 's/\xEB/e/g' "$TMPOUT1"
                perl -pi -e 's/\xEC/i/g' "$TMPOUT1"
                perl -pi -e 's/\xED/i/g' "$TMPOUT1"
                perl -pi -e 's/\xEE/i/g' "$TMPOUT1"
                perl -pi -e 's/\xEF/i/g' "$TMPOUT1"
                perl -pi -e 's/\xF0/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF1/n/g' "$TMPOUT1"
                perl -pi -e 's/\xF2/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF3/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF4/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF5/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF6/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF8/o/g' "$TMPOUT1"
                perl -pi -e 's/\xF9/u/g' "$TMPOUT1"
                perl -pi -e 's/\xFA/u/g' "$TMPOUT1"
                perl -pi -e 's/\xFB/u/g' "$TMPOUT1"
                perl -pi -e 's/\xFC/u/g' "$TMPOUT1"
                perl -pi -e 's/\xFD/y/g' "$TMPOUT1"
                perl -pi -e 's/\xFF/y/g' "$TMPOUT1"

                # Folding can introduce unusable letters again (n, u, y), so filter once more
                grep -iv 'h\|j\|k\|m\|n\|p\|q\|r\|u\|v\|w\|x\|y' "$TMPOUT1" > "$TMPOUT2"

                # Keep only words of 1 to 4 letters, so that a word fits in one hex group
                grep -E '^[[:alpha:]]{4}$' "$TMPOUT2" > "$TMPOUT1"
                grep -E '^[[:alpha:]]{3}$' "$TMPOUT2" >> "$TMPOUT1"
                grep -E '^[[:alpha:]]{2}$' "$TMPOUT2" >> "$TMPOUT1"
                grep -E '^[[:alpha:]]{1}$' "$TMPOUT2" >> "$TMPOUT1"

                tr '[A-Z]' '[a-z]' < "$TMPOUT1" > "$TMPOUT2"

                # A leading o becomes a leading 0, which IPv6 notation suppresses
                grep -v '^o' "$TMPOUT2" > "$TMPOUT1"

                sort -u "$TMPOUT1" > "$TMPOUT2"

                # Substitute digits for the look-alike letters
                sed -i 's/o/0/g' "$TMPOUT2"
                sed -i 's/i/1/g' "$TMPOUT2"
                sed -i 's/l/1/g' "$TMPOUT2"
                sed -i 's/z/2/g' "$TMPOUT2"
                sed -i 's/s/5/g' "$TMPOUT2"
                sed -i 's/t/7/g' "$TMPOUT2"
                sed -i 's/g/9/g' "$TMPOUT2"

                # Final de-duplication writes the result next to the input file
                sort -u "$TMPOUT2" > "$1.ipv6words"

                echo "Output written to $1.ipv6words"

                echo
        fi
fi
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/fun-with-ipv6-words/feed/</wfw:commentRss>
			<slash:comments>3</slash:comments>
		
		
			</item>
		<item>
		<title>Setting up HTB on CentOS 6</title>
		<link>https://sophiedogg.com/setting-up-htb-on-centos-6/</link>
					<comments>https://sophiedogg.com/setting-up-htb-on-centos-6/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Fri, 30 Nov 2012 02:26:52 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=760</guid>

					<description><![CDATA[The Hierarchical Token Bucket Quality of Service (HTB QoS) system is a great tool to use for controlling the bandwidth of a network link, especially when you have a bunch of doggs on your network that love to use up all the internets they can get! Lets take a look at a quick and simple [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The Hierarchical Token Bucket Quality of Service (HTB QoS) system is a great tool to use for controlling the bandwidth of a network link, especially when you have a bunch of doggs on your network that love to use up all the internets they can get!  Let&#8217;s take a look at a quick and simple HTB QoS setup on a CentOS 6 Linux box. <span id="more-760"></span></p>
<p>First, go to Google and run some <a href="http://www.google.com/search?q=bandwidth+test" target="_blank" rel="noopener">bandwidth tests</a> in order to get a good idea of your actual line speed.  Take note of your maximum upload and download speeds.  On my home network, I measured around 23Mbit down and 1Mbit up.  Write these numbers down and save them for later&#8230;</p>
<p>Next, make sure that the iproute package is installed; it provides the <tt>tc</tt> command that the htb.init script drives.</p>
<pre># yum install iproute</pre>
<p>Now we can download the necessary htb.init script and examples to get us started.  The htb.init script can be downloaded from <a href="http://sourceforge.net/projects/htbinit/files/HTB.init/0.8.5/htb.init-v0.8.5/download" target="_blank" rel="noopener">here</a>.  Stick this script in your <tt>/etc/init.d/</tt> directory.  Next, download the <a href="http://downloads.sourceforge.net/project/htbinit/Examples/LARTC/htb-lartc.tar.gz" target="_blank" rel="noopener">example files</a> and put them into the <tt>/etc/sysconfig/htb/</tt> directory.  Below are the commands I ran&#8230;</p>
<pre># wget http://sourceforge.net/projects/htbinit/files/HTB.init/0.8.5/htb.init-v0.8.5/download
# mv htb.init-v0.8.5 /etc/init.d/htb.init
# chmod 755 /etc/init.d/htb.init
# wget http://downloads.sourceforge.net/project/htbinit/Examples/LARTC/htb-lartc.tar.gz
# mkdir htb
# tar zxf htb-lartc.tar.gz -C ./htb
# mv ./htb /etc/sysconfig/</pre>
<p>Now, one other set of commands I want to run, to slightly change the names of the htb files to fit my needs.  I am only going to have two classes of traffic, plus the default.  I want to make sure my www and ssh connections each have a separate allocated bucket of bandwidth, and everything else can share the default bucket.  The commands below will rename the htb configuration files to match.  Please note that we are using the <tt>eth0</tt> device in this example, since it is our internet connection.  Keep in mind that a queuing discipline only shapes traffic transmitted out of the interface it is attached to: on <tt>eth0</tt> these rules govern what leaves toward the internet (uploads and replies to incoming connections), not what arrives.  To cap what the LAN downloads, you would attach a matching HTB setup to the LAN-facing interface as well, since that is the interface the downloaded traffic is transmitted out of.</p>
<pre># cd /etc/sysconfig/htb
# mv eth0-2\:10.www eth0-2\:10.ssh
# mv eth0-2\:20.smtp eth0-2\:20.www</pre>
<p>Ok! Now that we have the init script in place, and the rules files in place, we can actually start some bandwidth shaping!</p>
<p>You will notice in the <tt>/etc/sysconfig/htb/</tt> folder that there are a number of different files, with some slightly different names.  The first file we&#8217;ll look at, <tt>eth0</tt>, just specifies what device we are working with.  Inside this file are lines setting the default class (the one used when no rule matches) and our R2Q.  HTB derives each class&#8217;s quantum, the number of bytes one class may send before the scheduler moves on to service the next, from that class&#8217;s rate in bytes per second divided by R2Q, so the faster your link, the larger a quantum you can afford.  Keep in mind that the division uses each class&#8217;s own RATE: with R2Q=100 the 20Mbit root class gets a quantum of 25000 bytes, but a 128Kbit leaf class works out to 160 bytes, which the kernel raises to its 1000-byte minimum while logging a &#8220;quantum of class &#8230; is small&#8221; warning.  If you see that warning, lower R2Q or give those classes an explicit quantum.  I&#8217;m using an R2Q of 100, however you can always adjust this value depending on your needs and bandwidth speed.  Below are the contents of the <tt>eth0</tt> file:</p>
<pre># eth0 device
DEFAULT=99
R2Q=100</pre>
<p>Next, the <tt>eth0-2.root</tt> file.  This specifies the rate, ceiling rate, and burst for the root class, which stands for the whole link on eth0.  RATE is the bandwidth the class is guaranteed (its minimum), CEIL is the maximum it may reach by borrowing spare bandwidth from its parent, and BURST is the size of the token bucket: how many bytes the class may send at full interface speed before the RATE limit catches up with it.  Below are the contents of the eth0-2.root file:</p>
<pre># root class containing total bandwidth
RATE=20Mbit
CEIL=20Mbit
BURST=1Mbit</pre>
<p>Notice here that we are setting the rates at 20Mbit, which is below our maximum tested rate of 23Mbit.  By setting our rate lower than the actual link rate, we limit the buffering done by any network equipment beyond our router (like the cable/DSL modem).  This will decrease our lag time by keeping any traffic buffers on our faster equipment.  I will gladly sacrifice a small amount of total speed for lower latency.</p>
<p>Finally, we have our rules files.  I set my ssh traffic to be given a minimum of 128Kbit and a maximum of 20Mbit.  <tt>PRIO=1</tt> also gives it the highest priority, so when classes compete for spare bandwidth the ssh class is served first.  A similar setup is done for the www traffic and the default traffic.  Below are the three files defining these classes&#8230;</p>
<p>eth0-2:10.ssh</p>
<pre># class for SSH traffic
RATE=128Kbit
CEIL=20Mbit
PRIO=1
RULE=*:22,
RULE=*:22
LEAF=sfq</pre>
<p>eth0-2:20.www</p>
<pre># class for WWW traffic
RATE=128Kbit
CEIL=20Mbit
PRIO=2
RULE=*:80,
RULE=*:443,
RULE=*:8008,
RULE=*:8080,
RULE=*:80
RULE=*:443
RULE=*:8008
RULE=*:8080
LEAF=sfq</pre>
<p>eth0-2:99.dfl</p>
<pre># class for all other traffic
RATE=128Kbit
CEIL=20Mbit
PRIO=7
LEAF=sfq</pre>
<p>Now, lets take a look at the <tt>RULE=</tt> lines from the <tt>eth0-2:10.ssh</tt> file above.</p>
<pre>RULE=*:22,
RULE=*:22</pre>
<p>Rules are specified with the pattern <tt>RULE=[[saddr[/prefix]][:port[/mask]],][daddr[/prefix]][:port[/mask]]</tt>.  Everything before the comma describes the source and everything after it the destination, so the first line, <tt>RULE=*:22,</tt> (note the trailing comma), matches traffic from any address with a source port of 22, while the second line, <tt>RULE=*:22</tt>, matches traffic to any address with a destination port of 22.  We do the same thing with the appropriate port numbers for our www class in order to shape our www traffic.  Since this is where we control which traffic matches which class, there are many options: you can match on source address or destination address (with an optional prefix length), source port, destination port, or a combination of them!  Take a look at the links below for some more examples.  Finally, any traffic which matches none of the rules lands in the default class, <tt>2:99</tt> here, as set by <tt>DEFAULT=99</tt> in the <tt>eth0</tt> file.</p>
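<p>To make the matching concrete, here is an added worked example in Python (not code from the post or from htb.init): it parses constructed copies of the three class files above, maps sample packets to a class the way the generated tc filters would, and also works out the quantum that the R2Q setting from the <tt>eth0</tt> file gives each class.  Assumptions not on the page: rules are tried in ascending class-id order with the first match winning, the <tt>port/mask</tt> form is left unimplemented, and the 1000..200000 byte quantum bounds are the ones the kernel&#8217;s HTB applies when a class has no explicit quantum.</p>

```python
"""Model the RULE= matching from the htb.init class files above.

Added example, not code from the post or from htb.init.  Assumptions not on
the page: rules are tried in ascending class-id order with the first match
winning, the port/mask form is not implemented, and the 1000..200000 byte
quantum bounds are the ones the kernel applies when no explicit quantum is set.
"""
import ipaddress
import re
from typing import Any, Dict, List, NamedTuple, Optional, Tuple

# Constructed copies of the class files from /etc/sysconfig/htb on the page.
CLASS_FILES = {
    "eth0-2:10.ssh": "RATE=128Kbit\nCEIL=20Mbit\nPRIO=1\nRULE=*:22,\nRULE=*:22\nLEAF=sfq\n",
    "eth0-2:20.www": (
        "RATE=128Kbit\nCEIL=20Mbit\nPRIO=2\n"
        "RULE=*:80,\nRULE=*:443,\nRULE=*:8008,\nRULE=*:8080,\n"
        "RULE=*:80\nRULE=*:443\nRULE=*:8008\nRULE=*:8080\nLEAF=sfq\n"
    ),
    "eth0-2:99.dfl": "RATE=128Kbit\nCEIL=20Mbit\nPRIO=7\nLEAF=sfq\n",
}
DEFAULT_CLASS = "99"   # DEFAULT=99 from the eth0 file
R2Q = 100              # R2Q=100 from the eth0 file


class Endpoint(NamedTuple):
    net: Optional[ipaddress.IPv4Network]   # None stands for "*" (any address)
    port: Optional[int]                    # None stands for any port

    def matches(self, addr: str, port: int) -> bool:
        in_net = self.net is None or ipaddress.ip_address(addr) in self.net
        return in_net and (self.port is None or self.port == port)


class Rule(NamedTuple):
    src: Endpoint
    dst: Endpoint


def parse_endpoint(text: str) -> Endpoint:
    """'[addr[/prefix]][:port]' -> Endpoint; empty or '*' means any."""
    addr, _, port = text.strip().partition(":")
    if "/" in port:
        raise ValueError("port/mask rules are not handled by this example")
    net = None if addr in ("", "*") else ipaddress.ip_network(addr, strict=False)
    return Endpoint(net, None if port in ("", "*") else int(port))


def parse_rule(value: str) -> Rule:
    """Text after RULE=; the part before a comma is the source, after it the destination."""
    if "," in value:
        src_text, dst_text = value.split(",", 1)
    else:
        src_text, dst_text = "", value
    return Rule(parse_endpoint(src_text), parse_endpoint(dst_text))


def parse_class_file(text: str) -> Dict[str, Any]:
    cfg: Dict[str, Any] = {"rules": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "RULE":
            cfg["rules"].append(parse_rule(value))
        else:
            cfg[key] = value
    return cfg


def load_classes(files: Dict[str, str]) -> List[Tuple[str, Dict[str, Any]]]:
    """(minor class id, config) pairs from 'eth0-2:<id>.<name>' files, ordered by id."""
    classes = []
    for name, text in files.items():
        m = re.match(r"^eth0-2:(\d+)\.", name)
        if m:
            classes.append((m.group(1), parse_class_file(text)))
    return sorted(classes, key=lambda item: int(item[0]))


CLASSES = load_classes(CLASS_FILES)


def classify(src: str, sport: int, dst: str, dport: int) -> str:
    """Minor id of the class a packet lands in; unmatched traffic goes to DEFAULT_CLASS."""
    for cid, cfg in CLASSES:
        for rule in cfg["rules"]:
            if rule.src.matches(src, sport) and rule.dst.matches(dst, dport):
                return cid
    return DEFAULT_CLASS


_RATE_UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000}   # tc's decimal units


def quantum_bytes(rate: str, r2q: int) -> Tuple[int, Optional[str]]:
    """quantum = rate in bytes/s divided by R2Q, clamped as HTB does; returns (quantum, warning)."""
    m = re.fullmatch(r"(\d+)([A-Za-z]+)", rate)
    if not m:
        raise ValueError(f"unrecognised rate {rate!r}")
    bytes_per_sec = int(m.group(1)) * _RATE_UNITS[m.group(2).lower()] // 8
    quantum = bytes_per_sec // r2q
    if quantum < 1000:
        return 1000, "small"     # kernel logs "quantum of class ... is small"
    if quantum > 200000:
        return 200000, "big"     # kernel logs "quantum of class ... is big"
    return quantum, None


if __name__ == "__main__":
    print("ssh reply  ->", classify("203.0.113.5", 22, "192.168.1.10", 51234))
    print("https      ->", classify("192.168.1.10", 51234, "203.0.113.5", 443))
    print("dns        ->", classify("192.168.1.10", 51234, "203.0.113.5", 53))
    print("root class ->", quantum_bytes("20Mbit", R2Q))
    for cid, cfg in CLASSES:
        print("class 2:%s ->" % cid, quantum_bytes(cfg["RATE"], R2Q))
```

<p>Running it shows ssh replies (source port 22) and ssh connections (destination port 22) both landing in class 2:10, HTTPS in 2:20 and DNS in the 2:99 default; the quantum check flags the 128Kbit leaf classes as too small for R2Q=100 while the 20Mbit root class gets 25000 bytes.</p>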
<p>The image below illustrates the hierarchy within this specific setup.<br />
<a href="https://sophiedogg.com/wp-content/uploads/2012/11/htb.png" target="_blank" rel="noopener"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2012/11/htb.png" alt="HTB - Hierarchical Token Bucket Example" title="htb" width="800" height="730" class="aligncenter size-full wp-image-780" srcset="https://sophiedogg.com/wp-content/uploads/2012/11/htb.png 800w, https://sophiedogg.com/wp-content/uploads/2012/11/htb-300x273.png 300w" sizes="(max-width: 800px) 100vw, 800px" /></a></p>
<p>Now, in order to start using the rules and make them persistent on every reboot, we will add the <tt>htb.init</tt> service to the system, set it to start on boot, and turn it on right now!  The commands below will do this for us:</p>
<pre># chkconfig --add htb.init
# chkconfig htb.init on
# service htb.init start</pre>
<p>If you get a warning along the lines of <tt>find: warning: you have specified the -maxdepth option after a non-option argument -type, but options are not positional</tt> then you will need to uncomment the following line in your <tt>/etc/init.d/htb.init</tt> script:</p>
<pre>HTB_BASIC="yes"</pre>
<p>Using this simple HTB QoS setup, we can provide network bandwidth control to our small home network, preventing any one dogg from hogging all the internets!  This setup will also scale fairly well to much larger installations.</p>
<p>Take a look at the <a href="http://sourceforge.net/projects/htbinit/files/HTB.init/0.8.5/htb.init-v0.8.5/download" target="_blank" rel="noopener">htb.init-v0.8.5</a> script we downloaded earlier for some more rule examples, as well as explanations of the configuration options.</p>
<p>Also check out the following websites for some more information on HTB QoS network traffic control.<br />
<a href="http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm" target="_blank" rel="noopener">HTB Linux queuing discipline manual &#8211; user guide</a><br />
<a href="http://lartc.org/howto/" target="_blank" rel="noopener">Linux Advanced Routing &#038; Traffic Control HOWTO</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/setting-up-htb-on-centos-6/feed/</wfw:commentRss>
			<slash:comments>6</slash:comments>
		
		
			</item>
		<item>
		<title>Blocking Services with Fail2Ban</title>
		<link>https://sophiedogg.com/blocking-services-with-fail2ban/</link>
					<comments>https://sophiedogg.com/blocking-services-with-fail2ban/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Tue, 17 Apr 2012 17:19:20 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[IPTables]]></category>
		<category><![CDATA[Server]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=695</guid>

					<description><![CDATA[There are many different methods of securing a publicly accessible server, and one of the best things a system administrator can do is use fail2ban to dynamically block potential attackers before they can do any damage. First, you will want to install Fail2ban, so head over to Fail2Ban.org and follow their instructions for installing on [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>There are many different methods of securing a publicly accessible server, and one of the best things a system administrator can do is use fail2ban to dynamically block potential attackers before they can do any damage. <span id="more-695"></span></p>
<p>First, you will want to install Fail2ban, so head over to <a href="http://www.fail2ban.org">Fail2Ban.org</a> and follow their instructions for installing on your distribution.  On CentOS or RedHat, you will need to first install the <a href="http://fedoraproject.org/wiki/EPEL">EPEL</a> repository.  After doing so, fail2ban can be installed with the yum command <tt>yum install fail2ban</tt>.  That takes care of the installation! </p>
<p>Once you have Fail2Ban installed, you can start configuring it!  One of the problems that I run into with Fail2Ban is that it will try to load all the firewall rules too fast, resulting in errors like this:<br />
<tt>iptables -I INPUT -p all -j fail2ban-w00tw00t returned 400</tt><br />
You may also get some 100 or 200 errors as well.  The fix for this is easy enough (and hopefully it will be incorporated into upcoming versions; as of version 0.8.4 it is not).  Simply edit the file <tt>/usr/bin/fail2ban-client</tt> and add the line <tt>time.sleep(0.1)</tt> into the <tt>__processCmd</tt> function, around line 145, so that each command is given a short pause before the next one is sent to the server.  If the <tt>time</tt> module is not already imported at the top of that file, add <tt>import time</tt> as well.  Keep in mind that this edits a file owned by the fail2ban package, so a package update will overwrite it and the change has to be reapplied.  The first few lines of the function should look like this:</p>
<pre>def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)
        beautifier.setInputCmd(c)
        try:</pre>
<p>So, now that we have a working Fail2Ban setup, we can start configuring some rules!</p>
<p>First, take a look at <tt>/etc/fail2ban/fail2ban.conf</tt>.  This lets us specify some log options.  The only one that I am really concerned about is the logtarget, which I like to set to <tt>/var/log/fail2ban.log</tt>.</p>
<p>Next, let us look at the <tt>/etc/fail2ban/jail.conf</tt> file. Here you will want to configure your list of ignored IPs, which should include localhost and your trusted machine(s) or subnet (ex: <tt>ignoreip = 127.0.0.1 192.168.0.0/24 8.8.8.8</tt>); addresses on this list are never banned, even if they match a filter.  You can also adjust the bantime, findtime, and maxretry options, all of which are explained within the file.</p>
<p>Next you can pick what jails to run, and override any global settings with specific settings set here.  Spend some time reading through the different jail configurations to get an idea for how to set yours up.  I&#8217;m always a little more paranoid about security; I don&#8217;t want any cats in my dogghouse, so I will usually completely ban any user that fits one of my rules.  You could optionally just ban them from using the service they are attempting to exploit, if you wish.</p>
<p>Lets take a look at a jail configuration that I wrote myself.</p>
<pre>[dns-root]
enabled  = true
filter   = dns-root
action   = iptables-allports[name=DNS-ROOT]
           sendmail-whois[name=dns-root, dest=jerp@herpandderp.com, sender=fail2ban@myserver.com]
logpath  = /var/named/chroot/var/log/bind.log
maxretry = 2
bantime  = 86400</pre>
<p>One of my nameservers was getting a large number of NS lookup requests for the root domains.  Well, our server isn&#8217;t authoritative for the root zone, so we respond with a REFUSED notice, however this didn&#8217;t keep the requests from coming.  At first I thought that it was some sort of lame DOS attack against one of my nameservers, but after investigation I found that this was likely a <a href="http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html"> Root DNS Amplification Attack</a> against Facebook!  I would get approximately one request per minute for the root NS records, sending out one REFUSED response per minute to an IP address owned by Facebook.  In order to combat these annoyances, I created the <tt>[dns-root]</tt> jail for Fail2Ban.</p>
<p>Let&#8217;s take a look at what each setting in this jail does.  First, the enabled line dictates whether or not the jail is active.  Next, the filter line names the filter (a file in <tt>/etc/fail2ban/filter.d/</tt>) used to match the undesired behaviour.  The action line in this case runs the <tt>iptables-allports</tt> action with <tt>name=DNS-ROOT</tt>, which creates a chain called <tt>fail2ban-DNS-ROOT</tt> (the same naming you saw in the error message above) and, on each ban, inserts a rule there dropping traffic from the banned host on all ports.  Optionally, you can use one of the port-specific iptables actions instead, to block only the service being abused rather than your entire server.  The <tt>sendmail-whois</tt> line lets us send an email, with whois information about the banned host, to whoever you like.  Finally the logpath specifies the actual log to be checked against, and the maxretry along with the bantime values will override the global variables you specified earlier in that file.  One caveat specific to reflection attacks like the one above: the client address in the log is the spoofed victim&#8217;s, not the real sender&#8217;s, so the ban lands on the victim.  That is still useful here, since it stops your server reflecting REFUSED replies at it, but it does not block the attacker.</p>
<p>Next, take a look at the matching filter.  After removing some extra comments, we are left with this:</p>
<pre># Fail2Ban DNS-ROOT configuration file

[Definition]
failregex = ^.* security: info: client <HOST>#.*: query \(cache\) './(NS|A|AAAA|MX|CNAME)/IN' denied

ignoreregex =</pre>
<p>What we have are two variables.  The first, failregex, is a regular expression that matches the denied root-zone lookup lines in our log file; the <tt>&lt;HOST&gt;</tt> placeholder is expanded by fail2ban into a group that captures the client address to be banned.  The second, ignoreregex, lets us specify a pattern which causes an otherwise matching line to be ignored.  Basically, if a line matches failregex, the host gets a strike toward maxretry.  If the line also matches ignoreregex, it does not.</p>
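<p>As an added example (not part of the post or of fail2ban itself), the Python below replays the <tt>[dns-root]</tt> jail over a few constructed BIND log lines: it expands <tt>&lt;HOST&gt;</tt> the way fail2ban 0.8 does, applies failregex and ignoreregex, honours the <tt>ignoreip</tt> list from the jail.conf example above, and bans a host once it has <tt>maxretry</tt> matches inside <tt>findtime</tt>, emitting the kind of DROP rule the <tt>iptables-allports</tt> action inserts into its <tt>fail2ban-&lt;name&gt;</tt> chain.  The log lines and the findtime value are constructed; the regex, maxretry and bantime are the page&#8217;s.</p>

```python
"""Replay the [dns-root] jail over a few BIND log lines.

Added example, not part of the post or of fail2ban.  The log lines, the
findtime value and the ignoreip list (taken from the jail.conf example in the
post) are constructed for this example; the failregex, maxretry and bantime
are the page's.  The DROP rule shape follows the iptables-allports action.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FAILREGEX = (r"^.* security: info: client <HOST>#.*: query \(cache\) "
             r"'./(NS|A|AAAA|MX|CNAME)/IN' denied")
IGNOREREGEX = ""                                   # empty, as in the filter above
IGNOREIP = "127.0.0.1 192.168.0.0/24 8.8.8.8"      # the jail.conf example from the post
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"  # fail2ban 0.8's <HOST> expansion

# Constructed BIND security-category log lines (not real traffic).
LOG = """\
29-Mar-2012 10:15:01.123 security: info: client 198.51.100.23#40212: query (cache) './NS/IN' denied
29-Mar-2012 10:15:33.508 security: info: client 192.168.0.7#53011: query (cache) './NS/IN' denied
29-Mar-2012 10:15:40.011 queries: info: client 203.0.113.9#5512: query: www.example.com IN A + (203.0.113.1)
29-Mar-2012 10:16:02.777 security: info: client 198.51.100.23#40213: query (cache) './NS/IN' denied
29-Mar-2012 10:16:30.002 security: info: client 192.168.0.7#53012: query (cache) './NS/IN' denied
29-Mar-2012 11:30:00.000 security: info: client 198.51.100.23#40214: query (cache) './NS/IN' denied
"""
_TIMESTAMP = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})")


def compile_filter(regex: str) -> Optional["re.Pattern[str]"]:
    """Expand <HOST> and compile; an empty regex (like ignoreregex above) disables the check."""
    return re.compile(regex.replace("<HOST>", HOST_PATTERN)) if regex.strip() else None


class Jail:
    def __init__(self, name: str, failregex: str, ignoreregex: str, ignoreip: str,
                 maxretry: int, findtime: int, bantime: int) -> None:
        self.name = name
        self.fail = compile_filter(failregex)
        self.ignore = compile_filter(ignoreregex)
        self.ignoreip = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures: Dict[str, List[datetime]] = defaultdict(list)
        self.banned: Dict[str, datetime] = {}      # host -> when the ban expires
        self.actions: List[str] = []               # ban/unban commands, in order

    def _ignored(self, host: str) -> bool:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                         # a hostname, never in ignoreip
            return False
        return any(addr in net for net in self.ignoreip)

    def _expire(self, now: datetime) -> None:
        for host, until in list(self.banned.items()):
            if until <= now:
                del self.banned[host]
                self.actions.append(f"iptables -D fail2ban-{self.name} -s {host} -j DROP")

    def process(self, line: str) -> Optional[str]:
        """Feed one log line; return the ban command if this line triggered a ban."""
        m = self.fail.search(line)
        if not m or (self.ignore and self.ignore.search(line)):
            return None
        ts = datetime.strptime(_TIMESTAMP.match(line).group(1), "%d-%b-%Y %H:%M:%S")
        self._expire(ts)
        host = m.group("host")
        if self._ignored(host) or host in self.banned:
            return None
        recent = [t for t in self.failures[host] if ts - t <= self.findtime] + [ts]
        self.failures[host] = recent
        if len(recent) < self.maxretry:
            return None
        self.banned[host] = ts + self.bantime
        action = f"iptables -I fail2ban-{self.name} 1 -s {host} -j DROP"
        self.actions.append(action)
        return action


def simulate(log: str = LOG, bantime: int = 86400) -> List[str]:
    """Run the [dns-root] jail (maxretry=2 from the post, findtime=600 assumed); return actions."""
    jail = Jail("DNS-ROOT", FAILREGEX, IGNOREREGEX, IGNOREIP,
                maxretry=2, findtime=600, bantime=bantime)
    for line in log.splitlines():
        jail.process(line)
    return jail.actions


if __name__ == "__main__":
    for cmd in simulate():
        print(cmd)
```

<p>With the page&#8217;s maxretry of 2, the host 198.51.100.23 is banned on its second denied root query, the 192.168.0.7 lines are skipped because that address sits inside the ignoreip subnet, and the ordinary query line never matches failregex at all.  Calling <tt>simulate(bantime=60)</tt> shows the other half of the cycle: the ban expires before the later line arrives, the unban command is emitted, and the host starts again from zero strikes.</p>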
<p>Now, once you have everything configured, you should be able to set the service to start at boot with the <tt>chkconfig fail2ban on</tt> command, and immediately make the service start with the <tt>service fail2ban start</tt> command.</p>
<p>Now you can finally have some peace of mind, knowing that those pesky internet cats won&#8217;t be able to get into your dogghouse and steal your bone!</p>
<p>If you are interested in creating your own rules, check out <a href="http://regexpal.com/">Regexpal.com</a> for help in writing and debugging regex.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/blocking-services-with-fail2ban/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>Setting up an IPv6 Tunnel</title>
		<link>https://sophiedogg.com/setting-up-an-ipv6-tunnel/</link>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Thu, 16 Feb 2012 21:09:06 +0000</pubDate>
				<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=517</guid>

					<description><![CDATA[So, you want to access IPv6 websites, but your ISP does not provide native IPv6 access? Well, here are some instructions for setting up a 6in4 IPv6 tunnel with Hurricane Electric! Now, these instructions are for RedHat based distro&#8217;s, and were specifically written using CentOS 6. This type of ipv6 tunnel won&#8217;t work behind NAT, [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>So, you want to access IPv6 websites, but your ISP does not provide native IPv6 access?  Well, here are some instructions for setting up a 6in4 IPv6 tunnel with Hurricane Electric! <span id="more-517"></span></p>
<p>Now, these instructions are for RedHat based distros, and were specifically written using CentOS 6.  This type of IPv6 tunnel won&#8217;t work behind <a href="http://en.wikipedia.org/wiki/Network_address_translation" title="Network Address Translation" target="_blank" rel="noopener">NAT</a>, so your machine must be connected directly to the internet with a public IP address (UPDATE: Thanks to KingKurly for pointing out that you can forward Protocol 41 to enable a tunnel through NAT, if your device supports it).  If you are looking for something that will work behind NAT, an AYIYA tunnel from <a href="http://www.sixxs.net/" title="SixXS" target="_blank" rel="noopener">SixXS.net</a> should work over NAT for you, and we&#8217;ll cover how to do this in a future article.  But, for now, let us continue with our 6in4 IPv6 tunnel from Hurricane Electric.</p>
<p>First, go to <a href="http://tunnelbroker.net" title="TunnelBroker" target="_blank" rel="noopener">Hurricane Electric</a> and get your free tunnel.</p>
<p>Next, open up ping requests from Hurricane Electric.  This step is important, as they won&#8217;t allocate a tunnel if they can&#8217;t ping your machine.  I normally don&#8217;t respond to ping requests, so I had to use a firewall rule like the one below to allow their pings through.</p>
<pre>-A INPUT -p icmp -m icmp -m limit -s 66.220.2.74/32 -i eth0 --icmp-type 8 --limit 1/sec -j ACCEPT</pre>
<p>Don&#8217;t forget to restart your firewall after making changes, to make sure your changes are active! <tt>service iptables restart</tt></p>
<p>Once you have an account you will want to create a regular tunnel.  This is basically an IPv4 tunnel between your computer and Hurricane Electric which carries your IPv6 traffic.  Enter your IPv4 address as the tunnel&#8217;s endpoint address.  After entering your IPv4 address, the website will check to make sure that it can ping your machine.  If it cannot ping your machine, you will get an error like the one below:<br />
<a href="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-error.png"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-error.png" alt="ipv6 tunnel create error" title="tunnel create error" width="622" height="47" class="aligncenter size-full wp-image-522" srcset="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-error.png 622w, https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-error-300x22.png 300w" sizes="(max-width: 622px) 100vw, 622px" /></a></p>
<p>If this happens, go back and check your firewall rules, and make sure that you can ping your machine from the outside.  If all else fails, try a more relaxed firewall rule, like this:</p>
<pre>-A INPUT -p icmp -m icmp -s 66.220.2.74/32 -j ACCEPT</pre>
<p>Or, even more relaxed:</p>
<pre>-A INPUT -p icmp -m icmp -j ACCEPT</pre>
<p>The first rule accepts all ICMP traffic from 66.220.2.74, while the second accepts all ICMP traffic from everyone.</p>
<p>Once everything is ready, you should see a message like this:<br />
<a href="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-success.png"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-success.png" alt="ipv6 tunnel create success" title="tunnel create success" width="624" height="32" class="aligncenter size-full wp-image-523" srcset="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-success.png 624w, https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-create-success-300x15.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></a></p>
<p>Now, it is time to configure our tunnel!  Go to the Tunnel Details page of your tunnel, and start entering information.  Give your tunnel a description, which can be anything you want.  Then, assign a Routed /48, so we can have a larger block of addresses to play with.  Finally, set up your rDNS delegations, by entering your DNS servers in the provided spaces.  When you are all done, it should look something like this:<br />
<a href="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-details.png"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2012/02/tunnel-details.png" alt="ipv6 tunnel details" title="tunnel details" width="655" height="604" class="aligncenter size-full wp-image-525" /></a></p>
<p>Next, it is time to configure the IPv6 tunnel on our server!  One more firewall note first: the tunnel traffic itself arrives as IPv4 packets carrying IP protocol number 41 (the same Protocol 41 mentioned in the NAT note above) from the Server IPv4 Address shown on your Tunnel Details page, so make sure your iptables rules accept protocol 41 from that address, or the tunnel will come up but carry nothing.  Now create the <tt>/etc/sysconfig/network-scripts/ifcfg-sit1</tt> file and put the following in it:</p>
<pre># Hurricane Electric V6V4 ipv6 tunnel
ipv4a=209.51.xxx.xxx          # Server IPv4 Address from configuration above
ipv4b=66.228.xxx.xxx          # Client IPv4 Address from configuration above
ipv6a=2001:db8:xxxx:xxxx::1   # Server IPv6 Address from configuration above
ipv6b=2001:db8:xxxx:xxxx::2   # Client IPv6 Address from configuration above

NAME="Hurricane Electric SIT"
DEVICE=sit1
ONBOOT=yes
USERCTL=no                    # only root should bring the tunnel up or down
BOOTPROTO=none
PEERDNS=no

IPV6INIT=yes
IPV6_AUTOTUNNEL=yes
IPV6ADDR="$ipv6b/64"
IPV6_ROUTER=yes
IPV6_AUTOCONF=no

IPV6_CONTROL_RADVD=yes
IPV6TUNNELIPV4=$ipv4a
IPV6TUNNELIPV4LOCAL=$ipv4b

PHYSDEV=eth0
TYPE=sit
DEVICETYPE=sit
NM_CONTROLLED=no

# IPv6 must also be enabled globally; this setting normally lives in /etc/sysconfig/network
NETWORKING_IPV6=yes
IPV6_DEFAULTGW=$ipv6a
IPV6_DEFAULTDEV=sit1</pre>
<p>Don&#8217;t forget to change the IP addresses at the top of the file to match yours!</p>
<p>Now, all that is left is to assign some IPv6 addresses to our interfaces!  In your <tt>/etc/sysconfig/network-scripts/ifcfg-eth0</tt> file, add a few lines like the following.  Use addresses from the Routed /64 or Routed /48 that Hurricane Electric allocated to you, not the tunnel endpoint addresses, which belong on <tt>sit1</tt>:</p>
<pre>#HE.net ipv6 tunnel config (addresses taken from the routed prefix)
IPV6INIT=yes
IPV6ADDR=2001:db8:xxxx:xxxx::1/64
IPV6ADDR_SECONDARIES="2001:db8:xxxx:xxxx::1/64 2001:db8:xxxx:xxxx::1/64"</pre>
<p>Make sure you change the IPv6 addresses to match what you have been given by Hurricane Electric!</p>
<p>After restarting your network (with <tt>service network restart</tt>), you should be up and running!  You can browse to an IPv6 website or try to ping an IPv6 address, to see if your IPv6 setup is working.</p>
<p>Next, you can configure your forward and reverse DNS zones with the necessary records to show off your shiny new IPv6 addresses!</p>
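<p>As an added example (not part of the post), the Python below takes the values from the Tunnel Details page (server and client IPv4 endpoints, server IPv6 address and Routed /48) and derives the rest: the client side of the tunnel, /64 subnets carved from the routed prefix for your LAN interfaces, the <tt>ifcfg-sit1</tt> fragment from above, and the IPv4 firewall rules the tunnel needs (ICMP echo from the ping source used above, and IP protocol 41 from the tunnel server).  It also refuses an RFC 1918 client address, since a plain 6in4 tunnel does not work from behind NAT.  All addresses in it are documentation prefixes standing in for your own, and the firewall rules are this example&#8217;s, not something Hurricane Electric publishes.</p>

```python
"""Derive the 6in4 tunnel settings from the Tunnel Details values.

Added example, not part of the post: from the server/client IPv4 endpoints,
the server IPv6 address and the Routed /48 it derives the client tunnel
address, carves /64 subnets from the routed prefix, renders the ifcfg-sit1
fragment shown above and lists the IPv4 firewall rules the tunnel needs.
All addresses are documentation prefixes (RFC 5737, RFC 3849).
"""
import ipaddress
from itertools import islice
from typing import Any, Dict

HE_PING_SOURCE = "66.220.2.74"   # address the post allows ICMP echo from

# RFC 1918 space: a client here is behind NAT, where plain 6in4 does not work
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IFCFG_SIT1 = """\
# Hurricane Electric V6V4 ipv6 tunnel
NAME="Hurricane Electric SIT"
DEVICE=sit1
ONBOOT=yes
USERCTL=no
BOOTPROTO=none
PEERDNS=no
IPV6INIT=yes
IPV6_AUTOTUNNEL=yes
IPV6ADDR="{client_v6}"
IPV6_ROUTER=yes
IPV6_AUTOCONF=no
IPV6_CONTROL_RADVD=yes
IPV6TUNNELIPV4={server_v4}
IPV6TUNNELIPV4LOCAL={client_v4}
PHYSDEV=eth0
TYPE=sit
DEVICETYPE=sit
NM_CONTROLLED=no
IPV6_DEFAULTGW={server_v6}
IPV6_DEFAULTDEV=sit1
"""


def is_nat_address(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. a host that is behind NAT."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in _RFC1918)


def plan_tunnel(server_v4: str, client_v4: str, server_v6: str,
                routed_48: str, lan_subnets: int = 2) -> Dict[str, Any]:
    """Validate the HE values; return derived addresses, ifcfg text and firewall rules."""
    srv4 = ipaddress.ip_address(server_v4)
    cli4 = ipaddress.ip_address(client_v4)
    if srv4.version != 4 or cli4.version != 4:
        raise ValueError("tunnel endpoints must be IPv4 addresses")
    if is_nat_address(client_v4):
        raise ValueError(f"{cli4} is RFC 1918: use your public address, "
                         "or forward protocol 41 to this host")

    srv6 = ipaddress.ip_interface(server_v6)                     # e.g. 2001:db8:1:2::1/64
    tunnel_net = srv6.network
    cli6 = ipaddress.ip_interface(f"{srv6.ip + 1}/{tunnel_net.prefixlen}")  # HE: ::1 server, ::2 client
    if srv6.version != 6 or cli6.ip not in tunnel_net:
        raise ValueError("server IPv6 address must be a v6 address inside the tunnel /64")

    routed = ipaddress.ip_network(routed_48, strict=True)
    if routed.version != 6 or routed.overlaps(tunnel_net):
        raise ValueError("routed prefix must be IPv6 and distinct from the tunnel /64")
    # first usable address in each of the first lan_subnets /64s, for the LAN interfaces
    lan = [f"{net.network_address + 1}/{net.prefixlen}"
           for net in islice(routed.subnets(new_prefix=64), lan_subnets)]

    rules = [
        # HE pings the endpoint before it allocates the tunnel: echo request only
        f"-A INPUT -p icmp -m icmp --icmp-type 8 -s {HE_PING_SOURCE}/32 -j ACCEPT",
        # the tunnel itself: IPv6 carried inside IPv4, IP protocol 41, from the server only
        f"-A INPUT -p 41 -s {srv4}/32 -j ACCEPT",
    ]
    ifcfg = IFCFG_SIT1.format(client_v6=cli6, server_v4=srv4, client_v4=cli4, server_v6=srv6.ip)
    return {"client_v6": str(cli6), "lan": lan, "rules": rules, "ifcfg": ifcfg}


if __name__ == "__main__":
    plan = plan_tunnel("192.0.2.1", "198.51.100.7", "2001:db8:1:2::1/64", "2001:db8:10::/48")
    print(plan["client_v6"], plan["lan"])
    print("\n".join(plan["rules"]))
    print(plan["ifcfg"])
```

<p>The rendered <tt>ifcfg-sit1</tt> uses literal addresses instead of the shell variables in the version above, and the protocol 41 rule is deliberately restricted to the tunnel server&#8217;s address so that nobody else can inject encapsulated IPv6 at your host.</p>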
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Installing PS3 Media Server on CentOS 6</title>
		<link>https://sophiedogg.com/installing-ps3-media-server-on-centos-6/</link>
					<comments>https://sophiedogg.com/installing-ps3-media-server-on-centos-6/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Fri, 27 Jan 2012 20:46:02 +0000</pubDate>
				<category><![CDATA[Info]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[upnp]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=289</guid>

					<description><![CDATA[So after recently rebuilding one of the servers in my dogghouse, I realized that I hadn&#8217;t installed a uPNP/DLNA AV media server. Previously I had been using Fuppes, but the lack of active development and some other quirks made me re-think what I wanted to use. So, after comparing available packages, I decided to give [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>So after recently rebuilding one of the servers in my dogghouse, I realized that I hadn&#8217;t installed a uPNP/DLNA AV media server.  Previously I had been using Fuppes, but the lack of active development and some other quirks made me re-think what I wanted to use.  So, after comparing available packages, I decided to give the PS3 media server a try.  I specifically wanted something that could run without a GUI on a headless machine as a service/daemon if necessary, that would support an XBox 360 and various Android devices.  <span id="more-289"></span></p>
<p>Installation was fairly easy, however the documentation to make it work how I wanted on an RPM based distro was conflicting, spread across multiple sites, and somewhat lacking&#8230;</p>
<p>First, we need to add the rpmforge repo, in order to install the prerequisites with yum.  Instructions for installing RPMForge can be found at the <a href="http://wiki.centos.org/AdditionalResources/Repositories/RPMForge" title="CentOS RPMForge Howto" target="_blank" rel="noopener">CentOS RPMForge Howto</a>, but it basically consists of the following.  Note that both the signing key and the release package are fetched over plain HTTP here, so verify the key&#8217;s fingerprint through an independent channel before importing it; the signature check on later packages is only as good as the key you chose to trust:</p>
<pre>rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm</pre>
<p>Next, we need to install some prerequisite packages:</p>
<pre>yum install gcc mplayer ffmpeg mencoder java-1.7.0-openjdk ImageMagick</pre>
<p>If you wish to stream web content, you will also want to install vlc:</p>
<pre>yum install vlc</pre>
<p>If you are having problems installing vlc, because of version conflicts with libupnp, add the line <tt>exclude=libupnp</tt> to your <tt>/etc/yum.repos.d/epel.repo</tt>, in the main <tt>[epel]</tt> section</p>
<p>We will also want to install libzen and libmediainfo for some additional features.  You can skip this step if you like, but not all the features will work!</p>
<p>You can get RPM packages for libzen and libmediainfo from the <a href="http://mediainfo.sourceforge.net/en/Download" title="MediaInfo Download" target="_blank" rel="noopener">MediaInfo Download Page</a>, just select the appropriate distro and architecture, download the package, then install like this:</p>
<pre>wget http://mediaarea.net/download/binary/libzen0/0.4.29/libzen0-0.4.29-1.x86_64.CentOS_6.rpm
rpm -Uvh libzen0-0.4.29-1.x86_64.CentOS_6.rpm
wget http://mediaarea.net/download/binary/libmediainfo0/0.7.64/libmediainfo0-0.7.64-1.x86_64.CentOS_6.rpm
rpm -Uvh libmediainfo0-0.7.64-1.x86_64.CentOS_6.rpm</pre>
<p>Finally, we are ready to install ps3mediaserver!  Go grab the latest ps3mediaserver package from the <a href="https://code.google.com/p/ps3mediaserver/wiki/Download" title="ps3mediaserver Download Page" target="_blank" rel="noopener">ps3mediaserver download page</a>, and extract it somewhere.  I like to put it in my <tt>/usr/local/share</tt> directory so that I can run it as a service in the background or as a non-privileged user.</p>
<p>Next, we will follow Geoff Hodder&#8217;s advice and create a symlink from /usr/local/share/pms to the current version of pms, which we can change in the future when upgrading, making the upgrade process easier!</p>
<pre>ln -s /usr/local/share/pms-1.90.0 /usr/local/share/pms</pre>
<p>Double check the ownership here on the pms-1.90.0 folder.  I have mine owned as root:root.  The default permissions should be correct if you will run it as root; note that the <tt>drwx------</tt> mode shown below lets only root read the tree, so if you plan to run the server as a non-privileged user, that user needs read and execute access to it.  Below are what my folder permissions look like.</p>
<pre>lrwxrwxrwx   1 root root   27 Nov 19 21:07 pms -> /usr/local/share/pms-1.90.0
drwx------   5 root root 4.0K Jan 29 07:48 pms-1.90.0</pre>
<p>Now go to the directory you just created with the <tt>ln</tt> command above, (<tt>/usr/local/share/pms/</tt> in my case), and edit the file PMS.conf, changing the following settings:</p>
<pre>minimized = true
network_interface = br0
folders = /data/movies,/data/music,/data/pics</pre>
<p>Optionally, edit the following settings to enable chapters on .mkv files, and disable forced subtitles:</p>
<pre>chapter_support = true
mencoder_disablesubs = true</pre>
<p>If you are upgrading from a previous version of ps3mediaserver, don&#8217;t just copy your old config file.  Variable names are often changed, new variables are added, and old ones may be removed.  Double check your settings and apply them to the new file!</p>
<p>Obviously you will want to change the folders and network_interface settings to match your setup.  The defaults for the rest of the settings should be fine, but take a look through the other settings if you wish.</p>
<p>One additional change was made to the <tt>/usr/local/share/pms/renderers/XBOX360.conf</tt> file to allow avi streaming to the XBox 360.  Find the <tt>StreamExtensions=</tt> line and add avi to the end, so it will look like this:</p>
<pre>StreamExtensions=wma,asf,avi</pre>
<p>Phew&#8230;  We&#8217;re almost there!</p>
<p>One of the things I specifically wanted was to be able to run this as a service on boot.  I also wanted to specify my config file, instead of having it use one from my home folder.  In order to do this we are going to edit the <tt>/usr/local/share/pms/PMS.sh</tt> file.  Comment out the <tt>DIRNAME=`dirname $CMD`</tt> line and add a line like <tt>DIRNAME="/usr/local/share/pms/"</tt> right below it.  Here is what the first few lines of my <tt>PMS.sh</tt> file look like:</p>
<pre>#!/bin/sh

CMD=`readlink -f $0`
#DIRNAME=`dirname $CMD`
DIRNAME="/usr/local/share/pms/"</pre>
<p>One more thing that I wanted was the ability to simply run a command from anywhere, as any user, and start the service.  I just created a symbolic link in the <tt>/usr/local/bin</tt> to the PMS.sh script like so:</p>
<pre>ln -s /usr/local/share/pms/PMS.sh /usr/local/bin/pms</pre>
<p>We must now allow TCP traffic on port 5001 and UDP traffic on port 1900 through our firewall, along with multicast IGMP traffic, to actually let this thing work!  Open the appropriate ports with some lines like this in your <tt>/etc/sysconfig/iptables</tt> file:</p>
<pre>-A INPUT -s 10.0.0.0/24 -i br0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i br0 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i br0 -p igmp -j ACCEPT</pre>
<p>You will also need to set the default multicast address route.  This can be set in the <tt>/etc/sysconfig/network-scripts/route-br0</tt> file, looking like this:</p>
<pre># /etc/sysconfig/network-scripts/route-br0
224.0.0.0/4 dev br0</pre>
<p>Make sure to change the source address mask to match your local network addresses, and the interface to match your local network interface.  <del datetime="2012-12-26T16:37:56+00:00">If you have IPv6 running, you should also open those same ports in your <tt>/etc/sysconfig/ip6tables</tt> firewall:</p>
<pre>-A INPUT -p tcp -m tcp -s 2001:1234:5678:abcd::/64 -i br0 -j ACCEPT --dport 5001
-A INPUT -p udp -m udp -s 2001:1234:5678:abcd::/64 -i br0 -j ACCEPT --dport 1900</pre>
<p></del></p>
<p><del datetime="2012-12-26T16:37:56+00:00">PLEASE NOTE!!!  If you have IPv6 running, you will want to remove the <tt>-Djava.net.preferIPv4Stack=true</tt> parameter from the last line of the <tt>PMS.sh</tt> file.</del>  More details below&#8230;</p>
<p>Again, make sure that your source address mask and interface match your network configuration, and don&#8217;t forget to restart your firewalls to apply the new rules!</p>
<p>Now, before we go any further, we can attempt to run the server and make sure that everything is actually working correctly.  Just type <tt>pms</tt> from a command prompt and watch it go!</p>
<p>If everything is working correctly, you will either have the GUI window pop up, or get a message like this:</p>
<pre>GUI environment not available
Switching to console mode</pre>
<p>or you may get a bunch of debug messages fly by.  If there are any errors, double check everything before moving on.</p>
<p>If you are in console mode, press Ctrl-C to stop the ps3mediaserver.</p>
<p>Finally, the last thing I want to do is set this thing to run as a service/daemon in the background and start on boot.  In order to do this we need a startup script!</p>
<p>Create the <tt>/etc/init.d/ps3mediaserver</tt> file and put the following in it.  Note that, as written, this starts the server as root; the <tt>daemon</tt> function from <tt>/etc/init.d/functions</tt> takes a <tt>--user</tt> option if you would rather run it under a dedicated unprivileged account, which then needs read access to the pms tree and write access to the log file:</p>
<pre>#!/bin/sh
#
# chkconfig: - 91 50
# description: Starts and stops the ps3mediaserver
# version: 0.8
# pidfile: /usr/local/share/pms/ps3mediaserver.pid
# config:  /usr/local/share/pms/PMS.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 1
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 1

PROG_NAME='ps3mediaserver'
PROG_ROOT='/usr/local/share/pms'
PROG_JAR='pms.jar'
PROG_EXEC='PMS.sh'

RETVAL=0

start() {
        KIND="$PROG_NAME"
        echo -n $"Starting $KIND services: "
        cd $PROG_ROOT
        daemon $PROG_ROOT/$PROG_EXEC
        RETVAL=$?
        echo
        if [ $RETVAL -eq 0 ] ; then
          # Record the PID of the running java process so stop/status can find it
          ps axo pid,args | grep "$PROG_JAR" | grep -v grep | awk '{print $1}' > "$PROG_ROOT/$PROG_NAME.pid"
        else
          RETVAL=1
        fi
        return $RETVAL
}

stop() {
        KIND="$PROG_NAME"
        echo -n $"Shutting down $KIND services: "
        killproc -p $PROG_ROOT/$PROG_NAME.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $PROG_ROOT/$PROG_NAME.pid
        return $RETVAL
}

restart() {
        stop
        start
}

rhstatus() {
        status -p $PROG_ROOT/$PROG_NAME.pid $PROG_NAME
        return $?
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  status)
        rhstatus
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|status}"
        exit 2
esac
exit $?</pre>
<p>One of the last things we need to do is make a small change to the last line of our PMS.sh script, to allow it to run in the background, and log to a file.  The last line should look like this <del datetime="2012-12-26T16:37:56+00:00">(note the difference between IPv4 and IPv6 networks!)</del>:</p>
<p>IPv4:</p>
<pre>exec "$JAVA" $JAVA_OPTS -Xmx768M -Xss1024k -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djna.nosys=true -classpath "$PMS_JARS" net.pms.PMS "$@" >> /var/log/ps3mediaserver.log 2>> /var/log/ps3mediaserver.log &</pre>
<del datetime="2012-12-26T16:37:56+00:00"><p>IPv6:</p>
<pre>exec "$JAVA" $JAVA_OPTS -Xmx768M -Xss1024k -Dfile.encoding=UTF-8 -Djna.nosys=true -classpath "$PMS_JARS" net.pms.PMS "$@" >> /var/log/ps3mediaserver.log 2>> /var/log/ps3mediaserver.log &</pre></del>
<p>I have not been able to get the IPv6 configuration for PS3 Media Server to work reliably on all my devices&#8230;  If you have any suggestions please let me know!</p>
<p>Finally, install the startup script and set it to run on boot!</p>
<pre>cd /etc/init.d
chmod +x ps3mediaserver
chkconfig --add ps3mediaserver
chkconfig --level 345 ps3mediaserver on</pre>
<p>Now, we can start the ps3mediaserver and be done!</p>
<pre>service ps3mediaserver start
Starting ps3mediaserver services:                          [  OK  ]</pre>
<p>Now that we are done, go ahead and get yourself a dogg treat!</p>
<p>Thanks to Geoff Hodder for some good tips left in the comments below.  Go check out his page at <a href="http://phreek.org/" title="http://phreek.org/">PHReeK.oRG</a></p>
<p>Also, thanks to the following webpages for giving me some of the information necessary to get this thing working:<br />
<a href="http://www.ps3mediaserver.org/forum/viewtopic.php?f=3&#038;t=4374" title="http://www.ps3mediaserver.org/forum/viewtopic.php?f=3&#038;t=4374" target="_blank" rel="noopener">http://www.ps3mediaserver.org/forum/viewtopic.php?f=3&#038;t=4374</a><br />
<a href="https://help.ubuntu.com/community/Ps3MediaServer" title="https://help.ubuntu.com/community/Ps3MediaServer" target="_blank" rel="noopener">https://help.ubuntu.com/community/Ps3MediaServer</a><br />
<a href="http://otmanix.de/english/2009/05/17/java-ps3-media-server-for-dummies-chapter-3-installation-and-basic-configuration/" title="http://otmanix.de/english/2009/05/17/java-ps3-media-server-for-dummies-chapter-3-installation-and-basic-configuration/" target="_blank" rel="noopener">http://otmanix.de/english/2009/05/17/java-ps3-media-server-for-dummies-chapter-3-installation-and-basic-configuration/</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/installing-ps3-media-server-on-centos-6/feed/</wfw:commentRss>
			<slash:comments>39</slash:comments>
		
		
			</item>
		<item>
		<title>Radvd and DHCPd6 Server Configuration for Dynamic DNS</title>
		<link>https://sophiedogg.com/radvd-and-dhcpd6-server-configuration-for-dynamic-dns/</link>
					<comments>https://sophiedogg.com/radvd-and-dhcpd6-server-configuration-for-dynamic-dns/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Sat, 14 Jan 2012 16:59:08 +0000</pubDate>
				<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[DHCP]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Server]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=264</guid>

					<description><![CDATA[I&#8217;ve been using radvd for a while now to hand out IPv6 addresses to all the different devices in my Dogghouse, and I thought that it would be nice to have a working dynamic DNS setup for IPv6, in the same way as I have DDNS for IPv4. First, we need to configure radvd to [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>I&#8217;ve been using radvd for a while now to hand out IPv6 addresses to all the different devices in my Dogghouse, and I thought that it would be nice to have a working dynamic DNS setup for IPv6, in the same way as I have DDNS for IPv4.  <span id="more-264"></span></p>
<p>First, we need to configure radvd to advertise the IPv6 routing on our network, so let&#8217;s take a look at our radvd configuration.</p>
<pre># RADVD with DHCPd6 configuration
# /etc/radvd.conf
interface br0 {
        AdvManagedFlag on;
        AdvSendAdvert on;
        AdvAutonomous off;
        AdvOtherConfigFlag on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 60;
};</pre>
<p>This is a very basic radvd setup, which will just advertise the routing gateway to the network, and nothing more.  If we are going to use DHCPd6 to hand out addresses, then this is exactly what we want for our radvd configuration.  Make sure to change the interface name in the example to the interface name you will be handing out IPv6 addresses on; I have multiple interfaces bridged for my internal network and use interface br0.</p>
<p>If you want to use radvd to hand out addresses, then just use the following example instead.</p>
<pre># RADVD with no DHCPd6 configuration
# /etc/radvd.conf
interface br0 {
        AdvManagedFlag on;
        AdvSendAdvert on;
        AdvAutonomous on;
        AdvLinkMTU 1480;
        AdvOtherConfigFlag on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 60;
        prefix 2001:0db8:edfa:1234::/64 {
                AdvOnLink on;
                AdvRouterAddr on;
        };
};</pre>
<p>Again, make sure to change the interface to your interface name, and change the IPv6 network prefix to your addresses.</p>
<p>Now, to use DHCPd for IPv6, we need a separate configuration and service/daemon to handle the IPv6 addresses, since DHCPd can&#8217;t give out both IPv4 and IPv6 addresses at the same time.  If you already have a working IPv4 DHCPd setup, you can use a lot of the same configuration values in your DHCPd6 setup.  Below is a basic configuration for DHCPd6.</p>
<pre># /etc/dhcp/dhcpd6.conf

ddns-update-style interim;
ddns-updates on;
ddns-domainname "your.domain.com";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
update-conflict-detection false;
update-optimization false;
authoritative;
option domain-name-servers dns.your.domain.com;
default-lease-time 86400;
preferred-lifetime 80000;
allow leasequery;
option dhcp6.name-servers 2001:0db8:edfa:1234::1;
option dhcp6.domain-search "your.domain.com","domain.com";
include "/etc/rndc.key";
option dhcp6.preference 255;

zone a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa. {
        primary 10.0.0.1;
        key rndckey;
}
zone your.domain.com {
        primary 10.0.0.1;
        key rndckey;
}

subnet6 2001:0db8:edfa:1234::/64 {
        # Range for clients
        range6 2001:0db8:edfa:1234:5678::aaaa 2001:0db8:edfa:1234:5678::ffff;
        # Example of a fixed host address
        host client.your.domain.com {
               host-identifier option dhcp6.client-id 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd;
               fixed-address6 2001:0db8:edfa:1234:5678::1;
        }
}</pre>
<p>This configuration will also give out a fixed address to one of our clients, to ensure that it always gets the same IPv6 address from our server.  Make sure that you replace the IPv6 addresses, domain names, zone, host, and subnet settings with the correct info for your network.</p>
<p>Notice the line <tt>include "/etc/rndc.key";</tt>.  This is where I keep the key that the DHCP and DNS servers use to allow updates, so we don&#8217;t have unknown unauthorized outside sources modifying our DNS records!  Below is what my rndc.key file looks like.</p>
<pre># /etc/rndc.key

key "rndckey" {
        algorithm hmac-md5;
        secret "super-secret-key 31337";
};</pre>
<p>Finally, we need to make sure that our DNS server is configured to accept updates for our zones.</p>
<p>In our <tt>named.conf</tt> file, we need our rndc key, controls, and zone info.</p>
<pre>key rndckey {
        algorithm hmac-md5;
        secret "super-secret-key 31337";
};
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndckey; };
        inet ::1 port 953 allow { ::1; } keys { rndckey; };
};

zone "your.domain.com" {
        type master;
        file "/var/named/your.domain.com.hosts";
        notify yes;
        allow-update {
                key rndckey;
        };
};
zone "a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa" {
        type master;
        file "/var/named/2001:0db8:edfa::_48.rev";
        allow-update {
                key rndckey;
        };
};</pre>
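<p>As an added example that is not part of the post, here is a small Python script that derives the ip6.arpa zone names used in the dhcpd6.conf and named.conf above from an IPv6 prefix, builds the PTR owner name a DDNS update would create for one host, and checks that a subnet6 block's range6 and fixed-address6 entries are consistent with each other and with the reverse zone declared for updates.  The addresses and zone in it are the ones from the configuration above; the function names are my own.</p>

```python
"""Derive the ip6.arpa names used in dhcpd6.conf/named.conf and sanity-check a subnet6 block."""
from __future__ import annotations
import ipaddress


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone for a nibble-aligned prefix: 2001:0db8:edfa::/48 -> a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa"""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are cut on nibble boundaries (prefix length must be a multiple of 4)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(address: str) -> str:
    """Owner name of the PTR record a DDNS update creates for one host (all 32 nibbles, reversed)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def check_subnet6(subnet: str, range_start: str, range_end: str, fixed: list[str], rev_zone: str) -> list[str]:
    """Return the problems found in a subnet6 block; an empty list means it is consistent."""
    problems = []
    net = ipaddress.IPv6Network(subnet)
    lo, hi = ipaddress.IPv6Address(range_start), ipaddress.IPv6Address(range_end)
    if lo > hi:
        problems.append("range6 start is after its end")
    if lo not in net or hi not in net:
        problems.append("range6 lies outside subnet6")
    for host in fixed:
        addr = ipaddress.IPv6Address(host)
        if addr not in net:
            problems.append(f"fixed-address6 {host} is outside subnet6")
        elif lo <= addr <= hi:
            # A fixed address inside the dynamic pool can also be handed to another client
            problems.append(f"fixed-address6 {host} should not lie inside range6")
    # PTR updates go to the zone declared in dhcpd6.conf, so it must cover the whole subnet
    if not ptr_name(str(net.network_address)).endswith("." + rev_zone):
        problems.append(f"zone {rev_zone} does not cover {subnet}")
    return problems


if __name__ == "__main__":
    # Values taken from the dhcpd6.conf above
    print(reverse_zone("2001:0db8:edfa::/48"))
    print(ptr_name("2001:0db8:edfa:1234:5678::1"))
    print(check_subnet6("2001:0db8:edfa:1234::/64", "2001:0db8:edfa:1234:5678::aaaa",
                        "2001:0db8:edfa:1234:5678::ffff", ["2001:0db8:edfa:1234:5678::1"],
                        reverse_zone("2001:0db8:edfa::/48")))
```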
<p>Finally, make sure that you have the correct firewall rules in place to accept DHCPd6 requests!  You&#8217;re going to need to accept ipv6-icmp traffic, and both TCP and UDP traffic on ports 546 and 547 from the link-local address range fe80::/16 to the all-dhcp-agents link-local multicast group ff02::1:2.  Here are some basic ip6tables rule examples for DNS and DHCP via IPv6:</p>
<pre>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -s fe80::/16 -d ff02::1:2 -i br0 -j ACCEPT --dports 546,547
-A INPUT -p udp -m udp -m multiport -s fe80::/16 -d ff02::1:2 -i br0 -j ACCEPT --dports 546,547</pre>
<p>Now, this is a pretty basic setup, but should get you rolling with a working DHCPd6 DDNS setup!</p>
<p>One thing to note, I have found that Android devices (a 2.3 phone and a 3.2 tablet) don&#8217;t like to get IPv6 addresses from our DHCPd6 server; however everything else on the network (including other wifi devices) will correctly get addresses from the DHCPd6 server.  Android devices will however get stateless autoconfiguration addresses from a radvd standalone setup.  Perhaps this is a misconfiguration on my part, or an incompatibility in the Android OS; if you have any idea please let me know!  Arf!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/radvd-and-dhcpd6-server-configuration-for-dynamic-dns/feed/</wfw:commentRss>
			<slash:comments>6</slash:comments>
		
		
			</item>
		<item>
		<title>A Better Linux Firewall</title>
		<link>https://sophiedogg.com/a-better-linux-firewall/</link>
					<comments>https://sophiedogg.com/a-better-linux-firewall/#comments</comments>
		
		<dc:creator><![CDATA[SophieDogg]]></dc:creator>
		<pubDate>Wed, 01 Jun 2011 19:49:03 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[IPTables]]></category>
		<guid isPermaLink="false">http://sophiedogg.com/?p=96</guid>

					<description><![CDATA[Since we recently learned about basic Linux firewalls, I figured that it would be good to cover some more advanced firewall topics. There are a lot of settings that we can use to allow or deny specific traffic from specific hosts. So, let&#8217;s jump right in and take a look! Credit to bit-tech.net for the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Since we recently learned about basic Linux firewalls, I figured that it would be good to cover some more advanced firewall topics.  There are a lot of settings that we can use to allow or deny specific traffic from specific hosts.  So, let&#8217;s jump right in and take a look! <span id="more-96"></span></p>
<p><a href="https://sophiedogg.com/wp-content/uploads/2011/06/iptables1.gif"><img loading="lazy" decoding="async" src="https://sophiedogg.com/wp-content/uploads/2011/06/iptables1.gif" alt="" title="iptables" width="543" height="760" class="aligncenter size-full wp-image-103" srcset="https://sophiedogg.com/wp-content/uploads/2011/06/iptables1.gif 543w, https://sophiedogg.com/wp-content/uploads/2011/06/iptables1-214x300.gif 214w" sizes="(max-width: 543px) 100vw, 543px" /></a><center>Credit to <a href="http://www.bit-tech.net">bit-tech.net</a> for the image.</center></p>
<p>If you take a look at the image above, you can see how data flows through a typical Linux firewall.  Since we are currently only concerned with traffic destined for our Linux box, all data flows through the &#8220;Yes&#8221; side of the &#8220;Data for the firewall?&#8221; question.  In the future we will look at the other side when we configure a Linux router.</p>
<p>Let&#8217;s start with a description of what we are doing, and then I&#8217;ll show what it looks like.  Within IPTables there are different tables and chains, which are referenced in the picture above.  We want to look primarily at the Input chain in the Filter table.  The first thing we are going to do is create a new chain at the top of our input chain, which will accept all predetermined traffic that we know will always be safe.  This is data such as related or established traffic, traffic on the local loopback interface, and if you are running a DHCP server on your Linux machine, you would also want to accept UDP traffic on port 67.  DHCP requests come from source address 0.0.0.0, which we will be blocking later, so we need to accept it now!</p>
<p>After we accept this traffic, we want to block all traffic that we know is bad.  This is traffic from non-existent networks (<a href="http://www.team-cymru.org/Services/Bogons">bogons</a>), traffic with <a href="http://pikt.org/pikt/samples/iptables_tcp_flags_programs.cfg.html">bad TCP flags</a>, and anything else you specifically want to keep out.  We will create two chains for this; one to list the traffic to be blocked, and another to block and optionally log the traffic.  If you don&#8217;t wish to log the traffic, you can simply stick with one chain that will only block the undesired traffic.</p>
<p>Finally we can create another chain to accept traffic that we want to let in.  This can be access to a SSH server, DNS server, web server, or anything else you want!  After all of these chains, we can also optionally log any traffic that made it this far, before dropping it into oblivion.</p>
<p>Here is what the INPUT table looks like:</p>
<pre>-A INPUT -j Firewall-1-INPUT
-A INPUT -j Firewall-1-DROP
-A INPUT -j Firewall-2-INPUT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "[INPUT] "</pre>
<p>Here the data comes in to the Firewall-1-INPUT chain first.  If it is not accepted (or blocked) by this chain, it then moves on to the Firewall-1-DROP chain.  If the data makes it past that chain it goes on to the Firewall-2-INPUT chain, and finally if it makes it the whole way through without getting accepted or blocked, it will be logged before performing the default policy, which in our case is to drop the traffic so it can&#8217;t come in.</p>
<p>The Firewall-1-INPUT chain looks like this:</p>
<pre>-A Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Firewall-1-INPUT -i lo -j ACCEPT
-A Firewall-1-INPUT -p udp -m udp --dport 67 -j ACCEPT</pre>
<p>The first line accepts any related or established traffic.  The second line accepts any traffic on the local loopback interface, and the third line accepts DHCP address request traffic on UDP port 67.  If you are not running a DHCP server, then you won&#8217;t need that last line.</p>
<p>Next we move on to the Firewall-1-DROP chain, which drops any specifically unwanted traffic.</p>
<pre>-A Firewall-1-DROP -f -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp ! --syn -m state --state NEW -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags PSH,ACK PSH -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags ACK,URG URG -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j Firewall-2-DROP
-A Firewall-1-DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j Firewall-2-DROP</pre>
<pre>-A Firewall-1-DROP -s 0.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -d 0.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -s 10.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -d 10.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -s 127.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -d 127.0.0.0/8 -j Firewall-2-DROP
-A Firewall-1-DROP -s 169.254.0.0/16 -j Firewall-2-DROP
-A Firewall-1-DROP -d 169.254.0.0/16 -j Firewall-2-DROP
-A Firewall-1-DROP -s 172.16.0.0/12 -j Firewall-2-DROP
-A Firewall-1-DROP -d 172.16.0.0/12 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.0.0.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.0.0.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.0.2.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.0.2.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.1.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.1.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.2.0/23 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.2.0/23 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.4.0/22 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.4.0/22 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.8.0/21 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.8.0/21 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.16.0/20 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.16.0/20 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.32.0/19 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.32.0/19 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.64.0/18 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.64.0/18 -j Firewall-2-DROP
-A Firewall-1-DROP -s 192.168.128.0/17 -j Firewall-2-DROP
-A Firewall-1-DROP -d 192.168.128.0/17 -j Firewall-2-DROP
-A Firewall-1-DROP -s 198.18.0.0/15 -j Firewall-2-DROP
-A Firewall-1-DROP -d 198.18.0.0/15 -j Firewall-2-DROP
-A Firewall-1-DROP -s 198.51.100.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -d 198.51.100.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -s 203.0.113.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -d 203.0.113.0/24 -j Firewall-2-DROP
-A Firewall-1-DROP -s 224.0.0.0/3 -j Firewall-2-DROP
-A Firewall-1-DROP -d 224.0.0.0/3 -j Firewall-2-DROP</pre>
<p>The first set of lines blocks any incoming packets with fragments, new connections that aren&#8217;t SYN packets, and packets with invalid TCP connection flags.  This will help to prevent syn flood attacks on your machine.  The second set of lines blocks traffic coming from (-s) or going to (-d) addresses in the bogon list, which helps prevent spoof attacks.  It is important to note here that if your machine is on a <a href="http://en.wikipedia.org/wiki/Private_network">private network</a> using non-routable IP addresses, then you must remove the lines from the list above that correspond to your LAN IP addresses.  In the above example, traffic on the 192.168.0.x network is allowed, while all other traffic beginning with 192.168.x.x is blocked.  We will continue using this network in the rest of the examples.</p>
<p>If any traffic is caught by these rules, it is then sent to the Firewall-2-DROP chain, which will log the packet then drop it.  The Firewall-2-DROP chain will limit the amount of logging (to keep from filling our logs), and will also prefix the log so we know where the traffic was blocked.  Below are the lines from the Firewall-2-DROP chain:</p>
<pre>-A Firewall-2-DROP -m limit --limit 1/sec -j LOG --log-prefix "[INFW2] "
-A Firewall-2-DROP -j DROP</pre>
<p>Finally, if the traffic has made it this far and hasn&#8217;t been accepted or dropped yet, we can move on to the accept chain.</p>
<pre>-A Firewall-2-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A Firewall-2-INPUT -p icmp -m icmp -m limit -s 192.168.0.0/24 --icmp-type 8 --limit 1/sec -j ACCEPT
-A Firewall-2-INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,53,80,443
-A Firewall-2-INPUT -p tcp -m tcp -m multiport -s 192.168.0.0/24 -j ACCEPT --dports 5000:5999
-A Firewall-2-INPUT -p udp -m udp -m multiport -s 192.168.0.0/24 -j ACCEPT --dports 69,70,71</pre>
<p>The first line will accept DNS lookup traffic from anyone (UDP port 53).  If you don&#8217;t run a DNS server, you won&#8217;t need this line.  The second line accepts <a href="http://www.iana.org/assignments/icmp-parameters">icmp-type</a> 8 traffic (ping request) from the local LAN.  This means that your machine will respond to ping requests from clients on the LAN, but not from clients on the internet.  The third line accepts TCP traffic on ports 22, 53, 80, and 443 (SSH, DNS, HTTP, and HTTPS respectively); again, if you&#8217;re not running these services then you don&#8217;t need these ports open.  The fourth line accepts TCP traffic on ports 5000-5999 from the local LAN; this is just an example to show how to open a range of ports.  The fifth line shows us accepting UDP traffic on ports 69, 70, and 71, again from the local LAN only.  And finally, the last line of the INPUT chain shown earlier will log any traffic that has made it this far, again limiting the amount of logs written to keep from flooding the log files, and prefixing the log lines so we know where it came from.</p>
<p>We also must have the default rule for our input chain, to determine what happens when traffic makes it all the way to the end of our rule list.  Here is our default input rule, to drop the traffic:</p>
<pre>:INPUT DROP [0:0]</pre>
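<p>As an added example that is not part of the post, the following Python script models the chain order described above (INPUT &#8594; Firewall-1-INPUT &#8594; Firewall-1-DROP &#8594; Firewall-2-INPUT &#8594; default DROP) with the exact addresses, flag combinations and ports from the rules, so you can trace why a DHCP request from 0.0.0.0 has to be accepted before the bogon rules see it, or why a SYN+FIN segment never reaches the accept chain.  Rate limiting (<tt>-m limit</tt>) and real connection tracking are not modelled; the <tt>established</tt> field and the sample packets are constructed, and 203.0.114.5 is simply a made-up non-bogon address.</p>

```python
"""Toy model of the INPUT -> Firewall-1-INPUT -> Firewall-1-DROP -> Firewall-2-INPUT layout (no -m limit or conntrack)."""
from dataclasses import dataclass
import ipaddress

FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
LAN = ipaddress.ip_network("192.168.0.0/24")  # the LAN, deliberately absent from the bogon list
# Networks matched by -s or -d in Firewall-1-DROP
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.2.0/24", "192.168.1.0/24", "192.168.2.0/23", "192.168.4.0/22", "192.168.8.0/21",
    "192.168.16.0/20", "192.168.32.0/19", "192.168.64.0/18", "192.168.128.0/17", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3")]
# --tcp-flags MASK COMP pairs: a segment is dropped when (flags & MASK) == COMP
BAD_FLAGS = [
    ({"FIN", "ACK"}, {"FIN"}), ({"PSH", "ACK"}, {"PSH"}), ({"ACK", "URG"}, {"URG"}),
    ({"FIN", "RST"}, {"FIN", "RST"}), ({"FIN", "SYN"}, {"FIN", "SYN"}), ({"SYN", "RST"}, {"SYN", "RST"}),
    (FLAGS, FLAGS), (FLAGS, set()), (FLAGS, {"FIN", "PSH", "URG"}),
    (FLAGS, {"FIN", "SYN", "PSH", "URG"}), (FLAGS, {"FIN", "SYN", "RST", "ACK", "URG"})]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set
    icmp_type: int = -1
    iface: str = "eth0"
    established: bool = False       # stands in for conntrack RELATED,ESTABLISHED
    fragment: bool = False

def firewall_1_input(p):
    """Always-safe traffic: conntrack hits, loopback, and DHCP (its 0.0.0.0 source would be a bogon later)."""
    if p.established or p.iface == "lo" or (p.proto == "udp" and p.dport == 67):
        return "ACCEPT"
    return None

def firewall_1_drop(p):
    """Fragments, NEW non-SYN segments, impossible flag sets and bogon addresses go to Firewall-2-DROP."""
    pure_syn = "SYN" in p.flags and not ({"ACK", "RST"} & p.flags)  # what iptables --syn matches
    if p.fragment or (p.proto == "tcp" and not p.established and not pure_syn):
        return "DROP [INFW2]"
    if p.proto == "tcp" and any((p.flags & mask) == comp for mask, comp in BAD_FLAGS):
        return "DROP [INFW2]"
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if any(src in net or dst in net for net in BOGONS):
        return "DROP [INFW2]"  # logged with the [INFW2] prefix, then dropped
    return None

def firewall_2_input(p):
    """Services offered: DNS, SSH, HTTP(S) to everyone; ping, 5000-5999 and 69-71 to the LAN only."""
    lan = ipaddress.ip_address(p.src) in LAN
    if p.proto == "udp" and (p.dport == 53 or (lan and p.dport in (69, 70, 71))):
        return "ACCEPT"
    if p.proto == "icmp" and p.icmp_type == 8 and lan:
        return "ACCEPT"
    if p.proto == "tcp" and (p.dport in (22, 53, 80, 443) or (lan and 5000 <= p.dport <= 5999)):
        return "ACCEPT"
    return None

def evaluate(p):
    """Walk the chains in INPUT order; the first verdict wins, else the default policy applies."""
    for chain in (firewall_1_input, firewall_1_drop, firewall_2_input):
        verdict = chain(p)
        if verdict:
            return verdict
    return "DROP [INPUT]"  # logged with the [INPUT] prefix, then :INPUT DROP

if __name__ == "__main__":
    # Constructed sample packets; 203.0.114.5 is a made-up non-bogon "internet" address
    for name, pkt in [("dhcp discover", Packet("0.0.0.0", "255.255.255.255", "udp", dport=67)),
                      ("syn+fin segment", Packet("203.0.114.5", "192.168.0.1", "tcp", 80, frozenset({"SYN", "FIN"}))),
                      ("ping from internet", Packet("203.0.114.5", "192.168.0.1", "icmp", icmp_type=8))]:
        print(f"{name:20s} -> {evaluate(pkt)}")
```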
<p>Hopefully this will help you to create a more advanced Linux firewall to fit your needs.  Sometime in the future I will show you how to use your Linux box as a router, to handle NAT and routing with your firewall.  For now, I&#8217;m going to go take a nap; it&#8217;s hard being a dogg!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://sophiedogg.com/a-better-linux-firewall/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
