Linux box as an IPv6 router with SLAAC and DHCPv6-PD

Some time ago I replaced my Mikrotik router with a Linux box that works as a router for my home network and as a server for some services.
I had to spend some time setting up IPv6 on Linux in such a way that everything worked automatically, without needing to configure anything statically. This post covers only the IPv6 part of the router configuration.
I omit the IPv4 part and the configuration of the network interfaces, because that is well documented on the internet.

My router runs openSUSE Leap 42.2. The configuration is the same for other distros, but the paths of the config files may differ.
eth0 – WAN interface of the router
eth1 – LAN interface of the router
To make the router work, I had to:

  • Change some sysctls to obtain an IPv6 address on the WAN interface of my router by stateless autoconfiguration (SLAAC).
  • I used wide-dhcpv6-client to obtain an IPv6 address pool (DHCPv6-PD), to redistribute addresses from the pool to the devices in my home network.
  • Redistributing the addresses is done by dnsmasq.

First step – sysctls:
Part of my /etc/sysctl.conf, configured to obtain an IPv6 address by stateless autoconfiguration (SLAAC) on the WAN interface – eth0:

After reboot I can see that my WAN interface has a public IPv6 address:

Second step – wide-dhcpv6-client:
Configuration of wide-dhcpv6-client, which obtains the IPv6 address pool (DHCPv6-PD) for the LAN interface (eth1)

Unfortunately, the wide-dhcpv6-client package does not provide a configuration file for systemd. To start wide-dhcpv6-client from systemd I created a wide-dhcpv6.service entry:

Enable it on system startup:

After reboot I can see that my LAN interface (eth1) has been assigned an IPv6 address with a prefix:

Last step – dnsmasq:
Part of the dnsmasq configuration (/etc/dnsmasq.conf) for redistributing IPv6 addresses in the home network. Dnsmasq will also work as a DNS cache:

Enable dnsmasq on system startup:

After reboot, devices in the home network should be able to use the internet over IPv6 🙂

But now the devices in the home network are reachable from outside. Each device has its own public IPv6 address, which is available from outside (the internet).
We have to secure this by allowing only connections that are initiated from our internal network. It can be done with ip6tables.
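
One way to express the policy described above with ip6tables, as an added example and not the author's own rule set: only the FORWARD chain is touched, so SLAAC and DHCPv6-PD on the router itself are unaffected. The `IP6T` dry-run variable and the function names are assumptions of this example; eth0 and eth1 are the interface roles named in the post.

```shell
#!/bin/sh
# Added example (not the author's rule set). Dry run by default: the commands
# are only printed. As root, run with IP6T=ip6tables to apply them.
IP6T=${IP6T:-echo ip6tables}

# valid_if NAME: accept only plausible interface names (1-15 characters from
# a safe set), so a typo cannot turn into a stray ip6tables argument.
valid_if() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# lan_initiated_only WAN_IF LAN_IF: route traffic that the LAN started, plus
# its replies, and drop everything else that crosses the router.
lan_initiated_only() {
    wan=$1 lan=$2
    valid_if "$wan" && valid_if "$lan" && [ "$wan" != "$lan" ] || {
        echo "usage: lan_initiated_only WAN_IF LAN_IF" >&2
        return 2
    }
    $IP6T -P FORWARD DROP      # default: nothing is routed
    $IP6T -F FORWARD           # start from an empty chain
    # Replies to LAN-initiated flows. RELATED also covers the ICMPv6 errors
    # (for example Packet Too Big) that belong to those flows.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New connections may only be opened from the LAN side towards the WAN.
    $IP6T -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
}

# Interface roles as used in the post: eth0 = WAN, eth1 = LAN.
lan_initiated_only eth0 eth1
```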

That’s all; the described configuration has worked flawlessly for me for days 🙂

Securing ssh by iptables rules

I secured my ssh server in a simple way – with iptables rules that block attackers. I set up my iptables so that it allows only one TCP SYN packet to the ssh port per minute from one IP address. With additional configuration of the sshd daemon, the rules allow one login attempt per minute.
iptables rules:

Another example with these iptables rules:

We allow up to three connections per hour. After these three connections per hour are reached, the hashlimit-htable-expire rule starts counting 10 minutes (600000 ms). During this time you cannot connect to ssh again.

/etc/ssh/sshd_config – this is important: with this, sshd closes the ssh connection after an authentication failure, so the attacker has to create a new ssh connection (and TCP connection) to try again. This fact (a new SYN packet) will be noticed by iptables.

You can check the blocked addresses:

These rules greatly limited the strength of attacks on my ssh.

Please test this first while you have another way to access the server!
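
The per-source SYN limit described in this post, written out as an added example rather than the author's own rules, using the second variant's numbers (three per hour, 600000 ms table expiry). The chain name `SSH_LIMIT`, the hashlimit table name `ssh`, the burst of 3 and the `IPT` dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the author's rules). Dry run by default: the commands
# are only printed. As root, run with IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

# is_uint VALUE: true for a positive decimal integer without leading zeros.
is_uint() { case $1 in ''|*[!0-9]*|0*) return 1 ;; esac; }

# ssh_syn_limit RATE BURST EXPIRE_MS [PORT]
# Accept new SSH connections per source address at RATE (N/minute, N/hour...)
# and drop the excess. BURST is mandatory here because hashlimit's default
# burst is 5, which would pass five SYNs before a "1/minute" limit applies.
ssh_syn_limit() {
    rate=$1 burst=$2 expire_ms=$3 port=${4:-22}
    n=${rate%%/*} unit=${rate#*/}
    is_uint "$n" && is_uint "$burst" && is_uint "$expire_ms" &&
        is_uint "$port" || { echo "bad number in arguments" >&2; return 2; }
    case $unit in
        second|minute|hour|day) ;;
        *) echo "bad rate unit: $unit" >&2; return 2 ;;
    esac
    $IPT -N SSH_LIMIT
    # --syn matches only the first packet of a TCP connection, so established
    # sessions are never throttled, only new connection attempts.
    $IPT -A INPUT -p tcp --dport "$port" --syn -j SSH_LIMIT
    # One bucket per source address (srcip); an idle bucket is forgotten
    # after EXPIRE_MS milliseconds.
    $IPT -A SSH_LIMIT -m hashlimit --hashlimit-name ssh \
        --hashlimit-mode srcip --hashlimit-upto "$rate" \
        --hashlimit-burst "$burst" --hashlimit-htable-expire "$expire_ms" \
        -j ACCEPT
    $IPT -A SSH_LIMIT -j DROP
    # Once loaded, per-source state is listed in /proc/net/ipt_hashlimit/ssh.
}

# Second variant from the post: three per hour, 600000 ms table expiry.
ssh_syn_limit 3/hour 3 600000
```

Rule order matters: the jump to `SSH_LIMIT` has to come before any broader INPUT rule that already accepts the ssh port, otherwise the limit is never consulted.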

NanoPi NEO as remote SDR server for RTL2832u

Today I will show how to make a remote SDR radio server for an RTL2832u dongle with a very small and cheap device such as the NanoPi NEO.

The main purpose of this is that I want to place the NanoPi, with the RTL dongle and an antenna attached to it, at a remote location – on a high building 250 meters away from my home. I have a wireless bridge connecting my home with this place.

Notice: The wireless link has to be able to carry about 16Mb/s of TCP traffic from the NanoPi to the PC.

On the NanoPi I installed Armbian Linux. After that I set up the rtl_tcp server:
900001 – this is the lowest sample rate that can be used; I used the lowest because my wireless bridge wasn’t able to pass more traffic.

The next step was to set up and start gqrx on my home computer:
Notice: The input rate must be the same as the one set on the rtl_tcp server. – this is the IP address of my NanoPi.

And now, we can hear everything around us 🙂

Esp8266 – log temperature readings from DS18B20 and wifi signal strength to graphite grafana

Recently I bought an esp8266 (NodeMcu) – it is a low-cost device with a wifi chip that can be programmed with the Arduino IDE or the Lua scripting language.

My first idea for this device is to draw graphs of the temperature readings from a ds18b20 sensor and of the wifi signal strength for each SSID to which the device can connect. For logging I have a Raspberry Pi configured with a graphite server and Grafana. To log something on the graphite server, the esp8266 has to send a UDP packet with a string containing: metric name, metric value, timestamp. Below is an example of such strings:

Charts in Grafana:
And the code doing this looks as follows:

Libraries used in this code: