6to4 tunneling with Shorewall can be used to connect your IPv6 network to another IPv6 network over an IPv4 infrastructure
More information on Linux and IPv6 can be found in the Linux IPv6 HOWTO. Details on how to setup a 6to4 tunnels are described in the section Setup of 6to4 tunnels.
Suppose that we have the following situation:
We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is accomplished through use of the /etc/shorewall/tunnels file and the "ip" utility for network interface and routing configuration.
Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There is no need to declare a zone to represent the remote IPv6 network. This remote network is not visible on IPv4 interfaces and to iptables. All that is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules need to be defined to handle this traffic.
In /etc/shorewall/tunnels on system A, we need the following:
TYPE ZONE GATEWAY GATEWAY ZONE 6to4 net 134.28.54.2
This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6 encapsulation protocol (41) will be accepted to/from the remote gateway.
Use the following commands to setup system A:
>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2
>ip link set dev tun6to4 up
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2
Similarly, in /etc/shorewall/tunnels on system B we have:
TYPE ZONE GATEWAY GATEWAY ZONE 6to4 net 206.191.148.9
And use the following commands to setup system B:
>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9
>ip link set dev tun6to4 up
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1
On both systems, restart Shorewall and issue the configuration commands as listed above. The systems in both IPv6 subnetworks can now talk to each other using IPv6.
Updated 5/18/2003 - Tom Eastep
Copyright © 2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.