Tunnelling IPv4/IPv6
Configured tunnels
FreeBSD supports configured tunnels with the gif tunnel-interface. Setting up a manual tunnel requires several steps on the command line.
Beforehand, you need the following information:
- $host-ipv4
- IPv4-address of the host
- $router-ipv4
- IPv4-address of the router/tunnel-server
- $tunnel-v6host
- (Tunnel) IPv6-address of the host
- $tunnel-v6router
- (Tunnel) IPv6-address of the router
Create the interface:
ifconfig gif0 create
Set up the IPv4-endpoints of the tunnel:
ifconfig gif0 tunnel $host-ipv4 $router-ipv4
Set up the IPv6-endpoints of the tunnel:
ifconfig gif0 inet6 alias $tunnel-v6host $tunnel-v6router prefixlen 128
Set the (IPv6) default route on the tunnel:
route add -inet6 default -interface gif0
6to4
FreeBSD supports automatic 6to4-tunnelling with the stf tunnel-interface. Setting up a 6to4 tunnel requires several steps on the command line.
Beforehand, you need the following information:
- $6to4
- 6to4/IPv6-prefix of the host (see 6to4 Details: Creating the prefix for instructions).
Create the interface:
ifconfig stf0 create
Set up the 6to4/IPv6-endpoint of the tunnel:
ifconfig stf0 inet6 $6to4 prefixlen 16 alias
Set the (IPv6) default route on the public 6to4 anycast address:
route add -inet6 default 2002:c058:6301::
SSH Tunnel有三种,分别是本地Local(ssh -NfL),远程Remote(ssh -NfR),动态Dynamic(ssh -NfD)。(含义参考man ssh)
说明:在我们举例说明用法之前,先假设你有一台机器,它的IP是a.b.c.d。
1:本地Local(ssh -NfL)
ssh -NfL a.b.c.d:1234:www.google.com:80 a.b.c.d
此时,在浏览器里键入:http://a.b.c.d:1234,就会看到Google的页面了。
在绑定1234端口的时候,可以省略前面的ip,如此一来,1234端口就仅仅绑定在localhost地址上,更安全:
ssh -NfL 1234:www.google.com:80 a.b.c.d
此时浏览的话就要在a.b.c.d机器上使用http://localhost:1234了。
何时使用本地Tunnel?
比如说你在本地访问不了某个网络服务(如www.google.com),而有一台机器(如:a.b.c.d)可以,那么你就可以通过这台机器来访问。
2:远程Remote(ssh -NfR)
ssh -NfR 1234:localhost:22 a.b.c.d
接着转到a.b.c.d机器,使用如下命令:
ssh -p 1234 localhost
需要注意的是上下两个命令里的localhost不是同一台。这时你会发现自己已经连上最开始命令里的localhost机器了,也就是执行”ssh -NfR”的那台机器。
何时使用远程Tunnel?
比如当你下班回家后就访问不了公司内网的机器了,遇到这种情况可以事先在公司内网的机器上执行远程Tunnel,连上一台公司外网的机器,等你下班回家后就可以通过公司外网的机器去访问公司内网的机器了。
3:动态Dynamic(ssh -NfD)
ssh -NfD 1234 a.b.c.d
如此一来就建立了一台Socket代理机器,接着在浏览器上设置Socket代理:地址是localhost,端口是1234,从此以后,你的访问都是加密的了!你可以通过访问WhatIsMyIP来确认自己现在的IP,看看是不是已经变成a.b.c.d了。
测试阶段,也可以把端口绑定在外网地址上,如此一来,你在浏览器上就可以使用外网地址设置Socket代理,但这仅限于测试,否则,你的机器就不安全了,随时可能成为肉鸡。对于Windows用户来说,如果讨厌命令行,还可以使用MyEnTunnel来实现同样的功能,配合Firefox的 FoxyPorxy,基本就无敌了,至于具体的配置方法,小崔已经写好了:使用Firefox+foxyProxy+SSH翻山越岭。如果你使用的是Chrome的话,则可以选择 Proxy Switchy!来实现同样的效果,恕不多言。
ISATAP和6to4都是目前比较流行的自动建立隧道的过渡技术,都可以连接被IPv4隔绝的IPv6孤岛,都是通过将IPv4地址嵌入到 IPv6地址当中,并将IPv6封包封装在IPv4中传送,在主机相互通信中抽出IPv4地址建立tunnel。但具体实现的流程,IPv6地址和应用范围不尽相同。
ISATAP(draft-ietf-ngtrans-isatap-23.txt) 的全名是 Intra-Site Automatic Tunnel Addressing Protocol,它将IPv4地址夹入IPv6地址中,当两台 ISATAP 主机通讯时,可自动抽取出 IPv4 地址建立 Tunnel 即可通讯,且并不需透过其它特殊网络设备,只要彼此间IPv4网络通畅即可。
双栈主机支持isatap后会自动在该隧道接口上生成本地链路的前缀(fe80::开头)和64位的接口标识符::0:5EFE:X.X.X.X(这里的X.X.X.X是双栈主机的IPv4单播地址),这样就可以和同一子网内其他isatap客户机进行ipv6 通讯了;如果需要和其他网络的isatap客户机或者IPv6网络通信,必须通过ISATAP路由器拿到全球单播地址前缀(2001:, 2002:, 3ffe:开头),通过路由器与其他IPv6主机和网络通信。
ISATAP过渡技术不要求隧道端节点必须具有全球惟一的IPv4地址,只要双栈主机具有IPv4单播地址即可,不管该地址公有的还是私有的都可以。
6to4(RFC3056)机制被定义在站点之间进行IPv6通讯,每个站点必须至少有一台”6to4″路由器作为出入口,使用特需的地址格式,地址前缀为(2002:开头),并将路由器的IPv4地址夹入IPv6地址中,因此位于不同6to4 site内的主机彼此通讯时即可自动抽出IPv4地址在路由器之间建立Tunnel。
透过6to4 router,不同6to4 site内的主机可互相通讯,当需与一般IPv6主机通讯时,则必须过6to4 relay router。6to4 relay router必须同时具备6to4及IPv6接口,同时提供这些接口的封包转送。
6to4需要一个全球合法的IPv4地址,所以对解决IPv4地址短缺没有太大帮助。但它不需要申请IPv6地址,通过它可使站点迅速升级到 IPv6。
NTP Client Configuration
If you want to configure ntp client you need to install the following packages
#apt-get install ntp ntp-simple ntpdate
Configuring NTP client
You need to edit the /etc/ntp.conf file you need to point the following settings to NTP server ip address
Server configuration settings
server 192.168.1.1
Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.
restrict default notrust nomodify nopeer
Localhost configuration
restrict 192.168.1.1
In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.
We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords
restrict 127.0.0.1
Now you need to save and exit the file
run ntpdate command against your server
ntpdate 192.168.1.1
Restart ntp service using the following command
/etc/init.d/ntp restart
If you use the date command to change time, it is worth setting also the hardware clock to the correct time. Otherwise, the time is wrong after the next reboot, since the hardware clock keeps the time when power is turned off. When the clock in the operating system shows the correct time, set the hardware clock like this
#hwclock --systohc
se the ntpq command to see the servers with which you are synchronized
#ntpq
#ntpdc -p