Saturday, November 26, 2011

Fun with SOCKS, IPv6 and SSH

This is fun stuff with both IPv6 and SOCKS. And ... the IPv6 is a side effect of the SOCKS ... ;-)

First some info on SOCKS: I thought SOCKS was just some old-skool proxy protocol on corporate networks. But I learned you can also use SOCKS (in ssh) to prevent spying by ISPs, governments and other third parties. Here's how:

You need an external SSH-server (which hopefully does IPv6). There are service providers that offer SSH-server functionality for 15 US$ per year(!). I got my VPS with SSH server from Hexxeh (http://vps.hexxeh.net/) for 5 US$ per month. A bit more expensive, but I wanted a VPS anyway and Hexxeh provides IPv6 (on request).

Now set up a super simple SOCKS proxy server on your Linux system (in my case Ubuntu):


You then need to fill out your password. If your logon is successful, the local SOCKS proxy is running on port 1080, with its start point on your Linux machine, and its endpoint on the SSH server. So a loooong SOCKS proxy. ;-)
(Attention: stay logged on. As soon as you log out from the SSH session, the SOCKS proxy is gone.)

Now you can point your SOCKS enabled client to localhost and port 1080. I've done this for the web browser Chrome (see screendump), and I could browse the web. And suddenly my location had changed to the UK according to http://whatismyipaddress.com/ . And as Hexxeh provides IPv6 (on request), my IPv6 was working according to http://test-ipv6.com/ "Your IPv6 address on the public Internet appears to be 2001:41d0:2:bb58:...".

As my web traffic now goes through an SSH session, I'm quite sure it's encrypted, and it cannot be eavesdropped by my ISP.

Strangely enough, http://www.bbc.co.uk/iplayer/tv thinks I'm NOT in the UK. Maybe the BBC does blacklist IP addresses from (VPS) hosters ... :-(


EDIT: here is a command to check the SOCKS SSH tunnel:


$ sudo netstat -apon  | grep -i ssh | grep tcp
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      8511/ssh         off (0.00/0/0)
tcp        0      0 192.168.1.53:44824      174.41.66.20:22       ESTABLISHED 8511/ssh         keepalive (5957.97/0/0)
tcp6       0      0 ::1:1080                :::*                    LISTEN      8511/ssh         off (0.00/0/0)
$
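
A check on the netstat output above, as an added example that is not part of the original post: it confirms the ssh SOCKS listener is bound to loopback only, since a listener on 0.0.0.0 or :: (for instance when ssh is started with -g) would let any host that can reach the machine use the tunnel. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. The tunnel itself is typically opened with something like
#   ssh -D 1080 user@ssh-server.example    (placeholder host; an assumption,
# the post's own command did not survive on the page).

# socks_listener_scope PORT
# Reads `netstat -apon` lines on stdin and reports where ssh's SOCKS
# listener on PORT is bound: loopback-only, exposed:<addr...>, or no-listener.
socks_listener_scope() {
    awk -v port="$1" '
    $6 == "LISTEN" && $7 ~ /\/ssh$/ {
        laddr = $4
        n = split(laddr, parts, ":")
        if (parts[n] != port) next
        # Everything before the final ":port" is the bind address.
        host = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
        found = 1
        if (host != "127.0.0.1" && host != "::1") exposed = exposed " " laddr
    }
    END {
        if (!found)        { print "no-listener"; exit 2 }
        if (exposed != "") { print "exposed:" exposed; exit 1 }
        print "loopback-only"
    }'
}

# The three lines shown in the post.
page_sample() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      8511/ssh         off (0.00/0/0)
tcp        0      0 192.168.1.53:44824      174.41.66.20:22       ESTABLISHED 8511/ssh         keepalive (5957.97/0/0)
tcp6       0      0 ::1:1080                :::*                    LISTEN      8511/ssh         off (0.00/0/0)
EOF
}

# Constructed sample: the same tunnel bound to every interface.
exposed_sample() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      9001/ssh         off (0.00/0/0)
tcp6       0      0 :::1080                 :::*                    LISTEN      9001/ssh         off (0.00/0/0)
EOF
}

page_sample | socks_listener_scope 1080
```

On a live system, feed it the real output: sudo netstat -apon | socks_listener_scope 1080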




HTH


Wednesday, November 16, 2011

IPv6 Fun: "defa:ced"

Funny: Fun with IPv6 addresses ... see http://codingrelic.geekhold.com/2011/04/ipv6-addresses-for-fun-and-profit.html

There are many more options than just dead:beef:f00d !

a110:c8ed I allocated an address, just for you.
defa:ced I hate my web designer.
bad:fac:ade Our CSS needs work.
bad:deed Thank you for visiting my site. Really.
be:fa11 As in "what has befallen yon dead server?"
abba:ca:daba Our network is powered by pure magic.
d00:bee Network debugging probably qualifies as "medicinal purposes."
b0:cce:ba11 You know, I only discovered Bocce Ball in my 30s.
5ca1:ab1e Ignore what you see elsewhere, the secret to scalability is in using clever IP addresses.
ca:b0b yummy
fa1:afe1 even more yummy!
b1ab:bed We might need to tighten up our HTML a bit.
bab:b1e We might need to recompress our images a bit.
ba:b00 My sweet baboo!
10ad:ed I bet it has an itchy trigger finger, too.
ba:11ad The entire site is set in iambic pentameter.
a:100f My site doesn't like me.
acc0:1ade Network admins rarely, if ever, hear praise of their work.
aff:ab1e An address for a social networking site if ever I heard one.
ba:ff1e Don't blame me for the contents of this site. The web team reports to a whole different department from the network admins.
ba1:b0a It's the Eye of the Tiger, baby!
ed1:f1ce Look upon my network, ye Mighty, and despair.
5caf:f01d This load balancing tier was intended to be temporary. That was four years ago. Such is the way of things.




Saturday, October 22, 2011

SABnzbd with Bonjour patch

With a patch, SABnzbd will announce itself via Bonjour. That way, you can find SABnzbd's web interface easily on your LAN. No need to hassle with IP addresses and port numbers.

I've tested this patched SABnzbd on Ubuntu. Here's how to use it:

  1. Make sure the plain SABnzbd is working on your system.
  2. The "SABnzbd Host" under Config -> General should state 0.0.0.0 (or ::) so that SABnzbd listens on the LAN interface
  3. Install an additional library: sudo apt-get install libavahi-compat-libdnssd1
  4. Download the patched SABnzbd 0.6.10 here and unpack it. Go into that directory
  5. Stop the plain SABnzbd if it is running
  6. Start the patched SABnzbd called "SABnzbd-bonjour.py", which you can find in the unpacked directory

SABnzbd should now advertise itself via Bonjour. Install and start avahi-discover to see it. See the included screenshot.

If you want to see Bonjour services from within Chrome/Chromium or Firefox (on any OS), go to http://dnssd.me/ and install the DNSSD extension. This should work on Linux (with Avahi installed), Mac OS X, and Windows (with iTunes installed). See the included screenshot for an example.

Some remarks about using this patched SABnzbd on other operating systems:
  • Other Linux versions: it should work after you install the needed libraries for avahi and the avahi-compat stuff
  • Unix versions (for example embedded on NAS devices): it all depends on the libraries
  • Mac OS X: I guess the patched SABnzbd should work if you can get the plain SABnzbd-source-version working. Please give feedback
  • Windows: I have no idea as I don't know how to run SABnzbd from source on Windows. If you're going to try this, first make sure iTunes is installed
Feedback welcome in the comments

PS: there's very little IPv6 in this stuff, but it's quite network oriented, so I posted it here.


Saturday, October 15, 2011

Easy NZB-downloading on Ubuntu 11.10 with nzbget via free IPv6-only Newsservers

Ubuntu 11.10 (also known as Oneiric Ocelot) has got the NZB-downloader nzbget in its repositories. Combined with IPv6 based on miredo, and the free IPv6-only Newsservers, downloading NZBs is easy and you don't need a newsserver account. Here's the howto:


Open a terminal and type:

sudo apt-get install nzbget miredo
zcat /usr/share/doc/nzbget/examples/nzbget.conf.example.gz > ~/.nzbget

nzbget -s  -o Server1.Host=weathergirl-ipv6.tele2.net 

The above will start the nzbget daemon.


Then, create a NZB, for example via http://binsearch.info/ and download it. Let's say its name is mynzb.nzb


Finally, open another terminal, add the NZB you want to download to nzbget's queue, for example: 

nzbget -A ~/Downloads/mynzb.nzb

Switch back to the 'daemon'-terminal, and you should see the nzbget daemon downloading your request. It will end up in ~/download/dst/


If it doesn't work, check that your IPv6 is working; make sure you get an output like this:

ubuntu@ubuntu:~$ ping6 -c4 ipv6.google.com

64 bytes from ey-in-x63.1e100.net: icmp_seq=1 ttl=57 time=115 ms
64 bytes from ey-in-x63.1e100.net: icmp_seq=2 ttl=57 time=25.8 ms
64 bytes from ey-in-x63.1e100.net: icmp_seq=3 ttl=57 time=27.2 ms
64 bytes from ey-in-x63.1e100.net: icmp_seq=4 ttl=57 time=205 ms

--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 25.801/93.545/205.635/74.216 ms
ubuntu@ubuntu:~$

Remarks:
  • Instead of weathergirl-ipv6.tele2.net, you can use the other IPv6-only accountless newsserver: newszilla6.xs4all.nl
  • If you want to use a newsserver that requires an account, use something like "nzbget -s  -o Server1.Host=your.newsserver.com -o Server1.Username=user -o Server1.Password=pass" in the 'daemon'-terminal
  • The plain nzbget does not take care of rar and par. However, there's a postprocessing script somewhere in the install. EDIT: see /usr/share/doc/nzbget/examples/postprocess-example.* 
  • If you prefer a more GUI-like NZB-downloader, check out SABnzbd: http://sabnzbd.org/
  • Older Ubuntu versions haven't got nzbget in the standard repositories. However, there's a PPA: http://ppa.launchpad.net/volkris/ppa/ubuntu/pool/main/n/nzbget/

Happy downloading!


Friday, August 12, 2011

VMware Player blocks Teredo IPv6 on Windows 7

It seems VMware Player blocks Teredo IPv6 on Windows 7:

Teredo IPv6 was working on 'my' Windows 7. However, after installing VMware Player, all IPv6 connectivity was gone: "ipconfig" showed a lot of VMware interfaces, but no Teredo IPv6 anymore.

I'm now removing VMware Player, and immediately the Teredo IPv6 interface pops up again and http://test-ipv6.com/ tells me I have IPv6 connectivity again.


I wonder whether VMware has a good reason to disable/block IPv6, or it's just 'collateral damage' ...  

So for now: bye, bye VMware ... 

BTW: I wonder if VMware Player also blocks native IPv6.



Sunday, July 31, 2011

Cable ISP Ziggo to provide IPv6 in "2012"

Interesting: Dutch Cable ISP "Ziggo" says it's going to provide IPv6 to its cable customers in mid / end 2012. See https://www.ziggo.nl/#entertainment/nieuws/ziggo/ziggo/0/ziggo-en-het-nieuwe-internetprotocol-ipv6

Quotes:

  • "Vanaf eind 2012 wordt bij bestaande klanten IPv6 toegevoegd. Nieuwe klanten krijgen dan direct IPv6."
  • "Naar verwachting ondersteunt Ziggo medio 2012 het IPv6 protocol voor haar klanten, die een juiste huisinstallatie hebben."



Translation:

  • As of end 2012 existing customers will get IPv6. New customers will then immediately get IPv6
  • Mid 2012 Ziggo will support IPv6 for its customers that have the correct CPE



Hopefully Ziggo can fulfill this promise.

Sunday, February 27, 2011

Stream your Webcam over IPv6 using VLC

It's quite easy to stream your Webcam over IPv6. Here's the recipe for doing it on Ubuntu Linux:

  1. Make sure VLC is installed ("sudo apt-get install vlc")
  2. Make sure your webcam is connected
  3. Make sure VLC can see your webcam: "vlc v4l2:///dev/video0" should show what your webcam sees.
  4. Now start VLC as a streamer on port 4444 (or choose another free port above 1024) with this one command: 

    cvlc -vvv v4l2:///dev/video0  --sout '#transcode{vcodec=mp4v,acodec=mpga,vb=800,ab=128}:standard{access=http,mux=ogg,dst=[::]:4444}'

  5. Find out the IPv6 address of your streaming machine, for example with ifconfig or via http://test-ipv6.com/ . Let's say it's 2001:888:aaa::1.
  6. Still on the same machine, make sure you can watch the stream locally:

    vlc http://[ip6-localhost]:4444/

    vlc http://[2001:888:aaa::1]:4444/


  7. Now, on another machine with IPv6 and VLC, you can watch your webcam stream with the same command above, so 

    vlc http://[2001:888:aaa::1]:4444/

    If you're more a GUI person, you can open VLC, and put the URL in Media -> Open Network Stream -> Network.
  8. That's it.

Tuesday, February 1, 2011

Enabling IPv6 Privacy Extensions on Ubuntu Linux

On plain Ubuntu (and probably other Linux variants), the right hand part of the IPv6 address is based on your MAC address. As your MAC address is fixed and worldwide unique, you can be traced around the (IPv6) world based on your IPv6 address (which contains your MAC address). And often this is not wanted.

There's a solution for this called "IPv6 Privacy Extensions". It gives you a semi-random IPv6 address that is changed regularly. The result is less tracking and more privacy.

Here's how to enable IPv6 Privacy Extensions on Ubuntu and probably other Linux variants:

As root, edit the file /etc/sysctl.conf, for example:

gksudo gedit /etc/sysctl.conf

In that file, add these lines:

net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

Save the file and exit the editor. Then reload your network, or just reboot.
(BTW: the above lines are based on interface eth0 and wlan0)

After the reboot, ifconfig will now show a second public IPv6 address on interface(s) that used to have only one public IPv6 address. On http://www.appelboor.com/ipv6.html and http://test-ipv6.com/ you should see your new, "private" public IPv6 address.
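
Why the sysctl change matters, as an added example that is not part of the original post: without privacy extensions the low 64 bits of an autoconfigured address are the MAC with ff:fe inserted in the middle, so the MAC can be read straight back out of the address. The function name eui64_mac and the addresses (on the 2001:db8::/32 documentation prefix) are constructed for illustration.

```shell
#!/bin/sh
# eui64_mac ADDR
# Prints the MAC address embedded in ADDR when its interface identifier (the
# low 64 bits) is EUI-64-derived; exits 1 when it is not, 2 on a malformed
# address. An optional /prefix-length suffix is ignored.
eui64_mac() {
    printf '%s\n' "${1%%/*}" | awk '
    function hex(s,   i, v) {            # hex string -> number (POSIX awk)
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    {
        addr = tolower($0)
        if (addr !~ /^[0-9a-f:]+$/) exit 2
        p = index(addr, "::")
        if (p) {                         # expand "::" into zero groups
            nl = split(substr(addr, 1, p - 1), L, ":")
            nr = split(substr(addr, p + 2), R, ":")
            n = 0
            for (i = 1; i <= nl; i++) g[++n] = L[i]
            for (i = nl + nr; i < 8; i++) g[++n] = "0"
            for (i = 1; i <= nr; i++) g[++n] = R[i]
        } else
            n = split(addr, g, ":")
        if (n != 8) exit 2
        for (i = 1; i <= 8; i++)
            if (length(g[i]) < 1 || length(g[i]) > 4) exit 2
        a = hex(g[5]); b = hex(g[6]); c = hex(g[7]); d = hex(g[8])
        # EUI-64 inserts ff:fe between the two halves of the MAC.
        if (b % 256 != 255 || int(c / 256) != 254) exit 1
        # Undo the universal/local bit flip (0x02) on the first byte.
        first = int(a / 256)
        first += (int(first / 2) % 2) ? -2 : 2
        printf "%02x:%02x:%02x:%02x:%02x:%02x\n",
            first, a % 256, int(b / 256), c % 256, int(d / 256), d % 256
    }'
}

# Constructed address whose interface identifier is MAC-derived.
eui64_mac 2001:db8:1:2:211:22ff:fe33:4455
```

The MAC-derived address stays configured next to the temporary one; use_tempaddr = 2 makes the temporary address the preferred source for outgoing connections.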

Monday, January 31, 2011

Android 2.2 does IPv6, and ... answers pings

Interesting: An HTC Wildfire with Android 2.2:
  • does IPv6 when it's provided via RADVD on a Wireless LAN
  • ... answers ping6-messages
Here's a dump from the webserver's logfile, and then a ping6 to that IPv6 address of the Android:

2001:838:3ba:a:baab:bbbb:aaaa:b - - [31/Jan/2011:23:46:21 +0100] "GET / HTTP/1.1" 200 1173 "" "Mozilla/5.0 (Linux; U; Android 2.2.1; nl-nl; HTC_Wildfire_A3333 Build/FRG83D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

2001:838:3ba:a:baab:bbbb:aaaa:b - - [31/Jan/2011:23:46:22 +0100] "GET /favicon.ico HTTP/1.1" 200 5686 "http://www6.appelboor.com/" "Mozilla/5.0 (Linux; U; Android 2.2.1; nl-nl; HTC_Wildfire_A3333 Build/FRG83D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"



sander@vadmin648:~$ ping6 2001:838:3ba:a:baab:bbbb:aaaa:b
PING 2001:838:3ba:a:baab:bbbb:aaaa:b(2001:838:3ba:a:baab:bbbb:aaaa:b) 56 data bytes
64 bytes from 2001:838:3ba:a:baab:bbbb:aaaa:b: icmp_seq=1 ttl=52 time=1516 ms
64 bytes from 2001:838:3ba:a:baab:bbbb:aaaa:b: icmp_seq=2 ttl=52 time=516 ms
64 bytes from 2001:838:3ba:a:baab:bbbb:aaaa:b: icmp_seq=3 ttl=52 time=404 ms
64 bytes from 2001:838:3ba:a:baab:bbbb:aaaa:b: icmp_seq=4 ttl=52 time=296 ms
64 bytes from 2001:838:3ba:a:baab:bbbb:aaaa:b: icmp_seq=5 ttl=52 time=300 ms
^C
--- 2001:838:3ba:a:baab:bbbb:aaaa:b ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4012ms
rtt min/avg/max/mdev = 296.000/606.400/1516.000/461.895 ms, pipe 2
sander@vadmin648:~$ 


I think it would be better if the device would not ping back.

(FYI: the public IPv6 address has been changed for privacy reasons)