Making My Server IPv6 Compatible
I got a Reddit message from a user who is running a single stack IPv6 setup and was unable to access my website. I thought I had everything in order to make this work but apparently not. Thanks to this user for reaching out so I could fix the problem.
DNS AAAA Record
The first step is to ensure that you have an AAAA record published for your public IPv6 address. This is fairly simple. Grab your IPv6 address from your server (ifconfig, ip a, or ipconfig) and create a record through your domain provider.
NOTE: Be sure to grab the scope global address and NOT the scope link.
Firewall Configuration
In my case, I am using iptables to manage my firewall configuration. The first thing to note is that you must use two different utilities to manage IPv4 vs. IPv6 rules: iptables and ip6tables. What is nice is that both utilities provide the -4 and -6 flags to cause the opposite tool to ignore those specific rules. From the man page:
-4, --ipv4
This option has no effect in iptables and iptables-restore. If a rule using the -4 option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore.
-6, --ipv6
If a rule using the -6 option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore.
So with that in mind, you can make one file to hold all your rules and then load it into both utilities. The place where the specific rules come into play is when dealing with specific IPs or with localhost communications. iptables is smart enough to work on port-based rules across the protocols.
I ended up using a set of rules from Jakub Jirutka here. I basically just updated line 111, uncommented, saved to /etc/iptables.rules and loaded it up. To ensure these rules get loaded at boot I added these lines to /etc/rc.local:
#Restore IP tables
iptables-restore < /etc/iptables.rules
ip6tables-restore < /etc/iptables.rules
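A pre-load check for the shared rules file described above, added here as an example and not taken from the original post or from the rule set it uses: it flags rules that contain an address literal of one family without the matching -4 or -6 flag, and shows which lines each restore tool keeps. The sample rules and the function names are assumptions of this example, and only plain address or CIDR literals are detected.

```python
import ipaddress
import shlex

# Constructed sample of a shared rules file (not the author's actual rules).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-4 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-6 -A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.10 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def rule_family(tokens):
    """Return 4 or 6 if the rule carries -4/--ipv4 or -6/--ipv6, else None."""
    if {"-4", "--ipv4"} & set(tokens):
        return 4
    return 6 if {"-6", "--ipv6"} & set(tokens) else None

def literal_versions(tokens):
    """IP versions of plain address/CIDR literals found in the rule."""
    found = set()
    for part in (p for tok in tokens for p in tok.split(",")):
        try:
            found.add(ipaddress.ip_network(part, strict=False).version)
        except ValueError:
            pass  # not an address (port, chain name, interface, ...)
    return found

def lint(rules_text):
    """Return (line_no, version) for address literals lacking the matching -4/-6."""
    problems = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if line.startswith("-"):  # skip table names, policies, COMMIT, comments
            tokens = shlex.split(line)
            fam = rule_family(tokens)
            problems += [(no, v) for v in sorted(literal_versions(tokens)) if v != fam]
    return problems

def view(rules_text, family):
    """Lines the restore tool for `family` (4 or 6) loads; the other family's are dropped."""
    other = 6 if family == 4 else 4
    return [ln for ln in rules_text.splitlines()
            if not (ln.startswith("-") and rule_family(shlex.split(ln)) == other)]

if __name__ == "__main__":
    print(lint(SAMPLE_RULES), *view(SAMPLE_RULES, 6), sep="\n")
```

In the sample, the SSH rule on line 7 has an IPv4 source and no -4, so it would also be handed to ip6tables-restore; adding -4 to it clears the finding.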
NGINX Config
NGINX seems to have the IPv6 configuration already built into their default server config file. If for some reason you do not have this, IPv6 is configured in the listen directive of the server block in your NGINX config file. You are looking for this line: listen [::]:80; Likewise, if you are serving on HTTPS (or redirecting), then you will need a similar line for port 443.