How to disable IPv6



Context

Certain organizational security requirements may mandate disabling IPv6. This is usually done to limit possible attacks on, or vulnerabilities in, services reachable through IPv6 ports.

Aerospike will work with either IPv4 or IPv6 enabled, but does not recommend disabling IPv6 with only sysctl, as that can lead to a state where IPv6 is supported by the kernel while "half disabled" by sysctl.

To properly disable IPv6 on Linux, we suggest one of the following methods:

  1. Blacklist the ipv6 module at startup by modifying grub.conf

  2. Disable the ipv6 module.

Methods to disable IPv6

Blacklisting the IPv6 module

Blacklisting the IPv6 Linux module can be done by adding ipv6.blacklist=yes to the kernel loading line and rebooting the server.

Example:
sudo cat /etc/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/VolGroup-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.6.3.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-696.6.3.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us ipv6.blacklist=yes  rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-696.6.3.el6.x86_64.img
title CentOS 6 (2.6.32-642.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us ipv6.blacklist=yes  rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-642.el6.x86_64.img
 

Disabling the IPv6 module

The following steps can be done to disable the IPv6 module:

  1. Create a file under /etc/modprobe.d/ that contains the following line:

     install ipv6 /bin/true

  2. Disable ip6tables:

     chkconfig ip6tables off

  3. Reboot the server.

Example file:
$ cat /etc/modprobe.d/killipv6.conf 
install ipv6 /bin/true
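
A post-reboot check for the "half disabled" state described in the Context section, as an added example that is not part of the original article or Aerospike's own tooling. The function names and the ROOT prefix argument are hypothetical; the check assumes /proc/net/if_inet6 exists only while the kernel IPv6 stack is active and reads the standard net.ipv6.conf.all.disable_ipv6 sysctl.

```shell
#!/bin/sh
# Added example: classify the IPv6 state of a Linux host.
# ROOT is a hypothetical filesystem prefix so the checks can also be run
# against a constructed tree; an empty ROOT means the live system.

# Prints one of: disabled | half-disabled | enabled
ipv6_state() {
    root="$1"
    # /proc/net/if_inet6 is present only when the kernel IPv6 stack is active.
    if [ ! -e "$root/proc/net/if_inet6" ]; then
        echo "disabled"
        return 0
    fi
    # Stack is present; check whether sysctl alone has switched it off.
    flag="$root/proc/sys/net/ipv6/conf/all/disable_ipv6"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then
        echo "half-disabled"
    else
        echo "enabled"
    fi
}

# Returns 0 if a modprobe.d file carries the "install ipv6 /bin/true" line.
modprobe_blocks_ipv6() {
    root="$1"
    for f in "$root"/etc/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+ipv6[[:space:]]+/bin/true' "$f"; then
            return 0
        fi
    done
    return 1
}

# One-line summary for the given tree (or the live system).
report() {
    root="$1"
    state=$(ipv6_state "$root")
    if modprobe_blocks_ipv6 "$root"; then persist="yes"; else persist="no"; fi
    echo "ipv6=$state modprobe_install_rule=$persist"
}

report "${1:-}"
```

A result of `ipv6=half-disabled` means the module is still loaded and only sysctl is suppressing it, which is the state the article advises against.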

Notes

There is usually no need to disable IPv6. This knowledge-base article is provided as an informational guide.

Keywords

ipv6, kernel, disable, sysctl, ipv4

Timestamp

9/21/2017