How to disable IPv6


#1

How to disable IPv6

Context

Certain organizational security requirements may mandate a disabling of IPv6. Disabling this protocol is usually done to limit possible attacks or vulnerabiliies to services through IPV6 ports.

Aerospike will work with either ipv4 or ipv6 enabled but does not recommend disabling ipv6 with only sysctl as that can lead to a state where ipv6 is supported by the Kernel, while “half disabled” by sysctl.

To properly disable IPv6 on Linux, we suggest one of the following methods:

  1. Blacklist the ipv6 module at startup by modifying grub.conf

  2. Disable the ipv6 module.

Methods to disable IPv6

Blacklisting the IPv6 module

Blacklisting the IPv6 linux module can be done by adding one of the following to the kernel loading line and rebooting the server:

ipv6.blacklist=yes if the module is added dynamically

ipv6.disable=1 if the module is compiled into the kernel

Typically on Centos7 the module is usually compiled in. You can add both do the kernel cmdline if you are unsure.

To check whether the module is disabled, run lsmod |grep ipv6, or modinfo ipv6. If the lsmod does not show an ipv6 module, it is compiled in.

Example:
sudo cat /etc/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/VolGroup-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.6.3.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-696.6.3.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us ipv6.blacklist=yes ipv6.disable=1 rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-696.6.3.el6.x86_64.img
title CentOS 6 (2.6.32-642.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us ipv6.blacklist=yes ipv6.disable=1 rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-642.el6.x86_64.img
 

Disabling the IPv6 module

The following steps can be done to disable the IPv6 module at runtime after boot:

  1. Create a file under /etc/modprobe.d/ that contains the following line:
install ipv6 /bin/true
  1. Disable ip6tables:
chkconfig ip6tables off
  1. Reboot the server.
Example file:
$ cat /etc/modprobe.d/killipv6.conf 
install ipv6 /bin/true

Notes

There is usually no need to disable ipv6. This knowledge-base is provided as an informational guide.

Keywords

ipv6, kernel, disable, sysctl, ipv4

Timestamp

9/21/2017