
Completely disable IPv6 in CentOS6

All of these are fun and good, but none really disables IPv6. Usually what you are concerned with is that your NICs are not configured for IPv6, but if you really want to disable IPv6… well… disable IPv6:

In /etc/grub.conf edit the kernel lines to include:

ipv6.disable=1

The “trick” here, as described by TrevorH1 in #linux, is that programs can still load the module as they wish. You can check this by running lsmod or modprobe -l; you will still see the ipv6.ko kernel module. This allows user-mode programs to access the kernel module in their code (so they don’t crash), but as far as the kernel is concerned ipv6.disable=1, so the kernel doesn’t really allow much to get through it.

And that’s it. IPv6 is disabled on your box… but if you want to disable a variety of fun things that you might find when seeking to disable IPv6…

In /etc/sysctl.conf change/create entries:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

In /etc/sysconfig/network change/create entries:

NETWORKING_IPV6=no
IPV6INIT=no

In /etc/modprobe.d/blacklist.conf change/create entries:

blacklist net-pf-10
blacklist ipv6

Disable iptables for IPv6:

service ip6tables stop
chkconfig ip6tables off

Disable ipv6 completely:

echo "install ipv6 /bin/true" > /etc/modprobe.d/ipv6_disabled.conf
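One way to check after a reboot that the settings above actually took effect, as an added example that is not part of the original post. The function names and the root-prefix argument (which lets the checks run against copies of the files) are assumptions of this example:

```bash
#!/bin/bash
# Added example: audit the settings from the steps above.
# $1 of each function is a root prefix ("" = the live system); the prefix is
# an assumption of this example so the checks can run on copies of the files.

# Print how many kernel lines in grub.conf lack ipv6.disable=1.
grub_lines_missing_flag() {
    awk '$1 == "kernel" && !/(^|[ \t])ipv6\.disable=1([ \t]|$)/ { n++ }
         END { print n + 0 }' "$1/etc/grub.conf"
}

# True if the running kernel was actually booted with ipv6.disable=1.
booted_with_flag() {
    tr ' ' '\n' < "$1/proc/cmdline" | grep -qxF 'ipv6.disable=1'
}

# True if sysctl.conf sets key $2 to 1 (comments skipped, last entry wins).
sysctl_conf_sets() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
          if (key == k) last = val }
        END { exit !(last == "1") }' "$1/etc/sysctl.conf"
}

# True if no interface holds an IPv6 address. /proc files report size 0,
# so the content is read instead of tested with -s; a missing file passes.
no_ipv6_addresses() {
    ! grep -q . "$1/proc/net/if_inet6" 2>/dev/null
}

# Run every check, print findings, return the number of failed checks.
audit_ipv6() {
    root="${1:-}"; fails=0
    [ "$(grub_lines_missing_flag "$root")" = 0 ] ||
        { echo "FAIL grub.conf: a kernel line lacks ipv6.disable=1"; fails=$((fails + 1)); }
    booted_with_flag "$root" ||
        { echo "FAIL running kernel not booted with ipv6.disable=1"; fails=$((fails + 1)); }
    for k in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        sysctl_conf_sets "$root" "$k" ||
            { echo "FAIL sysctl.conf: $k is not set to 1"; fails=$((fails + 1)); }
    done
    no_ipv6_addresses "$root" ||
        { echo "FAIL an interface still holds an IPv6 address"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Live run on the host itself: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_ipv6 ""; fi
```

The grub.conf check counts every kernel stanza, so an older boot entry that was never edited shows up as a failure even when the current one is correct.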

With much reference:

  1. IgnitedMind
    April 7, 2013 at 10:15 am

    I have followed all the above steps, still unable to disable IPv6 :(
    Does anyone have any other solution, please?

    • April 7, 2013 at 11:01 am

      IPv6 was disabled when I set ipv6.disable=1 in /etc/grub (and rebooted the system). listmod, et cetera, would still list the kernel module as loaded; but this is purposeful to allow other programs that call on this module to still access programmatic classes of the module without issue/instead of crashing.

      After setting that value, and rebooting your system, what do you see that indicates that the IPv6 stack is not disabled?

  2. Todd
    July 31, 2013 at 11:21 pm

    Good luck using mirrorlist.centos.org after implementing the full list from here… it's only responding on the net to an IPv6 address!

    [root@cm462 cloudera-manager-installer]# getent hosts mirrorlist.centos.org
    2a02:2498:1:3d:5054:ff:fed3:e91a mirrorlist.centos.org

    Looks like we’re screwed boys… Use IPv6 or die!

  3. November 15, 2013 at 8:56 am

    It is not “mirrorlist.centos.org”, it IS the DNS settings at centos.org. The AAAA and A records are in that order, but their options are not the default round-robin. That means that user-1 does a DNS lookup for X, followed by user-n doing the same. They all get the same answer – namely the AAAA record, i.e. the IPv6 address.

    Congratulations to CentOS: They force you to use IPv6 whether you intended/wanted to or not. This is really hard luck for any user with an ISP that does not provide/allow IPv6 traffic. Do they do that for “security reasons”?

    • November 15, 2013 at 3:16 pm

      Hello Pim,

      I looked a bit deeper, and I have no problems:

      I can find the AAAA record:

      CMD C:\>dig mirrorlist.centos.org AAAA
      
      ; <<>> DiG 9.9.4-P1 <<>> mirrorlist.centos.org AAAA
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55689
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1280
      ;; QUESTION SECTION:
      ;mirrorlist.centos.org.         IN      AAAA
      
      ;; ANSWER SECTION:
      mirrorlist.centos.org.  12      IN      AAAA    2a02:2498:1:3d:5054:ff:fed3:e91a
      
      ;; Query time: 1 msec
      ;; SERVER: 192.168.17.111#53(192.168.17.111)
      ;; WHEN: Fri Nov 15 15:11:35 Eastern Standard Time 2013
      ;; MSG SIZE  rcvd: 78
      
      Or I can find the A record:
      CMD C:\>dig mirrorlist.centos.org A
      
      ; <<>> DiG 9.9.4-P1 <<>> mirrorlist.centos.org A
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63255
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1280
      ;; QUESTION SECTION:
      ;mirrorlist.centos.org.         IN      A
      
      ;; ANSWER SECTION:
      mirrorlist.centos.org.  262     IN      A       72.232.223.58
      mirrorlist.centos.org.  262     IN      A       69.30.193.218
      mirrorlist.centos.org.  262     IN      A       204.15.73.243
      mirrorlist.centos.org.  262     IN      A       64.235.47.134
      
      ;; AUTHORITY SECTION:
      centos.org.             5821    IN      NS      ns3.centos.org.
      centos.org.             5821    IN      NS      ns1.centos.org.
      centos.org.             5821    IN      NS      ns4.centos.org.
      
      ;; ADDITIONAL SECTION:
      ns1.centos.org.         71      IN      A       72.232.223.58
      ns3.centos.org.         71      IN      A       88.208.217.170
      ns4.centos.org.         71      IN      A       62.141.54.220
      
      ;; Query time: 9 msec
      ;; SERVER: 192.168.17.111#53(192.168.17.111)
      ;; WHEN: Fri Nov 15 15:12:39 Eastern Standard Time 2013
      ;; MSG SIZE  rcvd: 216
      

      When pinging the IPv6 address, it is not routed, and is unreachable:

      CMD C:\>ping 2a02:2498:1:3d:5054:ff:fed3:e91a
      
      Pinging 2a02:2498:1:3d:5054:ff:fed3:e91a with 32 bytes of data:
      PING: transmit failed. General failure.
      PING: transmit failed. General failure.
      PING: transmit failed. General failure.
      
      Ping statistics for 2a02:2498:1:3d:5054:ff:fed3:e91a:
          Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
      

      However, the DNS client has no problems resolving mirrorlist.centos.org so that it is reachable by a client on my machine (Windows):

      CMD C:\>ipconfig /flushdns
      
      Windows IP Configuration
      
      Successfully flushed the DNS Resolver Cache.
      
      CMD C:\>ping mirrorlist.centos.org
      
      Pinging mirrorlist.centos.org [72.232.223.58] with 32 bytes of data:
      Reply from 72.232.223.58: bytes=32 time=46ms TTL=48
      Reply from 72.232.223.58: bytes=32 time=45ms TTL=48
      Reply from 72.232.223.58: bytes=32 time=45ms TTL=48
      Reply from 72.232.223.58: bytes=32 time=46ms TTL=48
      
      Ping statistics for 72.232.223.58:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 45ms, Maximum = 46ms, Average = 45ms
      

      Everything should be fine :)
