Deactivation of IPv6

From Thomas-Krenn-Wiki

This article describes how to deactivate or switch off IPv6 support under Linux and Windows. For security reasons, this can be helpful as long as IPv6 is not yet used productively. It prevents the host from obtaining an IPv6 address as soon as an IPv6 router advertisement daemon becomes available on a network. Furthermore, existing firewall rules often do not apply to IPv6. In this case, services that are blocked by an IPv4 rule might still be accessible via IPv6. Linux has its own command, "ip6tables", for managing IPv6 firewall rules.

Ubuntu

In Ubuntu 10.04, 12.04, 14.04 and 16.04, IPv6 is compiled directly into the kernel and is not loaded as a module. The simplest method to deactivate IPv6 is to set the appropriate sysctl parameter. This can be done temporarily with the following command:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

To make this setting permanent, it is advisable to use the sysctl configuration. To do so, create a file named /etc/sysctl.d/01-disable-ipv6.conf with the following content:

net.ipv6.conf.all.disable_ipv6 = 1

IPv6 is then deactivated after the next reboot.

This can be verified with the "ip addr show" command. The output must no longer contain any entries with the text "inet6".

ip addr show | grep inet6
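
A more thorough check than the grep above, as an added example that is not part of the original article: it reads the per-interface disable_ipv6 flags in addition to the inet6 entries, which also catches a host where the sysctl.d file was written but has not taken effect yet. The function names and the sample data in demo_constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit that IPv6 is really off. Function names are illustrative.

# Print every interface whose disable_ipv6 flag is not 1.
# $1: sysctl conf directory (default: the live /proc tree). If it does not
# exist (IPv6 module never loaded), nothing is printed.
ipv6_enabled_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for f in "$conf_dir"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        [ "$val" = "1" ] || basename "$(dirname "$f")"
    done
}

# Read `ip addr show` output on stdin and print "<interface> <address>"
# for each inet6 entry (the lines the article greps for).
inet6_addresses() {
    awk '/^[0-9]+:/ { iface = $2; sub(/:$/, "", iface) }
         $1 == "inet6" { print iface, $2 }'
}

# Combine both checks; exit status 0 only when neither finds anything.
# On a live host: ip addr show | audit_ipv6
audit_ipv6() {
    report=$(
        inet6_addresses | sed 's/^/inet6 address: /'
        ipv6_enabled_ifaces "$1" | sed 's/^/disable_ipv6 is not 1: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the sysctl.d file exists but the host has not been
# rebooted yet, so the flags are still 0 and eth0 keeps its address.
demo_constructed() {
    d=$(mktemp -d) && mkdir "$d/all" "$d/eth0"
    echo 0 > "$d/all/disable_ipv6"; echo 0 > "$d/eth0/disable_ipv6"
    printf '%s\n' '2: eth0: <BROADCAST,UP> mtu 1500' \
        '    inet 192.0.2.10/24 scope global eth0' \
        '    inet6 fe80::1/64 scope link' | audit_ipv6 "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_constructed || true
```

A non-zero exit status makes the function usable in monitoring or configuration-management checks.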

RHEL / CentOS

Under RHEL 6 / CentOS, IPv6 can be deactivated via sysctl in the same way as under Ubuntu (see above).

In RHEL 4 / CentOS, IPv6 is integrated as a module. Add the following line to the /etc/modprobe.conf file:

install ipv6 /bin/true

To verify that it worked, use the "ip addr show | grep inet6" command or alternatively the following command:

lsmod | grep -i ipv6

Windows

Information on the deactivation of IPv6 can be found for the respective Windows version on the following pages:

Applications that require IPv6 support

OpenVZ

The following problem occurs with OpenVZ with the kernel "2.6.18-164.15.1.el5.028stab068.9" when IPv6 is deactivated via module blacklisting (see "RHEL 4 / CentOS 4"). OpenVZ does not function, as the vzmon module cannot be loaded.

Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol ve_snmp_proc_init
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol addrconf_sysctl_free
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol ve_ndisc_init
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol addrconf_ifdown
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol ip6_frag_cleanup
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol fini_ve_route6
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol addrconf_sysctl_init
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol ve_snmp_proc_fini
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol ve_ndisc_fini
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol init_ve_route6
Jul  8 21:21:08 ovz2 kernel: vzmon: Unknown symbol addrconf_sysctl_fini
Jul  8 21:21:08 ovz2 vz: failed to load module vzmon failed

The same should apply to Virtuozzo: http://kb.parallels.com/en/3583

Unbound DNS Server

In the default configuration, the Unbound DNS server listens on 127.0.0.1 (IPv4) and ::1 (IPv6). If IPv6 is disabled as described above, the following error occurs when starting with the Unbound default configuration:

user@ubuntu-10.04:~$ sudo /etc/init.d/unbound start
 * Starting recursive DNS server unbound
[1278656703] unbound[1924:0] error: can't bind socket: Cannot assign requested address
[1278656703] unbound[1924:0] fatal error: could not open ports                                   [fail]
user@ubuntu-10.04:~$

You can easily work around the problem by explicitly specifying only the address 127.0.0.1 in the configuration file /etc/unbound/unbound.conf:

        # specify the interfaces to answer queries from by ip-address.
        # The default is to listen to localhost (127.0.0.1 and ::1).
        # specify 0.0.0.0 and ::0 to bind to all available interfaces.
        # specify every interface[@port] on a new 'interface:' labelled line.
        # The listen interfaces are not changed on reload, only on restart.
        # interface: 192.0.2.153
        # interface: 192.0.2.154
        # interface: 192.0.2.154@5003
        # interface: 2001:DB8::5
        interface: 127.0.0.1


Author: Christoph Mitasch

Christoph Mitasch works in the Web Operations & Knowledge Transfer team at Thomas-Krenn. He is responsible for the maintenance and further development of the webshop infrastructure. After an internship at IBM Linz, he finished his diploma studies "Computer- and Media-Security" at FH Hagenberg. He lives near Linz and, besides work, he is an enthusiastic marathon runner and juggler, where he holds various world records.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took up her job as an assistant in Product Management and is responsible for the translation of texts and for the organisation of the department.

