IPv6#

Filtering#

GNU/Linux#

To filter all IPv6 packets except ICMPv6 messages, run these commands.

  1. filter all IPv6 packets

    ip6tables --policy INPUT DROP
ip6tables --policy FORWARD DROP
ip6tables --policy OUTPUT ACCEPT
ip6tables --append INPUT --in-interface lo --jump ACCEPT
ip6tables --append OUTPUT --out-interface lo --jump ACCEPT

  2. accept ICMPv6 messages

    ip6tables --append INPUT --protocol ipv6-icmp --jump ACCEPT

  3. save the rules

    dpkg-reconfigure iptables-persistent

Disabling#

See this youtube video

GNU/Linux#

See also

  • networking - How to disable IPv6 permanently? - Ask Ubuntu 1

  • IPv6 - ArchWiki 2

  1. append these lines to the Sysctl configuration file

    /etc/sysctl.conf#
    # Disable IPv6.
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

  2. reload the configuration

    sysctl -p /etc/sysctl.conf

  3. comment IPv6 hosts in /etc/hosts

  4. reboot and check that everything still works

Warning

Disabling IPv6 on a server is not without dangers! See reference 2. Remember to disable IPv6 from server configurations such as OpenSSH and Unbound, for example.

/etc/ssh/sshd_config#
# [ ... ]
AddressFamily inet
ListenAddress 0.0.0.0
# [ ... ]

OpenWRT#

You may want to disable IPv6 on OpenWrt because of DNS issues with recent Android OSes. Android uses the IPv6 DNSes advertised by an OpenWRT router even if you set a static IPv4 DNS.

See also

  • Be aware of Android’s shady IPv6 DNS - General - Pi-hole Userspace 3

  • [Solved] How can I completely disable ipv6 from LuCI? - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum 4

  1. login the LuCI web UI

  2. append this content to System -> Startup -> Local Startup before the exit 0 command

    sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

    Note

    The net.ipv6.conf.lo.disable_ipv6=1 option does not seem to have any effect on the loopback interface.

  3. reboot

Footnotes

1

https://askubuntu.com/a/309463 CC BY-SA 4.0, Copyright (c) 2013, 2018 Eric Carvalho, abu_bua (at askubuntu.com)

2

https://wiki.archlinux.org/title/IPv6#Disable_IPv6 GNU Free Documentation License 1.3 or later, Copyright (c) ArchWiki contributors

3

https://discourse.pi-hole.net/t/be-aware-of-androids-shady-ipv6-dns/36636 unknown license

4

https://forum.openwrt.org/t/solved-how-can-i-completely-disable-ipv6-from-l unknown license