IPv6#

Filtering#

GNU/Linux#

To filter all IPv6 packets except ICMPv6 messages, run these commands.

  1. filter all IPv6 packets

    ip6tables --policy INPUT DROP
    ip6tables --policy FORWARD DROP
    ip6tables --policy OUTPUT ACCEPT
    ip6tables --append INPUT --in-interface lo --jump ACCEPT
    ip6tables --append OUTPUT --out-interface lo --jump ACCEPT
    
  2. accept ICMPv6 messages

    ip6tables --append INPUT --protocol ipv6-icmp --jump ACCEPT
    
  3. save the rules

    dpkg-reconfigure iptables-persistent
    

Disabling#

See this youtube video

GNU/Linux#

See also

  • networking - How to disable IPv6 permanently? - Ask Ubuntu [1]

  • IPv6 - ArchWiki [2]

  1. append these lines to the Sysctl configuration file

    /etc/sysctl.conf#
    # Disable IPv6.
    net.ipv6.conf.lo.disable_ipv6 = 1
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    
  2. reload the configuration

    sysctl -p /etc/sysctl.conf
    
  3. comment IPv6 hosts in /etc/hosts

  4. reboot and check that everything still works

Warning

Disabling IPv6 on a server is not without dangers! See reference 2. Remember to disable IPv6 from server configurations such as OpenSSH and Unbound, for example.

/etc/ssh/sshd_config#
# [ ... ]
AddressFamily inet
ListenAddress 0.0.0.0
# [ ... ]

OpenWRT#

You may want to disable IPv6 on OpenWrt because of DNS issues with recent Android OSes. Android uses the IPv6 DNSes advertised by an OpenWRT router even if you set a static IPv4 DNS.

See also

  • Be aware of Android’s shady IPv6 DNS - General - Pi-hole Userspace [3]

  • [Solved] How can I completely disable ipv6 from LuCI? - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum [4]

  1. login the LuCI web UI

  2. append this content to System -> Startup -> Local Startup before the exit 0 command

    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    sysctl -w net.ipv6.conf.default.disable_ipv6=1
    

    Note

    The net.ipv6.conf.lo.disable_ipv6=1 option does not seem to have any effect on the loopback interface.

  3. reboot

Footnotes