Alright - absolutely NOT a network expert and I don't care if you agree, or even know, the reason for my total, complete and absolute dislike of the ipv6. Trust that my feelings on the matter will not change.
Here is how I have beaten down the ipv6 proliferation on my network systems running Ubuntu 16.04:
I'm not going to describe my initial attempts - such as ignoring it on my network interfaces, feeble attempts to not accept or forward it with iptables (though I did learn a VERY nice tip regarding ipv6 and iptables). If you haven't already done those things then you shouldn't do any of my suggestions here IMSHO.
URLs I found useful (there are others, these have worked for me):
Initial Pass: Disable it using sysctl directives
As user root, create or edit /etc/sysctl.d/99-idontlikeipv6.conf, adding the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Save the file then restart procps:
sudo service procps reload
Further down the spiral... (and why iptables just ain't enuf)
IPv6 and Linux Socket Listening (or how to tell if you have a problem)
Most people concerned about security will, at a minimum, run a firewall of some sort. I did, and thought that iptables was the best thing ever for process protection without lots of overhead.
Then I learned local processes, which bind to IPv4 and IPv6, are not 'protected', or prevented from receiving, IPv6 traffic by ANY iptable directives, as iptables only affects/blocks IPv4 traffic. To firewall IPv6 traffic you need to setup another rules file and load it via ip6tables. This is the file and load commands I used:
(As root) create or edit /etc/ip6tables.up.rules and add the following:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
Load it up:
sudo ip6tables-restore < /etc/ip6tables.up.rules
Check how it's looking:
netstat -atunp
This will show you any processes listening on your local machine - you want to look for the tcp6 and udp6 lines. You can filter the netstat output to those lines with:
netstat -atunp | egrep "tcp6|udp6"
When I did this I saw things such as:
tcp6 0 0 :::10000 :::* LISTEN 2353/perl
tcp6 0 0 :::113 :::* LISTEN 1399/oidentd
tcp6 0 0 :::631 :::* LISTEN 6620/cupsd
tcp6 0 0 :::17500 :::* LISTEN 6834/dropbox
udp6 0 0 :::5353 :::* 7160/chrome
udp6 0 0 :::5353 :::* 1120/avahi-daemon:
udp6 0 0 :::57956 :::* 1120/avahi-daemon:
along with still others. The rest of this is how I got rid of (some) them:
Look at netstat to see how you are doing. I still had a lot of things listening for IPv6 traffic. Processes like tomcat, apache2, rpcbind, cupsd, chrome...the list went on for a while. Disabling these each took a bit of investigation and work. I'll try to be brief.
- apache2: modify the Apache file ports.conf (mine was in /etc/apache2), adding an IP address after each Listen directive, before each port, with ':' as the delimiter. For example:
Listen 127.0.0.1:80
Listen 127.0.0.1:443
- tomcat/catalina: modify the server.xml file under conf/, adding an address attribute to each Connector element, like:
<Connector port="6969"
           address="8.8.8.8"
           redirectPort="8443" />
- postfix: modify the /etc/postfix/main.cf line for inet_protocols to read:
inet_protocols = ipv4
- bind9/named: locate your dns config file (might be several, you are on your own here) and add listen-on-v6 { none; }; close to/before/after a 'listen-on' directive. Mine was in /etc/bind/named.conf, some pages said to look/add it to a file called named.conf.options
- cups (cupsd, cups-browsed): edit /etc/cups/cupsd.conf and change the Port directive to a Listen directive carrying the address, as follows (NOTE: buyer beware, you might enjoy what cups gets you, if so you won't want to fuk it up):
Listen 127.0.0.1:631
- sshd: depends on the ssh server installed. I ran across two different ways to set this to only listen on IPv4 addresses.
- edit /etc/ssh/sshd_config so it has only one ListenAddress directive, and give it a specific IPv4 address or the 'any' value 0.0.0.0, like:
# ListenAddress ::
ListenAddress 4.4.4.4
- Set the AddressFamily directive to inet (make sure only one AddressFamily directive is enabled)
# AddressFamily any
AddressFamily inet
- ntp: edit /etc/default/ntp to have NTPD_OPTS start with -4, similar to:
NTPD_OPTS='-4 -g'
- rpcbind (rpc.statd, rpc.mountd): comment out lines that start with tcp6 or udp6
- avahi-daemon: I couldn't find any reason to allow it and it purged very easily... apt-get purge avahi-daemon
- chrome - this one was controlled through the UI - the following URL was key to nerfing its IPv6 trafficking: https://unix.stackexchange.com/questions/187294/chromium-browser-pepperflashplugin-opening-listening-ports-on-0-0-0-05353
use chrome to navigate to URL chrome://flags/#device-discovery-notifications and use the select list to choose 'disable' (or disabled, can't remember). Disabling this so-called "device discovery" feature turns off listening of mDNS port 5353/tcp. You need to relaunch Chromium / Google Chrome to make this take effect.
To have these changes take effect reboot your machine. There's other ways, but I'm too damn tired to go into the details and rebooting will either give you a machine with IPv6 suckers and putters - OR it'll give you a whole new set of problems to worry about.
NOTE: Knowledge is power, with hands it can be a powerful weapon. You assume all responsibility for fking your systems up by following any of the things in my post. njoy
-wc
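As an added example (not part of the post above, and not the author's script), the following shell helpers turn the "how to tell if you have a problem" step into something repeatable: one function classifies the tcp6/udp6 lines of `netstat -atunp` output as wildcard-bound (`:::port`), loopback-only (`::1:port`) or bound to a specific address, one reads the default chain policies back out of `ip6tables-save` output, and one checks a sysctl.d file for the three `disable_ipv6` keys. All function names are my own, and the three sample inputs at the bottom are constructed for the demo rather than captured from a real host. One point the classification makes visible: a `:::port` socket on a dual-stack Linux host is normally the IPv4 listener as well (IPv4 clients arrive as v4-mapped addresses), so a service on that list may lose its IPv4 side too if it is reconfigured carelessly.

```shell
#!/bin/sh
# Added example, not from the original post. Every function reads text on
# stdin, so it works on live output (netstat -atunp, ip6tables-save,
# cat /etc/sysctl.d/99-idontlikeipv6.conf) and on captured copies alike.

# Classify every tcp6/udp6 socket in `netstat -atunp` output.
#   WILDCARD = bound to :::port, reachable on every address (on a dual-stack
#              host this socket usually serves IPv4 clients as well)
#   LOOPBACK = bound to ::1:port, local only
#   SPECIFIC = bound to one global or link-local address
v6_listeners() {
  awk '
    $1 == "tcp6" || $1 == "udp6" {
      addr = $4; prog = $NF       # udp lines have no State column, $NF is still PID/Program
      if      (addr ~ /^:::[0-9]+$/)  scope = "WILDCARD"
      else if (addr ~ /^::1:[0-9]+$/) scope = "LOOPBACK"
      else                            scope = "SPECIFIC"
      print scope, $1, addr, prog
    }'
}

# Number of wildcard-bound IPv6 sockets in the netstat output on stdin.
wildcard_v6_count() {
  v6_listeners | awk '$1 == "WILDCARD" { n++ } END { print n + 0 }'
}

# Default policy of one filter-table chain, read from `ip6tables-save`
# output on stdin. Prints nothing if the chain is absent (rules never loaded).
ip6_policy() {
  awk -v chain=":$1" '
    /^\*/                             { table = $1 }
    table == "*filter" && $1 == chain { print $2; exit }'
}

# Print each key from REQUIRED_SYSCTLS that is not set to 1 in the
# sysctl.conf-style text on stdin. No output means the file is complete.
REQUIRED_SYSCTLS="net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6 net.ipv6.conf.lo.disable_ipv6"
sysctl_missing() {
  awk -v want="$REQUIRED_SYSCTLS" '
    BEGIN { n = split(want, keys, " ") }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { line = $0; gsub(/[ \t]/, "", line); eq = index(line, "=")
      if (eq > 0) seen[substr(line, 1, eq - 1)] = substr(line, eq + 1) }
    END { for (i = 1; i <= n; i++) if (seen[keys[i]] != "1") print keys[i] }'
}

# --- constructed sample inputs (not captured from a real machine) ---
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      6620/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1021/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      6620/cupsd
tcp6       0      0 fe80::1:8080            :::*                    LISTEN      2201/java
udp6       0      0 :::5353                 :::*                                1120/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           981/dhclient'

SAMPLE_IP6TABLES='# Generated by ip6tables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed'

SAMPLE_SYSCTL='# 99-idontlikeipv6.conf with the lo line forgotten
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1'

# Demo run against the samples; on a live box replace the printf with the
# real commands, e.g.  netstat -atunp | v6_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | v6_listeners
printf 'wildcard v6 sockets: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_v6_count)"
printf 'ip6tables INPUT policy: %s\n' "$(printf '%s\n' "$SAMPLE_IP6TABLES" | ip6_policy INPUT)"
printf 'sysctl keys still missing: %s\n' "$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_missing)"
```

On the sample data the classifier reports sshd and avahi as WILDCARD, cupsd as LOOPBACK and the java process as SPECIFIC, `ip6_policy INPUT` answers DROP, and `sysctl_missing` names the forgotten `net.ipv6.conf.lo.disable_ipv6` key. Run the real commands through the same functions before and after the per-service changes listed in the post to confirm each one actually took.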
ip6tables rules wouldn't be a better and simpler solution. – Sander Steffann Sep 04 '16 at 21:51