First, why kill IPV6 in your home network? Isn’t it the way and the light and the future?
Note: NAT is Network Address Translation – the router hides your internal address and uses only its external address for communications, then when information returns, sends it only to the computer that originated that request. By default it prevents an external party from pushing bits at your machine, as there is no “reverse table” to tell the router to whom those bits ought to be sent. The router only makes a table entry for the specific target and port you first established as your destination.
Reason for disabling
Avoiding IPv6 leak when using IPv4-only VPN
In the presence of both IPv4 and IPv6, the priority is to use the IPv6 path first before falling back to IPv4. This can be a problem when used in conjunction with VPN where most VPN providers are still providing IPv4 service exclusively. An IPv6-enabled machine will bypass the VPN.
Need implicit firewall with NAT
IPv6 no longer uses NAT; all devices are Internet routable. The implicit protection offered by NAT in IPv4 is now gone. This means the overall network security setup needs a rethink prior to introducing IPv6.
Disabling IPv6 at the router is an easy way to turn this off for all devices, but you may want to selectively enable it on some.
I have had IPv6 disabled at my routers essentially “forever”. I run an IPv4 shop and have no need for an IPv6 address or routing. I don’t care about the IdIOT devices on the “internet of things”, and to the extent only running IPv4 thwarts them, all the better. I LIKE my NAT firewall and I do not want my machine address routing all over the world. Just the firewall address and / or proxy server. All attacks to be focused only on them.
So how to do it?
Supposedly it is very easy:
Firstly, check for presence of IPv6 using ifconfig. You should be seeing a few lines containing inet6 addr: ….
To disable, edit a file: sudo nano /etc/sysctl.conf
Add the following line:
net.ipv6.conf.all.disable_ipv6 = 1
For the change to take effect without rebooting:
sudo sysctl -p
Verify that IPv6 address does not show up in ifconfig.
Personally I just sudo bash and then do all the commands I want instead of a sudo in front of each one; and I find the nano editor a pain. Decades ago my fingers learned “vi” and they just do it… so I vi /etc/sysctl.conf and added that line. Then did the sysctl -p and it all worked fine.
Until I rebooted… and then it was all back again…
This site made a different claim:
As I’m on Devuan, I look for “How To” on older Debian releases before it got all SystemD junked up…
If you do sysctl -p, the reboot isn’t necessary. It worked for me, but I prefer to keep params in single file, so I put the line above in the sysctl.conf file.
Just to be sure, I put a line about every device, so my solution is adding the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.ppp0.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
Thanks for this! For some reason, on my Raspberry Pi just disabling via net.ipv6.conf.all.disable_ipv6 didn’t work; adding an explicit line for my adapter did the trick!
Tried that… it also did not survive the reboot. I took the expedient way out and just put sysctl -p into my rc.local file:
root@odroidxu4:/# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sysctl -p
exit 0
After a reboot, no IPv6:
root@odroidxu4:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1e:06:31:aa:27
          inet addr:10.66.6.66  Bcast:10.66.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5616 (5.4 KiB)  TX bytes:5462 (5.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
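A check script, added here and not from the original post or the sites quoted above, that tests the two things a reboot can disagree on: what /etc/sysctl.conf asks for, and what the running kernel actually reports in /proc/sys/net/ipv6/conf/*/disable_ipv6 (the values sysctl -p writes). Interface names and the sample config are constructed; run it with --live after a reboot to see which side lost.

```shell
#!/bin/sh
# Checks whether IPv6 is really off: (a) what /etc/sysctl.conf asks for,
# (b) what the kernel reports in /proc/sys/net/ipv6/conf/*/disable_ipv6.
# Interface names used in the self-check are constructed examples.

# Read sysctl.conf-style text on stdin; print each interface whose
# net.ipv6.conf.<iface>.disable_ipv6 line is set to 1 (comments ignored).
conf_disabled_ifaces() {
  sed -e 's/#.*//' | awk -F'[ =]+' '
    /^net\.ipv6\.conf\.[^.]+\.disable_ipv6/ && $2 == 1 {
      split($1, p, "."); print p[4]
    }'
}

# Exit 0 if interface $1 is disabled in the config text on stdin.
conf_has_disabled() {
  conf_disabled_ifaces | grep -qx "$1"
}

# Exit 0 if every interface under $1 (default: the live /proc tree)
# reports disable_ipv6=1; prints the first offender otherwise.
live_all_disabled() {
  dir=${1:-/proc/sys/net/ipv6/conf}
  [ -d "$dir" ] || return 0          # no IPv6 stack loaded at all
  for f in "$dir"/*/disable_ipv6; do
    [ -f "$f" ] || continue
    [ "$(cat "$f")" = 1 ] || { echo "IPv6 still enabled: $f"; return 1; }
  done
  return 0
}

# Self-check when run directly with --live: compare config intent
# against the kernel's current state (what to run after a reboot).
if [ "${1:-}" = "--live" ]; then
  for i in all default; do
    conf_has_disabled "$i" < /etc/sysctl.conf \
      || echo "sysctl.conf does not disable IPv6 for '$i'"
  done
  live_all_disabled && echo "kernel: IPv6 disabled on every interface"
fi
```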
But really… this just smells like Kludge to me. There’s gotta be a better way…
Why did this come up now? Well, as part of that Pocket PiHole thing. As IT is going to be my personal firewall / gateway / router etc. etc. I wanted only IPV4 running on it, too. It simplifies the firewall design in some ways. Only one protocol. No NAT bypass. etc. etc…
So I got my Round Tuit for shutting off the various things chatting IPv6 into my local isolated network and having it all stopped at the NATing Router. They would “talk among themselves” I guess, but why waste those bits? So off I went to shut it off. It was not quite as easy as I’d hoped… or I’ve missed something.
Any better ideas or insights welcomed.