Wednesday, December 15, 2010

How to disable ipv6 in Debian

Here are simple steps to disable ipv6 in Debian:
  1. Comment out anything related to ipv6 in /etc/hosts
  2. SSH. Ensure AddressFamily inet is set in /etc/ssh/sshd_config. Restart ssh.
  3. BIND. Ensure listen-on-v6 { none; }; in /etc/bind/named.conf.options. Restart bind9.
  4. NTP. Ensure -4 option is set in /etc/default/ntp (e.g. NTPD_OPTS='-4 -g'). Restart ntp.
  5. APACHE2. Ensure Listen 0.0.0.0:80 in /etc/apache2/ports.conf file. Restart apache2.
  6. RPCBIND (rpc.statd, rpc.mountd). Comment out the appropriate entries in /etc/netconfig:
    udp        tpi_clts      v     inet     udp     - -
    tcp        tpi_cots_ord  v     inet     tcp     - -
    #udp6       tpi_clts      v     inet6    udp    - -
    #tcp6       tpi_cots_ord  v     inet6    tcp    - -
    rawip      tpi_raw       -     inet      -      - -
    local      tpi_cots_ord  -     loopback  -      - -
    unix       tpi_cots_ord  -     loopback  -      - -
    
  7. PostgreSQL 9. Ensure ipv4 in listen_addresses (file /etc/postgresql/9.1/main/postgresql.conf):
    # - Connection Settings
    listen_addresses = '0.0.0.0'
    
    Comment out lines related to ipv6 (file /etc/postgresql/9.1/main/pg_hba.conf):
    # IPv6 local connections:
    #host  all     all     ::1/128   md5
    
    Restart postgresql.
  8. Disable ipv6 in kernel:
    echo net.ipv6.conf.all.disable_ipv6=1 \
    > /etc/sysctl.d/disableipv6.conf
    
  9. Disable ipv6 in kernel modules (file /etc/modprobe.d/aliases.conf):
    # alias net-pf-10 ipv6
    alias net-pf-10 off
    alias ipv6 off
    
The next time the system boots it will have ipv6 disabled. Let's verify it with:
netstat -tunlp
Here is a sample output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      895/named       
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      895/named       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      734/sshd        
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      895/named       
udp        0      0 192.168.10.2:53         0.0.0.0:*                           895/named       
udp        0      0 127.0.0.1:53            0.0.0.0:*                           895/named         
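
The check above can be scripted so that any remaining tcp6/udp6 socket is reported instead of being spotted by eye. This is an added example, not part of the original post; the function names ipv6_listeners and ipv6_sysctl_state and the SAMPLE data are made up for illustration.

```shell
#!/bin/sh
# Added example: report sockets still bound to IPv6 after the steps above.

# ipv6_listeners: read `netstat -tunlp` output on stdin and print
# "proto local_address owner" for every tcp6/udp6 row.
# Returns 1 if any IPv6 socket remains, 0 otherwise.
ipv6_listeners() {
    awk '
        $1 == "tcp6" || $1 == "udp6" {
            # Listening UDP rows have an empty State column, so the
            # PID/Program column starts one field earlier than for TCP.
            first = ($1 == "tcp6") ? 7 : 6
            owner = $first
            for (i = first + 1; i <= NF; i++) owner = owner " " $i
            # An owner of "-" means netstat saw no owning process: a
            # kernel socket, or netstat was not run as root.
            print $1, $4, owner
            found = 1
        }
        END { exit(found ? 1 : 0) }
    '
}

# ipv6_sysctl_state: report the setting written in step 8. The optional
# path argument only exists so the check can be pointed at a test file.
ipv6_sysctl_state() {
    f=${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    if [ ! -r "$f" ]; then
        echo absent        # no IPv6 sysctl tree present on this host
    elif [ "$(cat "$f")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Constructed sample in `netstat -tunlp` format (not captured from a host).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN      734/sshd
tcp6       0      0 :::40065        :::*            LISTEN      -
udp        0      0 0.0.0.0:111     0.0.0.0:*                   445/rpcbind
udp6       0      0 :::111          :::*                        445/rpcbind'

echo "sysctl: $(ipv6_sysctl_state)"
printf '%s\n' "$SAMPLE" | ipv6_listeners || echo "IPv6 sockets remain"
```

On a real host, run it as root with `netstat -tunlp | ipv6_listeners` in place of the sample; the non-zero return makes it usable in a boot-time or monitoring check.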
Read more about ipv6 here.

8 comments :

  1. Replies
    1. Practically, you don't need it... thus there is a way to get rid of it.

    2. Because my ISP does not support it and I hate error messages about it in logs.

  2. Thank you for the post. It helps me solve the NTP issue.

  3. Very much appreciated. The most straight-forward and concise how-to ever!

  4. Disabling Samba IPv6 listener in /etc/samba/smb.conf

    It is better to set interfaces to your network interface device than to the IP address:

    interfaces = eth0

    and bind it:

    bind interface only = yes

  5. This is great... but I still have one kernel process listening on a tcpv6 port, and I'm not sure why. Any ideas?:

    # netstat -tunlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 889/exim4
    tcp 0 0 0.0.0.0:60075 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 445/rpcbind
    tcp 0 0 0.0.0.0:58320 0.0.0.0:* LISTEN 460/rpc.statd
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 567/sshd
    tcp6 0 0 :::40065 :::* LISTEN -
    udp 0 0 0.0.0.0:620 0.0.0.0:* 445/rpcbind
    udp 0 0 127.0.0.1:637 0.0.0.0:* 460/rpc.statd
    udp 0 0 0.0.0.0:39934 0.0.0.0:* 460/rpc.statd
    udp 0 0 0.0.0.0:111 0.0.0.0:* 445/rpcbind
    root@new [/var/log]
    # uname -a
    Linux new 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) x86_64 GNU/Linux
    root@new [/var/log]
    # cat /etc/issue
    Debian GNU/Linux 8 \n \l

  6. Try to find out which processes are listening on these ports:
    lsof -iTCP -sTCP:LISTEN

    Once you know the process ID you can find the program that is running.
