Service?
Usually we'd ask support to turn off the IPv6 and that would be that.
Maybe it was today's stress or whatnot, or maybe because I was asking for 10 nodes to be touched… but I get this answer:
Oh well for customer service.
__Greetings,
Thank you for taking the time to contact us. We've been disabling IPv6 on your Linodes in the past as a courtesy. However, we must ask that you disable IPv6 on each Linode by killing off the routes and disabling autoconfiguration and accepting of router advertisements.
To accomplish this you would want to issue these commands:
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
You would then want to add these lines to the end of '/etc/sysctl.conf':
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
Finally you'll either want to reboot your Linode, or manually remove IPv6 from your networking:
ip -6 addr del
ip -6 route flush dev eth0
I hope this helps! If we can be of any further assistance don't hesitate to contact us.
Regards,
Tim__
- If your VPS is in the Fremont DC, it may or may not be available to fully enjoy that fast Linode experience.
> Oh well for customer service.
Whatever. If they went in and touched your VPS to make configuration changes without additional compensation, they went above and beyond what they advertise for their service. Linode is un-managed. You are your administrator. I wouldn't dare ask them to make any configuration changes to my servers. If I don't know how, I'll figure it out. They manage the network and the physical host, not your VPS.
The fact that they still provided detailed instructions on how to do it yourself is nice, because some unmanaged hosts would just refuse to do it and leave you to figure it out for yourself.
You can do it on the network config level, firewall level, application level… your choice.
For the OP, IPv6 autoconfiguration is based on router availability broadcasts, so it's not quite the same as a DHCP process, for example. A central router, or routers, broadcast availability, and then the individual clients hear that and automatically pick addresses. So there's no central knob to block/configure any individual client node, as it's all based around a common broadcast.
So while you may not have realized it, your request to Linode was essentially a request for guest-level changes. That's why many responses here are talking about the un-managed nature of a Linode. I suppose Linode could configure hosts to manually filter IPv6 traffic on behalf of a guest, but as with IPv4 filtering, that's not something the hosts currently get involved with.
At this point (at least at the IPv6 enabled data centers), spinning up a Linode is the same as using pretty much any PC with a current OS on an IPv6 enabled network, where the client is going to see IPv6 availability, and it's up to the client configuration how it uses that. In most cases that will mean obtaining an auto-configured address.
As Azathoth noted, this process can be blocked on your Linode at multiple levels, one of which Linode supplied details on (stopping the auto-configuration process). For myself, on nodes I don't want to worry about IPv6 on, I tend to just block it at the firewall level, but that's just personal preference.
– David
@db3l:
-snip - For myself, on nodes I don't want to worry about IPv6 on, I tend to just block it at the firewall level -snip-
– David
iptables v4 is a struggle for me - is there a simple IPv6 line that blocks IPv6 at the firewall level?
Hope this is ok to ask here as it is somewhat different from OP.
@bozo:
iptables v4 is a struggle for me - is there a simple IPv6 line that blocks IPv6 at the firewall level?
The approach of the original post would be my first recommendation, from a practical standpoint. However, this will drop all IPv6 traffic as well:
ip6tables -F
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
Basically, same as you'd do for IPv4, but with "ip6tables" instead of "iptables".
@hoopycat:
Basically, same as you'd do for IPv4, but with "ip6tables" instead of "iptables".
For myself, I think just the DROP policy rules are sufficient (and really, the INPUT table is the only critical one). If you're trying to ignore IPv6, it doesn't really matter if loopback works.
Blocking input packets will also block the routing announcements and most likely prevent an autoconfiguration address from being selected (though there may be a race condition at startup depending on when the tables are loaded).
– David
@bozo:
Thanks Hoopy and db3l - I have gone with the OP solution, did a reboot and the server comes back up OK. I still have the public IPv6 in my dashboard but trust it is disconnected.
Don't trust – check. Run "ip -6 addr" and see if there are any public IPv6 addresses.
@mnordhoff:
Don't trust – check. Run "ip -6 addr" and see if there are any public IPv6 addresses.
I was thinking about checking a little later, but thanks - this is what I found:
:~$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2600:3c03::f03c:ZZZZ:YYY:XXXX/64 scope global dynamic
       valid_lft 43122sec preferred_lft 43122sec
    inet6 fe80::f03c:ZZZZ:YYY:XXXX/64 scope link
       valid_lft forever preferred_lft forever
(X,Y,Z redacted)
So … I am out of my depth here but it looks like it is still up?
@bozo:
So … I am out of my depth here but it looks like it is still up?
Yes, it does. Did you edit /etc/sysctl.conf? If you just ran the 'echo' or 'ip' commands, they'll be forgotten on reboot and it'll get re-enabled.
@db3l:
For myself, I think just the DROP policy rules are sufficient (and really, the INPUT table is the only critical one). If you're trying to ignore IPv6, it doesn't really matter if loopback works.
It is becoming common to treat IPv4 as a subset of IPv6 within applications. For example, your web server likely binds itself to TCP6 socket [::]:80 instead of to TCP 0.0.0.0:80, which will handle the IPv4-only, dual-stack, and IPv6-only cases with one socket. Likewise, even if you disable external IPv6 connectivity, there could still be IPv6 going across the loopback if two IPv6-aware applications want to talk to each other.
I don't know if this actually happens in practice; logging might be a good idea. I personally err to the side of not breaking localhost, since I've done it before and things get very bizarre. But I also treat IPv4 and IPv6 as equivalent security surfaces, so I haven't tried totally blocking IPv6 yet either.
@hoopycat:
It is becoming common to treat IPv4 as a subset of IPv6 within applications. For example, your web server likely binds itself to TCP6 socket [::]:80 instead of to TCP 0.0.0.0:80, which will handle the IPv4-only, dual-stack, and IPv6-only cases with one socket.
I agree that behavior can occur, but am not sure how prevalent it is as a default yet, though I have to admit to not knowing what current distribution releases have as default config files, as most of my current configuration files began life quite a bit in the past.
I know my web server (nginx) only includes IPv6 if explicitly asked to (with "[::]"), and even recent versions - 1.0.3 is the last source tree I have handy - have sample configs that only use IPv4 by default. Of course, yes, if enabled, IPv4 and IPv6 can share a socket.
For daemons that might include IPv6 by default, I'm pretty sure they could bind the socket regardless of the state of the filter table, and I'm not sure I'd care if it were on a node I was blocking IPv6 on, since I'm not likely to try to do something there that needs IPv6.
I do certainly agree that leaving loopback open is unlikely to cause a problem either. It just didn't seem particularly necessary if the goal was to disable IPv6 on a node.
– David
(Edit)
PS: Of course, in thinking about it (and perhaps relevant in the context of this thread), I suppose it's precisely because I don't want to accidentally miss some daemon choosing to include IPv6 without my realizing it (and bypassing my IPv4 filters) that makes me set all the ip6table chain policies to DROP :-)
@mnordhoff:
@bozo: So … I am out of my depth here but it looks like it is still up?
Yes, it does. Did you edit /etc/sysctl.conf? If you just ran the 'echo' or 'ip' commands, they'll be forgotten on reboot and it'll get re-enabled.
Yes I did. Actually I have just repeated the whole process just in case and it is still there.
@db3l:
I do certainly agree that leaving loopback open is unlikely to cause a problem either. It just didn't seem particularly necessary if the goal was to disable IPv6 on a node.
Is the goal to disable it on an entire system, or just on the externally-facing network interfaces? The former probably involves recompiling the kernel.
(Note: there's also net.ipv6.conf.*.disable_ipv6, which seems like it might do something. I ain't touchin' it.)
@bozo:
Yes I did. Actually I have just repeated the whole process just in case and it is still there.
What is the output of:
$ sysctl -A | grep ^net.ipv6.conf
? This will list what the kernel thinks it should be doing.
@hoopycat:
@bozo: Yes I did. Actually I have just repeated the whole process just in case and it is still there.
What is the output of:
$ sysctl -A | grep ^net.ipv6.conf
? This will list what the kernel thinks it should be doing.
Here it is (apologies it's long):
# sysctl -A | grep ^net.ipv6.conf
error: "Invalid argument" reading key "fs.binfmt_misc.register"
error: permission denied on key 'net.ipv4.route.flush'
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.router_solicitations = 3
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.all.temp_valid_lft = 604800
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.all.regen_max_retry = 5
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.accept_dad = 1
net.ipv6.conf.all.force_tllao = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.default.mtu = 1280
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 1
net.ipv6.conf.default.router_solicitations = 3
net.ipv6.conf.default.router_solicitation_interval = 4
net.ipv6.conf.default.router_solicitation_delay = 1
net.ipv6.conf.default.force_mld_version = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.temp_prefered_lft = 86400
net.ipv6.conf.default.regen_max_retry = 5
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.default.max_addresses = 16
net.ipv6.conf.default.accept_ra_defrtr = 1
net.ipv6.conf.default.accept_ra_pinfo = 1
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.default.accept_dad = 1
net.ipv6.conf.default.force_tllao = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.lo.mtu = 16436
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.accept_redirects = 1
net.ipv6.conf.lo.autoconf = 1
net.ipv6.conf.lo.dad_transmits = 1
net.ipv6.conf.lo.router_solicitations = 3
net.ipv6.conf.lo.router_solicitation_interval = 4
net.ipv6.conf.lo.router_solicitation_delay = 1
net.ipv6.conf.lo.force_mld_version = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.lo.temp_valid_lft = 604800
net.ipv6.conf.lo.temp_prefered_lft = 86400
net.ipv6.conf.lo.regen_max_retry = 5
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv6.conf.lo.max_addresses = 16
net.ipv6.conf.lo.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra_pinfo = 1
net.ipv6.conf.lo.proxy_ndp = 0
net.ipv6.conf.lo.accept_source_route = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.lo.accept_dad = -1
net.ipv6.conf.lo.force_tllao = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.eth0.mtu = 1500
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.dad_transmits = 1
net.ipv6.conf.eth0.router_solicitations = 3
net.ipv6.conf.eth0.router_solicitation_interval = 4
net.ipv6.conf.eth0.router_solicitation_delay = 1
net.ipv6.conf.eth0.force_mld_version = 0
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth0.temp_valid_lft = 604800
net.ipv6.conf.eth0.temp_prefered_lft = 86400
net.ipv6.conf.eth0.regen_max_retry = 5
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.eth0.max_addresses = 16
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.proxy_ndp = 0
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.accept_dad = 1
net.ipv6.conf.eth0.force_tllao = 0
net.ipv6.conf.dummy0.forwarding = 0
net.ipv6.conf.dummy0.hop_limit = 64
net.ipv6.conf.dummy0.mtu = 1500
net.ipv6.conf.dummy0.accept_ra = 1
net.ipv6.conf.dummy0.accept_redirects = 1
net.ipv6.conf.dummy0.autoconf = 1
net.ipv6.conf.dummy0.dad_transmits = 1
net.ipv6.conf.dummy0.router_solicitations = 3
net.ipv6.conf.dummy0.router_solicitation_interval = 4
net.ipv6.conf.dummy0.router_solicitation_delay = 1
net.ipv6.conf.dummy0.force_mld_version = 0
net.ipv6.conf.dummy0.use_tempaddr = 0
net.ipv6.conf.dummy0.temp_valid_lft = 604800
net.ipv6.conf.dummy0.temp_prefered_lft = 86400
net.ipv6.conf.dummy0.regen_max_retry = 5
net.ipv6.conf.dummy0.max_desync_factor = 600
net.ipv6.conf.dummy0.max_addresses = 16
net.ipv6.conf.dummy0.accept_ra_defrtr = 1
net.ipv6.conf.dummy0.accept_ra_pinfo = 1
net.ipv6.conf.dummy0.proxy_ndp = 0
net.ipv6.conf.dummy0.accept_source_route = 0
net.ipv6.conf.dummy0.disable_ipv6 = 0
net.ipv6.conf.dummy0.accept_dad = -1
net.ipv6.conf.dummy0.force_tllao = 0
net.ipv6.conf.teql0.forwarding = 0
net.ipv6.conf.teql0.hop_limit = 64
net.ipv6.conf.teql0.mtu = 1500
net.ipv6.conf.teql0.accept_ra = 1
net.ipv6.conf.teql0.accept_redirects = 1
net.ipv6.conf.teql0.autoconf = 1
net.ipv6.conf.teql0.dad_transmits = 1
net.ipv6.conf.teql0.router_solicitations = 3
net.ipv6.conf.teql0.router_solicitation_interval = 4
net.ipv6.conf.teql0.router_solicitation_delay = 1
net.ipv6.conf.teql0.force_mld_version = 0
net.ipv6.conf.teql0.use_tempaddr = 0
net.ipv6.conf.teql0.temp_valid_lft = 604800
net.ipv6.conf.teql0.temp_prefered_lft = 86400
net.ipv6.conf.teql0.regen_max_retry = 5
net.ipv6.conf.teql0.max_desync_factor = 600
net.ipv6.conf.teql0.max_addresses = 16
net.ipv6.conf.teql0.accept_ra_defrtr = 1
net.ipv6.conf.teql0.accept_ra_pinfo = 1
net.ipv6.conf.teql0.proxy_ndp = 0
net.ipv6.conf.teql0.accept_source_route = 0
net.ipv6.conf.teql0.disable_ipv6 = 0
net.ipv6.conf.teql0.accept_dad = -1
net.ipv6.conf.teql0.force_tllao = 0
net.ipv6.conf.tunl0.forwarding = 0
net.ipv6.conf.tunl0.hop_limit = 64
net.ipv6.conf.tunl0.mtu = 1480
net.ipv6.conf.tunl0.accept_ra = 1
net.ipv6.conf.tunl0.accept_redirects = 1
net.ipv6.conf.tunl0.autoconf = 1
net.ipv6.conf.tunl0.dad_transmits = 1
net.ipv6.conf.tunl0.router_solicitations = 3
error: permission denied on key 'net.ipv6.route.flush'
net.ipv6.conf.tunl0.router_solicitation_interval = 4
net.ipv6.conf.tunl0.router_solicitation_delay = 1
net.ipv6.conf.tunl0.force_mld_version = 0
net.ipv6.conf.tunl0.use_tempaddr = -1
net.ipv6.conf.tunl0.temp_valid_lft = 604800
net.ipv6.conf.tunl0.temp_prefered_lft = 86400
net.ipv6.conf.tunl0.regen_max_retry = 5
net.ipv6.conf.tunl0.max_desync_factor = 600
net.ipv6.conf.tunl0.max_addresses = 16
net.ipv6.conf.tunl0.accept_ra_defrtr = 1
net.ipv6.conf.tunl0.accept_ra_pinfo = 1
net.ipv6.conf.tunl0.proxy_ndp = 0
net.ipv6.conf.tunl0.accept_source_route = 0
net.ipv6.conf.tunl0.disable_ipv6 = 0
net.ipv6.conf.tunl0.accept_dad = -1
net.ipv6.conf.tunl0.force_tllao = 0
net.ipv6.conf.gre0.forwarding = 0
net.ipv6.conf.gre0.hop_limit = 64
net.ipv6.conf.gre0.mtu = 1476
net.ipv6.conf.gre0.accept_ra = 1
net.ipv6.conf.gre0.accept_redirects = 1
net.ipv6.conf.gre0.autoconf = 1
net.ipv6.conf.gre0.dad_transmits = 1
net.ipv6.conf.gre0.router_solicitations = 3
net.ipv6.conf.gre0.router_solicitation_interval = 4
net.ipv6.conf.gre0.router_solicitation_delay = 1
net.ipv6.conf.gre0.force_mld_version = 0
net.ipv6.conf.gre0.use_tempaddr = 0
net.ipv6.conf.gre0.temp_valid_lft = 604800
net.ipv6.conf.gre0.temp_prefered_lft = 86400
net.ipv6.conf.gre0.regen_max_retry = 5
net.ipv6.conf.gre0.max_desync_factor = 600
net.ipv6.conf.gre0.max_addresses = 16
net.ipv6.conf.gre0.accept_ra_defrtr = 1
net.ipv6.conf.gre0.accept_ra_pinfo = 1
net.ipv6.conf.gre0.proxy_ndp = 0
net.ipv6.conf.gre0.accept_source_route = 0
net.ipv6.conf.gre0.disable_ipv6 = 0
net.ipv6.conf.gre0.accept_dad = -1
net.ipv6.conf.gre0.force_tllao = 0
net.ipv6.conf.sit0.forwarding = 0
net.ipv6.conf.sit0.hop_limit = 64
net.ipv6.conf.sit0.mtu = 1480
net.ipv6.conf.sit0.accept_ra = 1
net.ipv6.conf.sit0.accept_redirects = 1
net.ipv6.conf.sit0.autoconf = 1
net.ipv6.conf.sit0.dad_transmits = 1
net.ipv6.conf.sit0.router_solicitations = 3
net.ipv6.conf.sit0.router_solicitation_interval = 4
net.ipv6.conf.sit0.router_solicitation_delay = 1
net.ipv6.conf.sit0.force_mld_version = 0
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.sit0.temp_valid_lft = 604800
net.ipv6.conf.sit0.temp_prefered_lft = 86400
net.ipv6.conf.sit0.regen_max_retry = 5
net.ipv6.conf.sit0.max_desync_factor = 600
net.ipv6.conf.sit0.max_addresses = 16
net.ipv6.conf.sit0.accept_ra_defrtr = 1
net.ipv6.conf.sit0.accept_ra_pinfo = 1
net.ipv6.conf.sit0.proxy_ndp = 0
net.ipv6.conf.sit0.accept_source_route = 0
net.ipv6.conf.sit0.disable_ipv6 = 0
net.ipv6.conf.sit0.accept_dad = -1
net.ipv6.conf.sit0.force_tllao = 0
net.ipv6.conf.ip6tnl0.forwarding = 0
net.ipv6.conf.ip6tnl0.hop_limit = 64
net.ipv6.conf.ip6tnl0.mtu = 1452
net.ipv6.conf.ip6tnl0.accept_ra = 1
net.ipv6.conf.ip6tnl0.accept_redirects = 1
net.ipv6.conf.ip6tnl0.autoconf = 1
net.ipv6.conf.ip6tnl0.dad_transmits = 1
net.ipv6.conf.ip6tnl0.router_solicitations = 3
net.ipv6.conf.ip6tnl0.router_solicitation_interval = 4
net.ipv6.conf.ip6tnl0.router_solicitation_delay = 1
net.ipv6.conf.ip6tnl0.force_mld_version = 0
net.ipv6.conf.ip6tnl0.use_tempaddr = -1
net.ipv6.conf.ip6tnl0.temp_valid_lft = 604800
net.ipv6.conf.ip6tnl0.temp_prefered_lft = 86400
net.ipv6.conf.ip6tnl0.regen_max_retry = 5
net.ipv6.conf.ip6tnl0.max_desync_factor = 600
net.ipv6.conf.ip6tnl0.max_addresses = 16
net.ipv6.conf.ip6tnl0.accept_ra_defrtr = 1
net.ipv6.conf.ip6tnl0.accept_ra_pinfo = 1
net.ipv6.conf.ip6tnl0.proxy_ndp = 0
net.ipv6.conf.ip6tnl0.accept_source_route = 0
net.ipv6.conf.ip6tnl0.disable_ipv6 = 0
net.ipv6.conf.ip6tnl0.accept_dad = -1
net.ipv6.conf.ip6tnl0.force_tllao = 0
@bozo:
Here it is (apologies it's long):
Huh.
Try adding, to your sysctl.conf, net.ipv6.conf.eth0.accept_ra = 0 and net.ipv6.conf.eth0.autoconf = 0… same as the others, just with eth0 in place of default/all. I never did trust Linux's idea of "all"
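A small audit script, added here and not code from the thread or from Linode, that checks the two things this thread ends up needing: the per-interface accept_ra/autoconf values that the "all"/"default" settings left untouched (the eth0 lines in the sysctl dump above), and whether a global-scope address is still present as in the earlier "ip -6 addr" output. The interface names and both sample outputs are constructed from the thread's own examples; audit_live runs the same checks on a real host.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Linode). Both parsers read
# command output on stdin, so they run offline on the constructed samples
# below and against a live host via audit_live.

# Constructed sample in the format of "sysctl -a | grep ^net.ipv6.conf",
# mirroring the thread's finding: all/default are 0 but eth0 is still 1.
SAMPLE_SYSCTL='net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.disable_ipv6 = 0'

# Constructed sample in the format of "ip -6 addr" (address digits redacted).
SAMPLE_IPADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2600:3c03::f03c:ZZZZ:YYY:XXXX/64 scope global dynamic
       valid_lft 43122sec preferred_lft 43122sec
    inet6 fe80::f03c:ZZZZ:YYY:XXXX/64 scope link
       valid_lft forever preferred_lft forever'

# Print "iface key" for every real interface whose accept_ra or autoconf is 1.
# The all/default pseudo-interfaces and lo are skipped: lo never receives a
# router advertisement, and for eth0 it is the per-interface value that counts.
ra_autoconf_enabled() {
    awk -F'[ .=]+' '$5 ~ /^(accept_ra|autoconf)$/ && $6 == 1 &&
        $4 != "all" && $4 != "default" && $4 != "lo" { print $4, $5 }'
}

# Print "iface address/prefix" for every global-scope IPv6 address.
# ::1 and link-local fe80:: addresses are ignored; they do not come from an RA.
global_ipv6_addrs() {
    awk '/^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
         /^ *inet6 / && /scope global/ { print iface, $2 }'
}

# Succeeds (exit 0) only when no interface still accepts RAs/autoconf AND no
# global address is present. A sysctl change alone does not drop an address
# that is already assigned; "ip -6 addr flush dev eth0" or a reboot does.
ipv6_is_off() {
    [ -z "$(printf '%s\n' "$1" | ra_autoconf_enabled)" ] &&
    [ -z "$(printf '%s\n' "$2" | global_ipv6_addrs)" ]
}

# Run the same checks against the live host (reading sysctl needs no root).
audit_live() {
    ipv6_is_off "$(sysctl -a 2>/dev/null | grep '^net.ipv6.conf')" "$(ip -6 addr)"
}

printf '%s\n' "$SAMPLE_SYSCTL" | ra_autoconf_enabled   # eth0 accept_ra / eth0 autoconf
printf '%s\n' "$SAMPLE_IPADDR" | global_ipv6_addrs     # eth0 2600:3c03::.../64
```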