3 easy methods to disable ipv6 in Linux with best practices

In this tutorial I will share the steps required to disable IPv6 completely from your Linux server. There are couple of methods to achieve this requirement, I will share the ones which I am familiar with. Normally we disable IPv6 in the network but we somehow miss to update this on other dependent configuration files such as /etc/hosts, sshd_config file etc. So it is important that you update all the dependent configuration files to not use IPv6 any more.

You may also read my previous article to configure IPv6 address in Linux.

 

1. Disable IPv6 using grubby (Requires reboot)

In this example we will use grubby command to update the kernel boot entries and disable IPv6. grubby command is very user friendly and can be used for automation via scripts. We will use below command to update the kernel arguments of the DEFAULT kernel with ipv6.disable=1. This parameter will make sure that IPv6 is disabled on the next reboot.

# grubby --args ipv6.disable=1 --update-kernel DEFAULT

Verify the updated entries of kernel arguments on the default kernel

# grubby --info DEFAULT

Below is a snippet from my server terminal

Disable IPv6 using GRUBBY
Disable IPv6 using GRUBBY

Next reboot the server and post reboot check the output for below command

# sysctl -a | grep -i ipv6

You should get empty output which means that all the ipv6 modules are unloaded from the kernel

Next go to the last section of this tutorial to disable IPv6 across different configuration files

 

2. Disable IPv6 using GRUB2 configuration (Requires Reboot)

In this section we will use GRUB2 configuration to disable IPv6 completely. You need to append ipv6.disable=1 at the end of line with GRUB_CMDLINE_LINUX in /etc/default/grub file. You can use below sed for this purpose as I have used below or manually open the file using any editor and append:

# sed '/GRUB_CMDLINE_LINUX/ s/"$/ ipv6.disable=1"/' /etc/default/grub

Now verify if ipv6.disable=1 was properly added:

# grep ipv6 /etc/default/grub
GRUB_CMDLINE_LINUX="resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet biosdevname=0 net.ifnames=0 ipv6.disable=1"

Next rebuild your grub2 configuration file:

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done

Next reboot your server and check the output for below command

# sysctl -a | grep -i ipv6

You should get empty output which means that all the ipv6 modules are unloaded from the kernel

Next go to the last section of this tutorial to disable IPv6 across different configuration files

 

3. Disable IPv6 using sysctl (Without Reboot)

This is another method to disable IPv6 but in this case we don't unload the IPv6 modules as we did with above methods, instead we will just disable IPv6 so that it cannot be configured or used.

NOTE:

This method may break SSH Xforwarding unless sshd_config contains AddressFamily inet. So if you are planning to use this method and are also using XForwarding then it is strongly recommended to add "AddressFamily inet" in /etc/ssh/sshd_config and restart the sshd service

Before I start, you can check that currently an inet6 address is assigned to my eth0 interface

How to disable Ipv6 in Linux
Available inet6 address

To disable IPv6 runtime, append 1 to the below sysctl configuration files

# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Next you can verify, you will not see inet6 when you list the available interfaces and their IP addresses with ip a command

how to disable ipv6
ipv6 in disabled state with sysctl

As you see, there is no inet6 interface for eth0 anymore.

So IPv6 is disabled without any reboot. But these changes are not persistent across reboot so to make it permanent we need to add these to sysctl configuration file. Create a new config file inside /etc/sysctl.d/ and add below lines

# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Next execute sysctl -p to update the configuration (anyhow since we have manually added 1 to these entries earlier, you may skip this step)

# sysctl -p /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Create a backup of the initramfs:

# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).bak.$(date +%m-%d-%H%M%S).img

Then rebuild the Initial RAM Disk Image using, this command may give a long list of output on the screen:

# dracut -f -v

Verify the content of initramfs to make sure the newly added sysctl configuration file is part of the initramfs

# lsinitrd /boot/initramfs-$(uname -r).img  | grep 'etc/sysctl.d/98-disable_ipv6.conf'
-rw-r--r--   1 root     root           75 Sep  6  2019 etc/sysctl.d/98-disable_ipv6.conf

Now even if your server is rebooted, the IPv6 changes will be persistent across reboot.

Lastly go to the next section of this tutorial to disable IPv6 across different configuration files

 

4. Disable IPv6 across Linux configuration files

Now since you have disabled IPv6 in the network, you should also consider to disable the same across multiple Linux configuration files or you may get different errors reported on your Linux server.

4.1: In /etc/hosts

Comment out any IPv6 addresses found in /etc/hosts, including ::1 localhost address

# cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts

 

4.2: In /etc/ssh/sshd_config

As informed earlier if problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:
Change the line

#AddressFamily any

to

AddressFamily inet

and restart sshd service

# systemctl restart sshd.service

 

4.3: In Postfix (/etc/postfix/main.cf)

If you are using postfix then you should also make these changes in the /etc/postfix/main.cf and comment out the localhost part of the config and use ipv4 loopback.

#inet_interfaces = localhost
inet_interfaces = 127.0.0.1

Restart postfix service

# systemctl restart postfix

 

4.4: In /etc/ntp.conf

If you are using legacy ntp.conf to sync your local time with NTP server then comment the line related to IPV6 in /etc/ntp.conf

# restrict ::1

Next restart ntpd service

# systemctl restart ntpd

 

4.5: In /etc/netconfig

To disable RPCBIND ipv6 (rpcbind, rpc.mountd, prc.statd) remark out the udp6 and tcp6 lines in /etc/netconfig:

udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6       tpi_clts      v     inet6    udp     -       -
#tcp6       tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -

You don't need to restart any service and the changes will take affect runtime.

 

4.6: In chrony

If you are using chrony instead of NTP to sync your local server with Network timezone, then to disable chronyd service on a upd6 socket create /etc/sysconfig/chronyd file using any text editor, with line below:

OPTIONS="-4"

Restart chronyd service

# systemctl restart chronyd

You can verify the same using netstat to lists chronyd process listening on udp6

# netstat -plan | egrep 'tcp6|udp6'

 

Conclusion

In this tutorial we learned about how we can disable IPv6 properly across all the relevant configuration files and network. You can achieve this with or without reboot. Although in most environment I have observed issues when I disabled IPv6 using sysctl as the the module is still loaded on the server so some application may fail to work or throw error so I prefer to completely unload the ipv6 module from the Linux server to avoid any conflicts.

Leave a Comment

Please use shortcodes <pre class=comments>your code</pre> for syntax highlighting when adding code.