Disabling IPv6 and ip6tables

ip6tables creates Netfilter rules for IPv6 packets
which are not affected by iptables rules!

Provided by the iptables-ipv6 package
Rules stored in /etc/sysconfig/ip6tables
Does not support the nat table
system-config-securitylevel creates IPv4 and IPv6 rules.

Filtering IPv6 Traffic

While support for IP version 6 (IPv6) comes standard with most modern operating systems, the majority of the world's networks still use the older IP version 4 (IPv4) protocol by default. However, if your system is reachable by an IPv6 address, it is important to remember that since IPv4 and IPv6 are very different protocols, IPv4-based security mechanisms may need to be supplemented with IPv6-based solutions to keep your system safe.

One very important example of such a mechanism is iptables, which specifically filters IPv4 traffic, not IPv6. Any iptables rules that do not refer to specific interfaces or MAC addresses will effectively ignore IPv6 traffic, even with a chain policy of DROP. A second packet filtering system, called ip6tables, can be used to filter IPv6. To start using ip6tables, install the iptables-ipv6 package, build a ruleset as you would with iptables, and run service ip6tables save. This will store your ip6tables rules in /etc/sysconfig/ip6tables.

The syntax of ip6tables is almost identical to that of iptables, with a few notable differences:

Disabling IPv6

All interfaces are assigned an IPv6 address by default

If IPv6 is not being used, it may be best to disable it,
though it has advantages over IPv4:
More address space
Automatic assignment of IPs

To disable, add lines to /etc/modprobe.conf

IPv6 exists and is supported by default in Red Hat Enterprise Linux for a reason. For one thing, we will soon run out of IPv4 addresses. To illustrate, IPv4 supports 4 billion addresses and there are over 6 billion people in the world. In the industrialized world, individuals now need more than a single IP address. Our computers, cell phones, cable TV boxes, and more all need addresses. IPv6 supports over 340 trillion, trillion, trillion addresses (that's 340 followed by 36 more zeroes). Private IPv4 addresses and Network Address Translation (NAT) have simply delayed the inevitable.

As of today, many service providers are beginning to deploy IPv6, such as your cable TV provider for your set-top box, or your cell phone provider in many parts of the world. The US Government agency Office of Management and Budget (OMB) has set a policy that compels all federal agencies to upgrade their network backbones to IPv6 by 2008. The US Department of Defense has set a similar policy targeting 2008.

That said, if you are not currently using IPv6 on your network and are not considering migrating to it, then it may be best from a security standpoint to disable it. Remember that because IPv4 and IPv6 are completely different protocols, they require separate access control mechanisms, or at least separate rules with different syntax for those mechanisms that support both. This is not just true of iptables and ip6tables, but of any host-based access mechanism. This creates the risk of an administrator remembering to create rules for one but not the other, providing a potential avenue for attack.
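One way to catch the "rules for one family but not the other" gap described above is to diff the saved rulesets. The following is an added example, not part of the course material: it parses text in the format written by iptables-save and ip6tables-save (the sample rulesets are constructed, not captured from a real host) and reports filter rules and chain policies that exist for only one address family.

```python
# Added example (not course code): diff iptables-save / ip6tables-save output
# to find filter rules or chain policies present for only one address family.
# Constructed sample rulesets standing in for the two commands' real output.
IPV4_SAVE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
IPV6_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Map each table name to (chain policies, list of -A rules)."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            current = tables.setdefault(line[1:], ({}, []))
        elif current is None or not line or line[0] == "#" or line == "COMMIT":
            continue                         # comments, blanks, COMMIT markers
        elif line.startswith(":"):          # chain line: :NAME POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            current[0][chain] = policy
        elif line.startswith("-A"):
            current[1].append(line)
    return tables

def compare_filter(v4_text, v6_text):
    """Only the filter table is compared; ip6tables has no nat table to match."""
    v4_pol, v4_rules = parse_save(v4_text).get("filter", ({}, []))
    v6_pol, v6_rules = parse_save(v6_text).get("filter", ({}, []))
    chains = sorted(set(v4_pol) | set(v6_pol))
    return {
        "only_v4": sorted(set(v4_rules) - set(v6_rules)),
        "only_v6": sorted(set(v6_rules) - set(v4_rules)),
        "policy_mismatch": {c: (v4_pol.get(c), v6_pol.get(c))
                            for c in chains if v4_pol.get(c) != v6_pol.get(c)},
    }
```

On a live host, feed it the output of iptables-save and ip6tables-save (or the contents of /etc/sysconfig/iptables and /etc/sysconfig/ip6tables); on the sample above it flags the missing port 80 and state rules and the INPUT policy that is DROP for IPv4 but ACCEPT for IPv6.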

IPv6 support begins with a kernel module, ipv6.ko. To disable IPv6 we must prevent the loading of this module by adding the following two lines to /etc/modprobe.conf:

    alias net-pf-10 off
    alias ipv6 off

If the module is loaded, active interfaces will have the default link-local address automatically assigned. These addresses are locally scoped, i.e. non-routable.


