How to Disable IPv6 in Fedora and CentOS
2011-08-02 10:54
597 查看
实验环境:virtualbox、rhel6.0
操作:echo "install ipv6 /bin/true" > /etc/modprobe.conf ; reboot
They say that by disabling IPv6 things get a bit smoother and faster regarding networking. I don’t really know if this is true, but I guess, if you’ve decided to disable this feature, you probably care to do it the Right Way™. As far as I know, trying to disable IPv6 through anaconda during the installation of Fedora or CentOS does not turn off the IPv6 functionality completely, but it just disables it for the configured network interface. This is not actually a problem, but, why should this network layer be enabled system-wide, if you do not use it at all? This small article assists you in disabling IPv6 in the latest Fedora and CentOS releases in an aggressive and unforgiving way.
Check if the module is loaded
IPv6 functionality is being made available to the system by the ipv6 kernel module. To check if this module is currently loaded in your system, issue the following command as root:
lsmod | grep ipv6
If you see ipv6 in its output, then the module is loaded.
Performing this check is absolutely not necessary. It is included in this article for completeness.
Disable IPv6
You can prevent a module from being inserted into the kernel by either blacklisting it or by completely disabling it.
In this case, since you will most probably turn off the IPv6 firewall (ip6tables) as well, it is highly recommended to completely disable the ipv6 module, to avoid any accidental loading of the IPv6 stack without any firewall protection at the same time.
How the module blacklist works
This information about blacklisting a kernel module exists here for educational purposes. It has been mentioned above that for ipv6 it is important to completely disable it.
From the modprobe.conf man page:
Modules can contain their own aliases: usually these are aliases describing the devices they support, such as “pci:123…”. These “internal” aliases can be overridden by normal “alias” keywords, but there are cases where two or more modules both support the same devices, or a module invalidly claims to support a device: the blacklist keyword indicates that all of that particular module’s internal aliases are to be ignored.
So, blacklist indicates that a module’s aliases should be ignored. But, what happens if an application requires to load that specific module or if root uses modprobe to load it on demand? Let’s test it…
To blacklist the module, simply save the following line in a file inside /etc/modprobe.d:
blacklist ipv6
Next, disable any services that use IPv6, eg ip6tables or any IPv6-enabled network interfaces and reboot (mandatory).
After you’ve logged-in again, try, for example, to load the ipv6 module with the modprobe command (as root):
[root@centos]# modprobe -v ipv6
insmod /lib/modules/2.6.18-53.1.14.el5/kernel/net/ipv6/ipv6.ko
[root@centos]# lsmod | grep v6
ipv6 251393 8
The blacklisted module has been loaded. This is what happens if it is needed by a system service, regardless of the fact that it has been blacklisted. In the case of ipv6 this could be a security risk, provided that the ipv6 firewall has been turned off but some network interfaces still use IPv6. So, frankly, it is suggested to read on how to disable the module more aggressively…
Completely disable the ipv6 module
To completely disable IPv6 in your system, all you have to do is save the following line in a file inside /etc/modprobe.d/.
install ipv6 /bin/true
The above line means: whenever the system needs to load the ipv6 kernel module, it is forced to execute the command true instead of actually loading the module. Since /bin/true, does absolutely nothing, the module never gets loaded.
Again, it is required to reboot for the changes to take effect.
It is obvious that this is an aggressive method to disable kernel modules, but it guarantees that the module never gets loaded.
This is the recommended way to disable IPv6.
Other Configuration Tasks
Since the IPv6 functionality has been disabled, you can disable the ip6tables service (IPv6 Firewall). Issue the following command as root:
chkconfig ip6tables off
It is also a good idea, since the ip6tables service has been turned off, to disable any IPv6-related functionality in the network interface configuration. Even if you do not do this, the IPv6 stack will not be initialized because the ipv6 module cannot be loaded. But, generally, you could set the following options to “no” inside your network interface scripts, for example: /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
Finally, In fedora 8 or newer you can safely remove the following option from the /etc/sysconfig/network file, if it exists:
NETWORKING_IPV6=no
Final Thoughts
Using the instructions above, you can completely disable IPv6 in your system. On the other hand, you should understand that IPv6 is not an evil thing… It exists in order to address certain issues. If you ever think about actually trying to configure and use it instead of just disabling it every time you install your Linux operating system, here is a good place to start…
【转:http://www.g-loaded.eu/2008/05/12/how-to-disable-ipv6-in-fedora-and-centos/】
操作:echo "install ipv6 /bin/true" > /etc/modprobe.conf ; reboot
They say that by disabling IPv6 things get a bit smoother and faster regarding networking. I don’t really know if this is true, but I guess, if you’ve decided to disable this feature, you probably care to do it the Right Way™. As far as I know, trying to disable IPv6 through anaconda during the installation of Fedora or CentOS does not turn off the IPv6 functionality completely, but it just disables it for the configured network interface. This is not actually a problem, but, why should this network layer be enabled system-wide, if you do not use it at all? This small article assists you in disabling IPv6 in the latest Fedora and CentOS releases in an aggressive and unforgiving way.
Check if the module is loaded
IPv6 functionality is being made available to the system by the ipv6 kernel module. To check if this module is currently loaded in your system, issue the following command as root:
lsmod | grep ipv6
If you see ipv6 in its output, then the module is loaded.
Performing this check is absolutely not necessary. It is included in this article for completeness.
Disable IPv6
You can prevent a module from being inserted into the kernel by either blacklisting it or by completely disabling it.
In this case, since you will most probably turn off the IPv6 firewall (ip6tables) as well, it is highly recommended to completely disable the ipv6 module, to avoid any accidental loading of the IPv6 stack without any firewall protection at the same time.
How the module blacklist works
This information about blacklisting a kernel module exists here for educational purposes. It has been mentioned above that for ipv6 it is important to completely disable it.
From the modprobe.conf man page:
Modules can contain their own aliases: usually these are aliases describing the devices they support, such as “pci:123…”. These “internal” aliases can be overridden by normal “alias” keywords, but there are cases where two or more modules both support the same devices, or a module invalidly claims to support a device: the blacklist keyword indicates that all of that particular module’s internal aliases are to be ignored.
So, blacklist indicates that a module’s aliases should be ignored. But, what happens if an application requires to load that specific module or if root uses modprobe to load it on demand? Let’s test it…
To blacklist the module, simply save the following line in a file inside /etc/modprobe.d:
blacklist ipv6
Next, disable any services that use IPv6, eg ip6tables or any IPv6-enabled network interfaces and reboot (mandatory).
After you’ve logged-in again, try, for example, to load the ipv6 module with the modprobe command (as root):
[root@centos]# modprobe -v ipv6
insmod /lib/modules/2.6.18-53.1.14.el5/kernel/net/ipv6/ipv6.ko
[root@centos]# lsmod | grep v6
ipv6 251393 8
The blacklisted module has been loaded. This is what happens if it is needed by a system service, regardless of the fact that it has been blacklisted. In the case of ipv6 this could be a security risk, provided that the ipv6 firewall has been turned off but some network interfaces still use IPv6. So, frankly, it is suggested to read on how to disable the module more aggressively…
Completely disable the ipv6 module
To completely disable IPv6 in your system, all you have to do is save the following line in a file inside /etc/modprobe.d/.
install ipv6 /bin/true
The above line means: whenever the system needs to load the ipv6 kernel module, it is forced to execute the command true instead of actually loading the module. Since /bin/true, does absolutely nothing, the module never gets loaded.
Again, it is required to reboot for the changes to take effect.
It is obvious that this is an aggressive method to disable kernel modules, but it guarantees that the module never gets loaded.
This is the recommended way to disable IPv6.
Other Configuration Tasks
Since the IPv6 functionality has been disabled, you can disable the ip6tables service (IPv6 Firewall). Issue the following command as root:
chkconfig ip6tables off
It is also a good idea, since the ip6tables service has been turned off, to disable any IPv6-related functionality in the network interface configuration. Even if you do not do this, the IPv6 stack will not be initialized because the ipv6 module cannot be loaded. But, generally, you could set the following options to “no” inside your network interface scripts, for example: /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
Finally, In fedora 8 or newer you can safely remove the following option from the /etc/sysconfig/network file, if it exists:
NETWORKING_IPV6=no
Final Thoughts
Using the instructions above, you can completely disable IPv6 in your system. On the other hand, you should understand that IPv6 is not an evil thing… It exists in order to address certain issues. If you ever think about actually trying to configure and use it instead of just disabling it every time you install your Linux operating system, here is a good place to start…
【转:http://www.g-loaded.eu/2008/05/12/how-to-disable-ipv6-in-fedora-and-centos/】
相关文章推荐
- How to Reset Forgotten Root Password in RHEL/CentOS and Fedora
- [转载]How to Install Google Chrome 39 in CentOS/RHEL 6 and Fedora 19/18
- How to use, monitor, and disable transparent hugepages in Red Hat Enterprise Linux 6
- use noscript html tag when user disable the javascript in browser, guide user how to enable the js in different browser and retu
- How to Setup NFS (Network File System) on RHEL/CentOS/Fedora and Debian/Ubuntu
- How To Enable/Disable Archive Logging In RAC Environment for 10.2 and higher version
- How to Install PostgreSQL 9.5 on CentOS/RHEL 7/6/5 and Fedora 23/22
- How to Setup NFS (Network File System) on RHEL/CentOS/Fedora and Debian/Ubuntu
- (OK) rdesktop - How to Use Remote Desktop (rdesktop) in Redhat/Fedora/CentOS
- How to Install PostgreSQL 10 on CentOS/RHEL 7/6 and Fedora 26/25
- how to install rar and unrar in centos6.3
- Howto disable the iptables firewall and SELInux in Linux - xencao的日志 - 网易博客
- How to disable and clear query ranges in sysquery form
- howto install Oracle VirtualBox Guest Additions on Fedora, CentOS and Red Hat (RHEL).
- How to check and disable Adaptive Cursor Sharing in 11g
- How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .
- How to check and disable Adaptive Cursor Sharing in 11g
- How to disable 'withcredentials' in HTTP header with node.js and Request package?
- Install TightVNC Server in RHEL/CentOS and Fedora to Access Remote Desktops
- How to Install WineHQ 1.5.27 on Fedora, CentOS and RHEL Linux Distributions