system configuration - Red Hat based systems
The requirements and recommended techniques for disabling ipv6 have changed frequently. Much of the advice found online today is either outdated or simply bad advice. Some of suggestions may work with some versions of an OS under certain configurations but not others.
If you do not need IPv6 support and are determined to disable it the following should work for most versions and configurations of RHEL5 and RHEL6. The appropriate approach is to administratively disable IPv6. As a general rule, you should no longer try to prevent the IPv6 module from loading since it is a dependency for a number of other components (e.g., bonding). In fact, as an aside, with some distributions and builds IPv6 is no longer a separate module but part of the kernel.
Any potential change should be carefully reviewed and evaluated before being implemented and confirmed following patching or upgrades.
RHEL6 Systems
Create a new file under /etc/modprobe.d with a name such as ipv6.conf and add the indicated line.
- vi /etc/modprobe.d/ipv6.conf
options ipv6 disable=1
Set appropriate permissions and ownership on the new file as necessary.
- chown root:root /etc/modprobe.d/ipv6.conf
- chmod 644 /etc/modprobe.d/ipv6.conf
Next review the /etc/sysconfig/network file. If the entry 'NETWORKING_IPV6=yes' exists change it to 'NETWORKING_IPV6=no'
- vi /etc/sysconfig/network
NETWORKING_IPV6=no
You should also check the ifcfg interface configuration files in /etc/sysconfig/network-scripts to see if any of these contain ipv6 configuration settings. If they do it is possible this configuration may need to be changed. I have not needed to but your configuration may be different. At the very least you should be aware of what is in these files in case you have an issue so you will know to investigate further if required.
As long as you are confident that your changes are correct and that IPv6 addresses are not going to get assigned to the host you can disable IPv6 iptables. Use caution and give careful consideration to this change, especially on a publicly accessible system, to ensure you are not negatively impacting security now or in the future.
- chkconfig ip6tables off
If you are running Postfix you may see a warning when Postfix starts if IPv6 is not enabled. This appears to be harmless but to eliminate the warning add the following to the /etc/postfix/main.cf file if it does not already exist in the file. Simply appending the new option to the end of file is acceptable.
- echo "inet_protocols = ipv4" >> /etc/postfix/main.cf
Reboot - If possible simply reboot the system to implement the changes. This will test your configuration and is the easiest way to dissassociate any existing ipv6 addresses from the interfaces.
- shutdown -r now
Note: You likely will see the following message as result of a system boot. This is OK and is expected. The above configuration changes are intended to achieve this result.
IPv6: Loaded, but administratively disabled, reboot required to enable
RHEL5 Systems
Disabling IPv6 on current RHEL5 systems is essentially the same as for RHEL6 with the following exceptions.
Instead of creating a new file under /etc/modprobe.d (e.g., /etc/modprobe.d/ipv6.conf) edit the /etc/modprobe.conf file and add the following line to the end of the file.
- vi /etc/modprobe.conf
options ipv6 disable=1
By default RHEL5 uses Sendmail instead of Postfix so you can ignore the Postfix section above. Complete the rest of the steps as outlined for RHEL6 above.
No comments:
Post a Comment