By default, IPv6 is enabled on CentOS/RHEL 8 systems. However, in certain situations, some users may find it desirable to disable IPv6 support. This post outlines steps to disable IPv6 on a CentOS/RHEL 8 system.
For Systems Using NetworkManager
For all systems that run NetworkManager, IPv6 must be disabled on each interface with the option ipv6.method set to disabled. This step must be done in addition to IPv6 being disabled using the method shown in the next section below.
# nmcli connection modify [Connection Name] ipv6.method "disabled"
Method 1: Using GRUB2
1. Disable the built-in ipv6 kernel module. Edit /etc/default/grub and append ipv6.disable=1 to GRUB_CMDLINE_LINUX as shown below:
GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root ipv6.disable=1"
2. Run the grub2-mkconfig command to regenerate the grub.cfg file:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Alternatively, on UEFI systems, run the following:
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
3. Reboot the system to disable IPv6 support.
# systemctl reboot
Method 2: Using sysctl
Alternatively, IPv6 can be disabled via sysctl settings. Please be aware that this breaks SSH X forwarding unless sshd_config contains AddressFamily inet.
1. Create a new file named /etc/sysctl.d/ipv6.conf and add the following options:
# vi /etc/sysctl.d/ipv6.conf
# First, disable for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
# If using the sysctl method, the protocol must be disabled on all specific interfaces as well.
net.ipv6.conf.<interface>.disable_ipv6 = 1
2. Reload the new settings with:
# sysctl -p /etc/sysctl.d/ipv6.conf
3. Create a backup of the initramfs before making any changes to it:
# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).bak.$(date +%m-%d-%H%M%S).img
4. Then rebuild the Initial RAM Disk Image using:
# dracut -f -v
5. Verify that the file is included in the image:
# lsinitrd /boot/initramfs-[version].img | grep 'etc/sysctl.d/ipv6.conf'
6. Comment out any IPv6 addresses found in /etc/hosts, including the ::1 localhost address. Make a backup of the file before making any changes:
# cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts
Verification
1. The current state of the ipv6 module disable option can be seen via sysfs:
# cat /sys/module/ipv6/parameters/disable
1
2. The current state of the sysctl disable_ipv6 can be seen with the sysctl command:
# sysctl -a 2>/dev/null | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
3. To list any IPv6 addresses assigned to the system:
# ip -6 addr
4. To list any IPv6 TCP or UDP sockets, something like the following can be used:
# ss -6 -pan
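The sysctl output in verification step 2 can show disable_ipv6 = 1 for "all" while "default" or an individual interface still reports 0, which is the case Method 2 warns about. The script below is an added example, not part of the original post: it parses sysctl -a style output and prints the lines still missing from /etc/sysctl.d/ipv6.conf. The function names, the --live switch and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find scopes where IPv6 is
# still enabled and generate the sysctl.d lines that disable them.

# Constructed sample in `sysctl -a` format; the three disable_ipv6 lines
# mirror the verification output shown in the post.
SAMPLE_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.forwarding = 0'

# Read `sysctl -a` output on stdin; print each scope (all, default, or an
# interface name) whose disable_ipv6 value is not 1.
ipv6_enabled_scopes() {
    sed -n 's/^net\.ipv6\.conf\.\(.*\)\.disable_ipv6[[:space:]]*=[[:space:]]*\([0-9]*\).*$/\1 \2/p' |
        awk '$2 != 1 { print $1 }'
}

# Read `sysctl -a` output on stdin; print lines suitable for
# /etc/sysctl.d/ipv6.conf that disable IPv6 on every scope still enabled.
ipv6_sysctl_fragment() {
    ipv6_enabled_scopes | while read -r scope; do
        printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$scope"
    done
}

# Hypothetical --live switch: audit the running kernel instead of the sample.
if [ "${1:-}" = "--live" ]; then
    sysctl -a 2>/dev/null | ipv6_sysctl_fragment
else
    printf '%s\n' "$SAMPLE_SYSCTL" | ipv6_sysctl_fragment
fi
```

An empty result means every scope present in the input already has disable_ipv6 set to 1.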
The Conclusion
If you notice any SELinux denied messages in the audit.log file, such as avc: denied { module_request }, while using Method 1 (GRUB2), then disable IPv6 from the /etc/sysctl.d/ipv6.conf file as shown in Method 2. Optionally, to prevent rpc* message output after disabling IPv6, edit /etc/netconfig: on the lines starting with udp6 and tcp6, change the "v" in the third column to "-" (hyphen/dash).