How To Disable IPv6 on CentOS Stream 10
Internet Protocol version 6 (IPv6) was designed as the successor to IPv4, offering an expanded address space and enhanced features. However, there are legitimate scenarios where disabling IPv6 on your CentOS Stream 10 system becomes necessary. This comprehensive guide explores various methods to disable IPv6 effectively, covering everything from simple configuration adjustments to kernel-level modifications.
Understanding IPv6 and CentOS Stream 10
IPv6 represents the most recent iteration of the Internet Protocol, utilizing 128-bit addressing compared to IPv4’s 32-bit format. This expansion creates an almost unlimited pool of available addresses (approximately 340 undecillion compared to IPv4’s 4.3 billion). Despite these advantages, IPv6 isn’t always required or desired in every environment.
CentOS Stream 10, as the upstream development platform for Red Hat Enterprise Linux, comes with comprehensive IPv6 support enabled by default. The system utilizes NetworkManager as its primary network configuration tool, managing both IPv4 and IPv6 connectivity across interfaces.
Why Disable IPv6?
Several legitimate reasons exist for disabling IPv6:
- Application compatibility issues with legacy software
- Network simplification in IPv4-only environments
- Troubleshooting specific network problems
- Security policies requiring unused protocols to be disabled
- Performance optimization in certain scenarios
Understanding your specific requirements will help determine the most appropriate method for disabling IPv6 on your system.
Prerequisites and Preparation
Before making any changes to your network configuration, proper preparation is essential to prevent connectivity issues and ensure a smooth process.
Required Permissions
All methods in this guide require elevated privileges. You must have root access or sudo capabilities to execute these commands. Throughout this guide, we’ll assume you’re running commands with appropriate permissions.
Backing Up Network Configurations
Always create backups of critical configuration files before modification:
# Back up sysctl configuration
cp /etc/sysctl.conf /etc/sysctl.conf.backup
# Back up network scripts
cp -r /etc/sysconfig/network-scripts/ /etc/sysconfig/network-scripts.backup
# Back up SSH configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# Back up GRUB configuration
cp /etc/default/grub /etc/default/grub.backup
Checking Current IPv6 Status
Verify your system’s current IPv6 status to establish a baseline:
# Check for IPv6 addresses
ip a | grep inet6
If the command returns output showing IPv6 addresses (typically starting with “fe80::”), IPv6 is currently enabled.
# Examine current sysctl IPv6 parameters
sysctl -a | grep ipv6
This information will be valuable for comparing before and after states when implementing changes.
Method 1: Disabling IPv6 Using sysctl.conf
The sysctl approach provides a flexible method to disable IPv6 without requiring a system reboot in most cases. This technique works by adjusting kernel parameters that control IPv6 functionality.
Understanding sysctl Parameters for IPv6
The Linux kernel exposes several parameters through the sysctl interface that control IPv6 behavior. The most relevant for disabling IPv6 include:
- net.ipv6.conf.all.disable_ipv6: Controls IPv6 for all interfaces
- net.ipv6.conf.default.disable_ipv6: Sets the default for new interfaces
- net.ipv6.conf.lo.disable_ipv6: Controls IPv6 specifically for the loopback interface
Setting these parameters to 1 disables IPv6 functionality for the corresponding scope.
Step-by-Step Implementation
- Create a new sysctl configuration file:
nano /etc/sysctl.d/70-ipv6-disable.conf
- Add the following lines to disable IPv6 completely:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
- Save the file and exit the editor.
- Apply the changes immediately:
sysctl -p /etc/sysctl.d/70-ipv6-disable.conf
Some sources recommend using sysctl --system to apply all sysctl configurations.
- Verify the changes took effect:
sysctl net.ipv6.conf.all.disable_ipv6
The output should show net.ipv6.conf.all.disable_ipv6 = 1.
Making the Changes Persistent
To ensure your changes persist across system reboots:
- Verify the sysctl configuration is properly loaded at boot:
ls -la /etc/sysctl.d/
- Test persistency by restarting the NetworkManager service:
systemctl restart NetworkManager
- Check IPv6 status after service restart:
ip a | grep inet6
No IPv6 addresses should be displayed if properly disabled.
Method 2: Disabling IPv6 Using Kernel Parameters with Grubby
Disabling IPv6 at the kernel level offers a more comprehensive approach, ensuring that the IPv6 module isn’t loaded during system startup. This method uses the grubby utility, which is the preferred tool for managing boot parameters in CentOS Stream 10.
What is Grubby?
Grubby is a command-line tool that updates bootloader configuration files for all installed kernels without directly editing the complex GRUB configuration files. It provides a safer, more standardized way to modify boot parameters in Red Hat-based distributions like CentOS Stream 10.
Step-by-Step Implementation
- Check your current kernel parameters:
grubby --info=ALL | grep args
This displays the current kernel parameters for all installed kernels.
- Add the IPv6 disable parameter to all kernels:
grubby --update-kernel=ALL --args="ipv6.disable=1"
This adds ipv6.disable=1 to the kernel command line for all installed kernels.
- Verify the parameter was added correctly:
grubby --info=ALL | grep ipv6
You should see ipv6.disable=1 listed in the arguments for each kernel.
- Rebuild the initial ramdisk (initramfs):
dracut -f
This ensures the necessary configurations are included in the initramfs.
- Reboot the system to apply the changes:
systemctl reboot
- Verify IPv6 is disabled after reboot:
ip a | grep inet6
If no output appears, IPv6 has been successfully disabled.
Alternative: Disabling IPv6 for the Default Kernel Only
If you prefer to disable IPv6 only for the current default kernel:
grubby --update-kernel=DEFAULT --args="ipv6.disable=1"
This applies the change only to the default kernel rather than all installed kernels.
Method 3: Network Interface Configuration for IPv6 Disabling
Instead of disabling IPv6 system-wide, you might prefer to disable it on specific network interfaces. This approach provides more granular control, especially in complex network environments.
Understanding Network Interface Configurations
CentOS Stream 10 primarily uses NetworkManager to manage network interfaces. The nmcli tool allows viewing and modifying network configurations from the command line.
Step-by-Step Implementation
- List available network connections:
nmcli connection show
Note the NAME or UUID of the connection you want to modify.
- Check the current IPv6 configuration for the connection:
nmcli connection show "connection-name" | grep ipv6
Replace “connection-name” with your connection’s name.
- Disable IPv6 for a specific connection:
For CentOS Stream 10 (newer versions of NetworkManager):
nmcli connection modify "connection-name" ipv6.method "disabled"
For older versions of NetworkManager:
nmcli connection modify "connection-name" ipv6.method "ignore"
- Remove any existing IPv6 addresses and gateway:
nmcli connection modify "connection-name" ipv6.addresses "" ipv6.gateway ""
- Apply the changes by reactivating the connection:
nmcli connection down "connection-name"
nmcli connection up "connection-name"
- Verify IPv6 is disabled for the interface:
ip addr show dev interface-name | grep inet6
Replace “interface-name” with your actual interface name (like eth0, ens192, etc.).
Disabling IPv6 for All Interfaces At Once
To disable IPv6 on all active interfaces with a single command:
# Read one UUID per line so connection names containing spaces are not split
nmcli -t -f UUID connection show --active | while IFS= read -r CONN; do
    nmcli connection modify "$CONN" ipv6.method "disabled" ipv6.addresses "" ipv6.gateway ""
    nmcli connection down "$CONN" && nmcli connection up "$CONN"
done
This script automatically finds all active connections and disables IPv6 for each of them.
Method 4: Configuring SSH for IPv4-only Operation
Even after disabling IPv6 using one of the previous methods, you might need to explicitly configure SSH to operate exclusively over IPv4. This step is particularly important for remote administration to prevent connection issues or lockouts.
Why SSH Configuration Matters
The OpenSSH daemon (sshd) service is crucial for remote system administration. By default, it listens on both IPv4 and IPv6 addresses. When IPv6 is disabled, SSH might still attempt to use IPv6 sockets, which can cause connection delays or failures.
Step-by-Step SSH Configuration
- Back up the SSH configuration file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
- Edit the SSH daemon configuration file:
nano /etc/ssh/sshd_config
- Add or modify the AddressFamily parameter:
AddressFamily inet
The parameter values can be:
- inet: IPv4 only
- inet6: IPv6 only
- any: Both IPv4 and IPv6 (default)
- Check the configuration for syntax errors:
sshd -t
- Restart the SSH service to apply changes:
systemctl restart sshd
Important: Do not disconnect from your current SSH session until you verify the new configuration works.
- Verify SSH is listening only on IPv4:
ss -tulnp | grep ssh
You should see only IPv4 addresses (starting with 0.0.0.0 or specific IPv4 addresses).
Verifying IPv6 Is Properly Disabled
After implementing one or more methods to disable IPv6, thorough verification is essential to ensure it has been completely disabled across your system.
Command-Line Verification Techniques
Use these commands to check whether IPv6 has been successfully disabled:
- Check for IPv6 addresses on all interfaces:
ip -6 addr
or
ip addr | grep inet6
If IPv6 is completely disabled, these commands should produce no output.
- Verify kernel IPv6 parameters:
sysctl net.ipv6.conf.all.disable_ipv6
A value of 1 indicates IPv6 is disabled.
- Check if IPv6 module is loaded:
lsmod | grep ipv6
- Examine network interfaces for IPv6 configuration:
nmcli connection show | grep ipv6
- Check listening network services:
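ss -6 -tulnp
Apart from the header line, nothing should be listed: no services should be listening on IPv6 addresses. (Current versions of ss print the IPv6 wildcard as [::], so filtering the output for ':::' would miss these listeners.)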
Testing Application Behavior
Beyond command-line verification, test how applications behave without IPv6:
- Test DNS resolution:
dig AAAA google.com
- Test outbound connectivity:
ping6 ipv6.google.com
This should fail if IPv6 is properly disabled.
- Check system services that might use IPv6:
systemctl status NetworkManager
journalctl -u NetworkManager | grep -i ipv6
Proper verification ensures that your IPv6 disabling implementation is complete and effective across all system components and applications.
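An added example, not part of the original guide: a shell function that performs the kernel-side checks above by reading /proc directly, so it can be re-run from cron or a monitoring agent after updates. It treats ipv6.disable=1 on the kernel command line together with a missing /proc/sys/net/ipv6 tree as the disabled state; the ROOT argument and the --live flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original guide): audit IPv6 state from /proc.
# ROOT is this example's own parameter: empty on a live host, or a directory
# holding a copy of /proc for offline testing.

# Prints one line per finding; returns 0 when clean, 1 when IPv6 is in use.
audit_ipv6() {
    root=${1:-}
    findings=0
    conf="$root/proc/sys/net/ipv6/conf"

    # Method 2 (ipv6.disable=1): the stack never initialises, so the sysctl
    # tree is absent. That is the disabled state, not an error.
    if grep -qwF 'ipv6.disable=1' "$root/proc/cmdline" 2>/dev/null && [ ! -d "$conf" ]; then
        echo "OK: IPv6 stack disabled at boot"
    else
        # Method 1 (sysctl): every interface must read 1, not only "all".
        for f in "$conf"/*/disable_ipv6; do
            [ -r "$f" ] || continue
            if [ "$(cat "$f")" != "1" ]; then
                iface=${f%/disable_ipv6}
                echo "FINDING: disable_ipv6 is not 1 on ${iface##*/}"
                findings=$((findings + 1))
            fi
        done
    fi

    # Each line of if_inet6 is an address the kernel currently holds.
    if [ -s "$root/proc/net/if_inet6" ]; then
        while read -r addr _ _ _ _ dev; do
            echo "FINDING: address $addr on $dev"
            findings=$((findings + 1))
        done < "$root/proc/net/if_inet6"
    fi

    # State 0A in tcp6 is LISTEN: a service still bound to an IPv6 socket.
    if [ -r "$root/proc/net/tcp6" ]; then
        for port in $(awk 'NR > 1 && $4 == "0A" { sub(/.*:/, "", $2); print $2 }' \
                      "$root/proc/net/tcp6"); do
            echo "FINDING: TCP listener on IPv6 port $((0x$port))"
            findings=$((findings + 1))
        done
    fi

    [ "$findings" -eq 0 ]
}

# Run against the live system only when executed directly with "--live".
if [ "${1:-}" = "--live" ]; then
    audit_ipv6 "" || exit 1
fi
```

A non-zero exit status means at least one FINDING line was printed, which makes the function usable as a monitoring check.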
Performance and Security Considerations
Disabling IPv6 on your CentOS Stream 10 system has several implications for both performance and security that should be carefully considered.
Performance Impacts
Disabling IPv6 can affect system performance in several ways:
- Reduced Protocol Overhead: Without IPv6, the system processes fewer network packets, potentially reducing CPU usage on busy servers.
- DNS Resolution Improvements: Applications will only request A records (IPv4) instead of both A and AAAA (IPv6) records, potentially speeding up DNS resolution.
- Connection Establishment: Services that previously attempted IPv6 connections before falling back to IPv4 will connect directly via IPv4, eliminating connection delays in IPv4-only networks.
However, be aware of potential negative performance impacts:
- Future Compatibility: As networks increasingly adopt IPv6, systems with IPv6 disabled may require additional configuration or face connectivity issues.
- Dual-Stack Optimization: Modern operating systems are optimized for dual-stack operation, and disabling IPv6 might not provide significant performance benefits on recent hardware.
Security Considerations
Disabling IPv6 has several security implications:
- Reduced Attack Surface: Eliminating IPv6 reduces potential attack vectors, particularly in environments where IPv6 security controls are less mature than IPv4 controls.
- Simplified Firewall Rules: Security policies become easier to implement and maintain when only IPv4 traffic needs to be considered.
- Monitoring Clarity: Network monitoring and intrusion detection systems only need to analyze IPv4 traffic, potentially improving visibility.
However, disabling IPv6 also introduces security considerations:
- Missing Security Updates: Some security features in modern networks leverage IPv6. Disabling it might prevent access to these security enhancements.
- Security by Obscurity: Relying solely on disabling IPv6 as a security measure is insufficient; proper security controls should be implemented regardless of IP protocol version.
Troubleshooting Common Issues
When disabling IPv6 on CentOS Stream 10, you might encounter various issues. This section addresses common problems and provides practical solutions.
IPv6 Reappearing After System Updates
One of the most common issues is IPv6 becoming re-enabled after system updates. This typically happens because:
- Kernel updates may reset boot parameters
- Package updates might modify network configurations
- System services might be reconfigured during updates
Solution:
- Re-check your configuration after major system updates:
ip a | grep inet6
sysctl net.ipv6.conf.all.disable_ipv6
- Reapply your chosen disabling method if IPv6 has been re-enabled.
- Consider implementing multiple disabling methods for redundancy.
Application-Specific Problems
Some applications might encounter issues when IPv6 is disabled:
- Connection timeouts or delays
- Error messages related to address family
- Services failing to start properly
Solution:
- Check application logs for specific error messages:
journalctl -u service-name | grep -i ipv6
- Modify application configurations to explicitly use IPv4 where possible.
Network Service Failures
Network-related services might fail to start or function correctly:
- NetworkManager showing errors
- Firewall services failing to load rules
- DNS resolution issues
Solution:
- Restart network services after disabling IPv6:
systemctl restart NetworkManager
systemctl restart firewalld
- Check service dependencies on IPv6.
How to Re-enable IPv6 When Needed
There may be situations where you need to re-enable IPv6 after previously disabling it. This section provides instructions for reversing each disabling method.
Reversing the sysctl Method
If you used the sysctl method to disable IPv6, follow these steps to re-enable it:
- Edit the sysctl configuration file:
nano /etc/sysctl.d/70-ipv6-disable.conf
- Change the parameter values from 1 to 0:
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
- Apply the changes immediately:
sysctl -p /etc/sysctl.d/70-ipv6-disable.conf
- Verify IPv6 is re-enabled:
sysctl net.ipv6.conf.all.disable_ipv6
ip a | grep inet6
Reversing the Kernel Parameter Method
If you used the grubby utility to add kernel parameters, follow these steps:
- Remove the IPv6 disable parameter:
grubby --update-kernel=ALL --remove-args="ipv6.disable=1"
- Rebuild the initramfs:
dracut -f
- Reboot the system:
systemctl reboot
- Verify IPv6 is re-enabled after reboot:
ip a | grep inet6
Reversing Network Interface Configuration Changes
If you disabled IPv6 on specific interfaces:
- Re-enable IPv6 on each connection:
nmcli connection modify "connection-name" ipv6.method "auto"
- Apply the changes:
nmcli connection down "connection-name"
nmcli connection up "connection-name"
Reversing SSH Configuration Changes
If you configured SSH for IPv4-only operation:
- Edit the SSH configuration file:
nano /etc/ssh/sshd_config
- Change the AddressFamily parameter:
AddressFamily any
- Restart the SSH service:
systemctl restart sshd
Best Practices and Expert Recommendations
Drawing from industry expertise and real-world experience, this section outlines best practices for managing IPv6 on CentOS Stream 10 systems.
When to Disable vs. When to Keep IPv6
Consider disabling IPv6 when:
- Your network infrastructure has no IPv6 support and no plans to implement it
- You’re experiencing specific application compatibility issues related to IPv6
- Security policies explicitly require disabling unused protocols
- Troubleshooting indicates IPv6 is causing network problems
Keep IPv6 enabled when:
- Your organization has an IPv6 deployment roadmap
- You’re using modern applications that benefit from IPv6 features
- Your cloud or hosting provider supports IPv6 natively
- You’re developing or testing applications that will need IPv6 compatibility
Enterprise Environment Considerations
In enterprise settings, additional factors should influence your IPv6 strategy:
- Standardization: Create a consistent approach to IPv6 across your infrastructure rather than making ad-hoc changes to individual systems.
- Change Management: Document all IPv6 configuration changes within your change management system, including justification and testing results.
- Monitoring Integration: Ensure monitoring systems properly alert on unexpected IPv6 activity if it should be disabled.
- Security Compliance: Verify that disabling IPv6 aligns with security frameworks your organization follows, such as CIS benchmarks or NIST guidelines.
Alternative Approaches to IPv6 Management
Instead of completely disabling IPv6, consider these alternatives:
- Selective Interface Disabling: Keep IPv6 enabled on internal interfaces but disable it on public-facing ones.
- Firewall Control: Use firewall rules to block unwanted IPv6 traffic while keeping the protocol enabled.
- Priority Adjustment: Configure the system to prefer IPv4 over IPv6 when both are available.
- Container Isolation: Use containerization to isolate applications that have IPv6 compatibility issues.
Congratulations! You have successfully disabled IPv6. Thanks for using this tutorial to disable IPv6 on a CentOS Stream 10 system. For additional help or useful information, we recommend you check the official CentOS website.