Gentoo Forums
Possible to block ICMPv6 if IPv6 is disabled?
1970
n00b
Joined: 07 May 2010
Posts: 55

Posted: Mon May 11, 2015 8:11 pm    Post subject: Possible to block ICMPv6 if IPv6 is disabled?

I want to disable IPv6 completely on NIC eth1 on which a router is connected.
I already disabled IPv6 in kernel:
Code:

# cat /proc/sys/net/ipv6/conf/eth1/disable_ipv6
1

Here are my simple ip6tables rules (block all):
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon May 11 21:53:29 2015
# Generated by ip6tables-save v1.4.21 on Mon May 11 21:53:29 2015
*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT

But I still see these ICMPv6 packets (router advertisements from the connected router) on eth1:
Code:

# tcpdump -v -ni eth1 icmp6
21:46:33.222310 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 255, Flags [other stateful], pref high, router lifetime 1800s, reachable time 30000s, retrans time 1000s
          prefix info option (3), length 32 (4): 2003:58:xxxx:xxxx::/64, Flags [onlink, auto], valid time 604800s, pref. time 86400s
          mtu option (5), length 8 (1):  1492
21:46:38.159864 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::1, Flags [router, override]
          destination link-address option (2), length 8 (1): <mac address of router>

I also tried
Code:

# echo 0 >/proc/sys/net/ipv6/conf/eth1/accept_ra

But that did not have any effect, either.

Maybe ip6tables does not take effect because IPv6 is disabled?


Last edited by 1970 on Mon May 11, 2015 9:39 pm; edited 1 time in total
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

Posted: Mon May 11, 2015 8:16 pm    Post subject:

What's wrong with seeing packets that you don't do anything with?
You will see many packets coming in that will get ignored anyway, including these IPv6 packets. They should show up the same way that filtered IPv4 packets do.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
charles17
Advocate
Joined: 02 Mar 2008
Posts: 2583

Posted: Tue May 12, 2015 5:40 am    Post subject: Re: Possible to block ICMPv6 if IPv6 is disabled?

1970 wrote:
I want to disable IPv6 completely on NIC eth1 on which a router is connected.
I already disabled IPv6 in kernel:

Did you verify it being completely disabled?
Code:
$ grep -i v6 /usr/src/linux/.config
1970
n00b
Joined: 07 May 2010
Posts: 55

Posted: Tue May 12, 2015 4:59 pm    Post subject:

Originally I only disabled IPv6 via
Code:

$ cat /etc/sysctl.d/40-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1

while IPv6 was built into the kernel.
Now I have truly removed IPv6 from the kernel:
Code:

$ grep -i ipv6 /usr/src/linux/.config
# CONFIG_IPV6 is not set
$ zgrep -i ipv6 /proc/config.gz
# CONFIG_IPV6 is not set

There is no directory /proc/sys/net/ipv6 anymore.
But surprisingly that has no effect, either 8O
tcpdump still shows the same ICMPv6 messages.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

Posted: Tue May 12, 2015 5:11 pm    Post subject:

As said, you will still see icmpv6 packets coming in but ignored even if you disable ipv6 from the kernel.
There's nothing you can do with it except disable ipv6 on your router.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
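
An added example, not part of any post in this thread: tcpdump reads frames from the interface before the IPv6 stack or ip6tables handles them, so a capture cannot show whether the host acts on the router advertisements. The script below reports the kernel's own state for an interface from the /proc files used in the thread; the function name `ipv6_state` and its optional second argument (an alternate /proc root) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the kernel will process IPv6 on an interface,
# using /proc state rather than a packet capture.
# ipv6_state and its optional second argument (alternate /proc root, useful
# for testing against a constructed tree) are names invented for this example.

ipv6_state() {
    iface=$1
    root=${2:-/proc}
    conf="$root/sys/net/ipv6/conf"

    # Kernel built without CONFIG_IPV6 (or ipv6 module not loaded):
    # the whole sysctl directory is absent.
    if [ ! -d "$conf" ]; then
        echo "no-stack"
        return 0
    fi
    if [ ! -d "$conf/$iface" ]; then
        echo "unknown-interface"
        return 0
    fi
    # disable_ipv6=1: the stack exists but IPv6 is switched off on this interface.
    if [ "$(cat "$conf/$iface/disable_ipv6" 2>/dev/null)" = "1" ]; then
        echo "disabled"
        return 0
    fi
    # Stack enabled: look for configured addresses. In /proc/net/if_inet6
    # the sixth field is the device name.
    if awk -v i="$iface" '$6 == i { f = 1 } END { exit !f }' \
        "$root/net/if_inet6" 2>/dev/null; then
        ra=$(cat "$conf/$iface/accept_ra" 2>/dev/null || echo "?")
        echo "active accept_ra=$ra"
    else
        echo "enabled-no-address"
    fi
}

# Usage: sh ipv6_state.sh eth1
if [ $# -gt 0 ]; then
    ipv6_state "$1"
fi
```

A result of `no-stack` or `disabled` means the advertisements seen in the capture are not being processed by this host, whatever tcpdump prints.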