Showing posts with label ipv6.

Tuesday, November 9, 2010

Linux / UNIX: DNS Lookup Command

SkyHi @ Tuesday, November 09, 2010
How do I perform dns lookup under Linux or UNIX or Apple OS X operating systems without using 3rd party web sites for troubleshooting DNS usage?

You can use either of the following DNS lookup utilities under Linux / UNIX, and skip the 3rd party websites, to debug your DNS servers and lookup issues:
[a] host command - DNS lookup utility.
[b] dig command - DNS lookup utility.
Both commands let you get answers to the various DNS query types, such as the IP address (A), mail exchangers (MX), name servers (NS), text annotations (TXT), or ANY (all types).

host DNS Lookup Examples

host command is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host command displays a short summary of its command line arguments and options. The syntax is as follows:
host example.com
host -t TYPE example.com
host -t a example.com

Task: Find Out the Domain IP

$ host -t a cyberciti.biz
Sample outputs:
cyberciti.biz has address 75.126.153.206

Task: Find Out the Domain Mail Server

$ host -t mx cyberciti.biz
Sample outputs:
cyberciti.biz mail is handled by 2 CYBERCITI.BIZ.S9A2.PSMTP.com.
cyberciti.biz mail is handled by 3 CYBERCITI.BIZ.S9B1.PSMTP.com.
cyberciti.biz mail is handled by 4 CYBERCITI.BIZ.S9B2.PSMTP.com.
cyberciti.biz mail is handled by 1 CYBERCITI.BIZ.S9A1.PSMTP.com.

Task: Find Out the Domain Name Servers

$ host -t ns cyberciti.biz
Sample outputs:
cyberciti.biz name server ns2.nixcraft.net.
cyberciti.biz name server ns1.nixcraft.net.
cyberciti.biz name server ns5.nixcraft.net.
cyberciti.biz name server ns4.nixcraft.net.

Task: Find Out the Domain TXT Record (e.g., SPF)

$ host -t txt cyberciti.biz
Sample outputs:
cyberciti.biz descriptive text "v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 ip4:74.86.48.101 ip4:74.86.48.100 ip4:72.26.218.170 ip4:93.89.92.12 ip4:180.92.186.178 include:_spf.google.com ~all"

Task: Find Out the Domain CNAME Record

$ host -t cname files.cyberciti.biz
Sample outputs:
files.cyberciti.biz is an alias for files.cyberciti.biz.edgesuite.net.

Task: Find Out the Domain SOA Record

$ host -t soa cyberciti.biz
Sample outputs:
cyberciti.biz has SOA record ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600

Task: Query Particular Name Server

Query ns2.nixcraft.net:
$ host cyberciti.biz ns2.nixcraft.net
Sample outputs:
Using domain server:
Name: ns2.nixcraft.net
Address: 75.126.168.152#53
Aliases: 

cyberciti.biz has address 75.126.153.206
cyberciti.biz has IPv6 address 2607:f0d0:1002:51::4
cyberciti.biz mail is handled by 3 CYBERCITI.BIZ.S9B1.PSMTP.com.
cyberciti.biz mail is handled by 4 CYBERCITI.BIZ.S9B2.PSMTP.com.
cyberciti.biz mail is handled by 1 CYBERCITI.BIZ.S9A1.PSMTP.com.
cyberciti.biz mail is handled by 2 CYBERCITI.BIZ.S9A2.PSMTP.com.

Task: Display All Information About Domain Records and Zone

Pass the -a (all) option, which asks host to make a query of type ANY (and implies verbose output):
$ host -a cyberciti.biz
OR
$ host -t any cyberciti.biz
Sample outputs:
Trying "cyberciti.biz"
;; Truncated, retrying in TCP mode.
Trying "cyberciti.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34079
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cyberciti.biz.   IN ANY

;; ANSWER SECTION:
cyberciti.biz.  3423 IN AAAA 2607:f0d0:1002:51::4
cyberciti.biz.  3600 IN SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600
cyberciti.biz.  3600 IN TXT "v=spf1 a mx ip4:74.86.48.99 ip4:74.86.48.98 ip4:74.86.48.102 ip4:74.86.48.101 ip4:74.86.48.100 ip4:72.26.218.170 ip4:93.89.92.12 ip4:180.92.186.178 include:_spf.google.com ~all"
cyberciti.biz.  3600 IN MX 2 CYBERCITI.BIZ.S9A2.PSMTP.com.
cyberciti.biz.  3600 IN MX 3 CYBERCITI.BIZ.S9B1.PSMTP.com.
cyberciti.biz.  3600 IN MX 4 CYBERCITI.BIZ.S9B2.PSMTP.com.
cyberciti.biz.  3600 IN MX 1 CYBERCITI.BIZ.S9A1.PSMTP.com.
cyberciti.biz.  2805 IN A 75.126.153.206
cyberciti.biz.  3423 IN NS ns2.nixcraft.net.
cyberciti.biz.  3423 IN NS ns5.nixcraft.net.
cyberciti.biz.  3423 IN NS ns1.nixcraft.net.
cyberciti.biz.  3423 IN NS ns4.nixcraft.net.
cyberciti.biz.  84092 IN RRSIG NSEC 8 2 86400 20101125013720 20101026010313 50568 biz. OjDv09mccTZR2bYCl4D57QcnNEkBq6bNEa20ExsI6NC2sI9pmiKLnq+w UnCYxWMnkMi7WNXwIhhUWtNhV48X3wJGj1Mufrhq8MnO25JIcRE6UJF2 y12TTZHHE0UJV6HSkw1sac3XlZKXLi/oSvE/IXTsdj2SckPh+pMlaieQ jAA=
cyberciti.biz.  84092 IN NSEC CYBERCITIZEN.biz. NS RRSIG NSEC

Received 749 bytes from 192.168.1.254#53 in 0.1 ms

Task: Use IPv6 Query Transport

Test your DNS lookup over IPv6 transport (you must have IPv6 connectivity, including resolving name servers reachable over IPv6):
$ host -6 cyberciti.biz
$ host -6 -a cyberciti.biz
$ host -6 cyberciti.biz ns1.nixcraft.net
$ host -6 -t ns cyberciti.biz ns3.nixcraft.net
Sample outputs:
Using domain server:
Name: ns3.nixcraft.net
Address: 2001:48c8:10:1::2#53
Aliases: 

cyberciti.biz name server ns2.nixcraft.net.
cyberciti.biz name server ns4.nixcraft.net.
cyberciti.biz name server ns5.nixcraft.net.
cyberciti.biz name server ns1.nixcraft.net.

Task: Reverse IP Lookup

Type the command:
$ host {IP-Address-Here}
$ host 75.126.153.206

Sample outputs:
206.153.126.75.in-addr.arpa domain name pointer www.cyberciti.biz.

Task: Get TTL Information

Type the command as follows:
$ host -v -t {TYPE} {example.com}
$ host -v -t a cyberciti.biz
$ host -v -t a i.hexindia.net

Sample outputs:
Trying "cyberciti.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17431
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 7

;; QUESTION SECTION:
;cyberciti.biz.   IN A

;; ANSWER SECTION:
cyberciti.biz.  1866 IN A 75.126.153.206

;; AUTHORITY SECTION:
cyberciti.biz.  3850 IN NS NS1.NIXCRAFT.NET.
cyberciti.biz.  3850 IN NS NS4.NIXCRAFT.NET.
cyberciti.biz.  3850 IN NS NS5.NIXCRAFT.NET.
cyberciti.biz.  3850 IN NS NS2.NIXCRAFT.NET.

;; ADDITIONAL SECTION:
NS1.NIXCRAFT.NET. 85669 IN A 72.26.218.170
NS1.NIXCRAFT.NET. 85689 IN AAAA 2001:48c8:7::2
NS2.NIXCRAFT.NET. 85669 IN A 75.126.168.152
NS2.NIXCRAFT.NET. 85669 IN AAAA 2607:f0d0:1002:51::3
NS4.NIXCRAFT.NET. 85669 IN A 93.89.92.12
NS4.NIXCRAFT.NET. 85669 IN AAAA 2a01:348:0:15:5d59:50c:0:1
NS5.NIXCRAFT.NET. 85669 IN AAAA 2001:48c8:10:1::2

Received 291 bytes from 10.0.80.11#53 in 2 ms
If you run the same command again, you'll notice that the TTL value (1866) has decreased, because the answer is now being served from the resolver's cache and counts down towards expiry.

dig DNS Lookup Examples

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. The host tool has less functionality than dig.

Examples

dig @{ns1.example.com} {example.com}
dig @{ns1.example.com} {example.com} {TYPE}
dig cyberciti.biz a
dig cyberciti.biz mx
dig cyberciti.biz ns
dig cyberciti.biz txt
dig @ns1.nixcraft.net cyberciti.biz a

Task: Trace Usage

See how domains are resolved using root servers i.e. turn on tracing of the delegation path from the root name servers for the name being looked up. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup:
$ dig +trace cyberciti.biz
Sample outputs:
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +trace cyberciti.biz
;; global options:  printcmd
.   41219 IN NS b.root-servers.net.
.   41219 IN NS e.root-servers.net.
.   41219 IN NS i.root-servers.net.
.   41219 IN NS d.root-servers.net.
.   41219 IN NS g.root-servers.net.
.   41219 IN NS k.root-servers.net.
.   41219 IN NS l.root-servers.net.
.   41219 IN NS c.root-servers.net.
.   41219 IN NS m.root-servers.net.
.   41219 IN NS a.root-servers.net.
.   41219 IN NS h.root-servers.net.
.   41219 IN NS j.root-servers.net.
.   41219 IN NS f.root-servers.net.
;; Received 436 bytes from 10.0.80.11#53(10.0.80.11) in 2 ms

biz.   172800 IN NS h.gtld.biz.
biz.   172800 IN NS c.gtld.biz.
biz.   172800 IN NS e.gtld.biz.
biz.   172800 IN NS b.gtld.biz.
biz.   172800 IN NS g.gtld.biz.
biz.   172800 IN NS a.gtld.biz.
biz.   172800 IN NS f.gtld.biz.
;; Received 316 bytes from 192.228.79.201#53(b.root-servers.net) in 34 ms

cyberciti.biz.  7200 IN NS NS5.NIXCRAFT.NET.
cyberciti.biz.  7200 IN NS NS1.NIXCRAFT.NET.
cyberciti.biz.  7200 IN NS NS2.NIXCRAFT.NET.
cyberciti.biz.  7200 IN NS NS4.NIXCRAFT.NET.
;; Received 115 bytes from 2001:503:8028:ffff:ffff:ffff:ffff:ff7e#53(h.gtld.biz) in 23 ms

cyberciti.biz.  3600 IN A 75.126.153.206
cyberciti.biz.  3600 IN NS ns4.nixcraft.net.
cyberciti.biz.  3600 IN NS ns5.nixcraft.net.
cyberciti.biz.  3600 IN NS ns1.nixcraft.net.
cyberciti.biz.  3600 IN NS ns2.nixcraft.net.
;; Received 307 bytes from 2001:48c8:10:1::2#53(NS5.NIXCRAFT.NET) in 222 ms

Task: Get Only Short Answer

A quick way to just get the answer is to type the following command:
$ dig +short cyberciti.biz
Sample outputs:
75.126.153.206

Task: Display All Records

$ dig +noall +answer cyberciti.biz any
Sample outputs:
cyberciti.biz.  3490 IN A 75.126.153.206
cyberciti.biz.  2733 IN NS NS2.NIXCRAFT.NET.
cyberciti.biz.  2733 IN NS NS1.NIXCRAFT.NET.
cyberciti.biz.  2733 IN NS NS4.NIXCRAFT.NET.
cyberciti.biz.  2733 IN NS NS5.NIXCRAFT.NET.
cyberciti.biz.  85668 IN RRSIG NSEC 8 2 86400 20101125013720 20101026010313 50568 biz. OjDv09mccTZR2bYCl4D57QcnNEkBq6bNEa20ExsI6NC2sI9pmiKLnq+w UnCYxWMnkMi7WNXwIhhUWtNhV48X3wJGj1Mufrhq8MnO25JIcRE6UJF2 y12TTZHHE0UJV6HSkw1sac3XlZKXLi/oSvE/IXTsdj2SckPh+pMlaieQ jAA=
cyberciti.biz.  85668 IN NSEC CYBERCITIZEN.biz. NS RRSIG NSEC

Task: Reverse IP Lookup

Type the following command:
$ dig -x +short {IP-Address-here}
$ dig -x 75.126.153.206 +short

Sample outputs
www.cyberciti.biz.
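The reverse lookup above works because host and dig turn the address into a PTR owner name: the octets reversed under in-addr.arpa for IPv4, and for IPv6 (which the article's sample does not show) every hex nibble reversed under ip6.arpa. The following is an added example, not code from the original article, that builds that name for both address families and also derives the reverse zone a prefix is delegated in, which is the name to give host -t soa or dig +nssearch when a PTR is missing. The /24 and /64 networks in it are constructed from the sample addresses.

```python
import ipaddress


def reverse_pointer(address: str) -> str:
    """Return the PTR owner name that `host <ip>` / `dig -x <ip>` actually queries."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # IPv4: octets in reverse order under in-addr.arpa
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6: expand to all 32 hex nibbles, reverse them, one label per nibble
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(network: str) -> str:
    """Return the reverse zone that PTR records for this prefix live in.

    in-addr.arpa zones are delegated on octet (8-bit) boundaries and ip6.arpa
    zones on nibble (4-bit) boundaries; anything else (e.g. an IPv4 /25) is
    handled with CNAME delegation tricks (RFC 2317), so refuse rather than guess.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    # 75.126.153.206 and 2607:f0d0:1002:51::4 are the addresses from the output above;
    # the two networks are constructed from them for illustration.
    for a in ("75.126.153.206", "2607:f0d0:1002:51::4"):
        print(f"host {a:24} -> {reverse_pointer(a)}")
    for n in ("75.126.153.0/24", "2607:f0d0:1002:51::/64"):
        print(f"zone for {n:24} -> {reverse_zone(n)}")
```

If a reverse lookup returns NXDOMAIN, query the SOA of the zone reverse_zone() gives you: if that zone does not exist either, the problem is a missing delegation at the ISP or RIR rather than a missing PTR record.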

Task: Find Domain SOA Record

$ dig +nssearch cyberciti.biz
Sample outputs:
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns5.nixcraft.net in 81 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns4.nixcraft.net in 216 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns1.nixcraft.net in 347 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns2.nixcraft.net in 316 ms.
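+nssearch is most useful as a consistency check: every authoritative server should return the same serial, and a server that lags behind (or does not answer at all) is the usual cause of "the record is right on one resolver and wrong on another". The following added example, not part of the original article, parses output in the format shown above and flags lagging and silent servers, comparing serials with RFC 1982 wrap-around arithmetic rather than a plain integer compare. The sample text is constructed from the output above with ns4 deliberately set one serial behind, and the expected server list (including a hypothetical ns3 that never answered) is an assumption.

```python
import re

# Constructed sample modelled on the dig +nssearch output above, with ns4
# deliberately one serial behind (assumption for illustration, not real data).
SAMPLE_NSSEARCH = """\
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns5.nixcraft.net in 81 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072352 10800 3600 604800 3600 from server ns4.nixcraft.net in 216 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns1.nixcraft.net in 347 ms.
SOA ns1.nixcraft.net. vivek.nixcraft.com. 2008072353 10800 3600 604800 3600 from server ns2.nixcraft.net in 316 ms.
"""

# Servers the zone claims to have (what `host -t ns` would list); ns3 is a
# hypothetical server added here to show the "no answer" case.
EXPECTED_NS = {"ns1.nixcraft.net", "ns2.nixcraft.net", "ns3.nixcraft.net",
               "ns4.nixcraft.net", "ns5.nixcraft.net"}

NSSEARCH_RE = re.compile(
    r"^SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+"
    r"(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s+from server\s+"
    r"(?P<server>\S+)\s+in\s+(?P<ms>\d+)\s+ms\.?$"
)


def parse_nssearch(text):
    """Map each answering authoritative server to the SOA serial it returned."""
    serials = {}
    for line in text.splitlines():
        m = NSSEARCH_RE.match(line.strip())
        if m:
            serials[m.group("server")] = int(m.group("serial"))
    return serials


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: is a 'newer' than b modulo 2**32?"""
    half = 1 << 31
    return (a < b and b - a > half) or (a > b and a - b < half)


def newest_serial(serials):
    newest = None
    for s in serials.values():
        if newest is None or serial_gt(s, newest):
            newest = s
    return newest


def lagging_servers(serials):
    """Servers still serving an older serial: zone transfers are failing or pending."""
    newest = newest_serial(serials)
    if newest is None:
        return []
    return sorted(srv for srv, s in serials.items() if serial_gt(newest, s))


def missing_servers(expected, serials):
    """Delegated name servers that returned no SOA at all (down, lame, or filtered)."""
    return sorted(expected - set(serials))


if __name__ == "__main__":
    got = parse_nssearch(SAMPLE_NSSEARCH)
    print("newest serial:", newest_serial(got))
    print("lagging:", lagging_servers(got))
    print("no answer:", missing_servers(EXPECTED_NS, got))
```

Run the real check by feeding the output of `dig +nssearch example.com` to parse_nssearch() and the NS list from `host -t ns example.com` to missing_servers(); a lagging server right after a zone change is normal until the SOA refresh interval has passed, a server that stays behind longer than that is not.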

Task: Find Out TTL Value Using dig

$ dig +nocmd +noall +answer {TYPE} {example.com}
$ dig +nocmd +noall +answer a cyberciti.biz

Sample outputs:
cyberciti.biz.  1642 IN A 75.126.153.206
Run again, enter:
$ dig +nocmd +noall +answer a cyberciti.biz
Sample outputs:
cyberciti.biz.  1629 IN A 75.126.153.206

See also the man pages for more information:
man dig
man host


REFERENCES
http://www.cyberciti.biz/faq/unix-linux-dns-lookup-command/

Tuesday, May 18, 2010

How to config ipv6 on solaris 10 and nevada?

SkyHi @ Tuesday, May 18, 2010
To configure ipv6 on an interface, you can use:

ifconfig e1000g0 inet6 plumb up
ifconfig e1000g0 inet6 addif 2000:2::1/64 up

To set up the routing, use something like:

route add -inet6 2000:1::1 2000:2::2


You may want to take a look at the corresponding section in "Solaris
Administration Guide" for details:

http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

REFERENCE
http://opensolaris.org/jive/thread.jspa?threadID=67173

Installing IPv6 on Windows XP

SkyHi @ Tuesday, May 18, 2010
IPv6 support is still experimental under Windows XP and the stack has to be enabled manually.


To enable the Windows XP IPv6 stack:
  • From the Windows desktop press the “start” button.
  • Click on “Control Panel”.
  • Assuming that the Control Panel is in classic view mode, click on “Network Connections”.
  • Right click on the connection that needs to have the IPv6 stack enabled and go to “Properties”
  • On the properties window click on the “Install…” button.
  • On the “Select Network Component Type” window, select the “Protocol” option and then click on the “Add…” button.
  • On the “Select Network Protocol” window select “Microsoft TCP/IP version 6” and then click the “Ok” button.


The Microsoft IPv6 stack is now enabled for your network connection.


There is no graphical configuration of IPv6 properties/settings. The command-line tool netsh is used to configure IPv6 for interfaces.


To add or delete an IPv6 Address:
  • From a windows command line invoke the netsh tool by typing “netsh” and then pressing the enter key.
  • Next change the context of netsh to interface by typing “interface” and press enter.
  • Change the context of the interface to ipv6 mode by typing “ipv6” and pressing enter.
  • The command to add an address has the form “add address [interface=]<string> [address=]<IPv6 Address>”. Example: add address interface="Local Area Connection 2" 2001:1945:feed:deef::1


Deletion can be handled in the same manner by using keyword delete instead of keyword add.


Hope this helps.

REFERENCES
http://forums.techarena.in/networking-security/1098260.htm

Wednesday, February 3, 2010

Proftpd error setting IPV6_V6ONLY: Protocol not available

SkyHi @ Wednesday, February 03, 2010
error:
After updating Proftpd to version 1.3.0

we're getting the error signal:

error setting IPV6_V6ONLY: Protocol not available in our proftpd logs.

Solution:

You can use
Code:
UseIPv6 off
in proftpd.conf to disable IPv6.


Monday, November 16, 2009

bind

SkyHi @ Monday, November 16, 2009

Friday, November 6, 2009

The time for IPv6 is now!

SkyHi @ Friday, November 06, 2009
As many of you know, we are running out of IPv4 addresses; 800 days is what is left for IANA's global pool of available IPv4 addresses. It's not a question of if we are going to run out, it's more a matter of when it is going to happen: in 2010 or 2011? This is not too far away from now, so it is time to think about the consequences. At first glance it doesn't seem to impact us, BC universities or BCNET much. We have more than enough IPv4 addresses left, so what's the problem here?
Obviously there's an immediate problem for new Internet users like startup companies who need address space for their products. And let's not forget about developing countries that have a high demand for IP addresses. Also think about future developments such as every cell phone with an IP address; that would greatly increase the demand for IP addresses. So yes, there's a real problem for those cases, and the only 'real' solution for them is to use IPv6, basically because they have no other choice.

Now just think one step further. What does that mean if the new YouTube can't get IPv4 addresses? Yes, it will probably use IPv6 addresses. And guess what, our students of course want to be able to reach this "new YouTube", but they can't because we (universities in BC) only provide IPv4 access because we thought we didn't have a problem with IPv4 addresses. And all of a sudden we do need IPv6 access! Not because we have a shortage of addresses, but because other parts of the world do have a shortage and we want to be able to communicate with all hosts on the Internet. Imagine a future student, for example in China or Japan, wants to visit the UBC website for information about our programs. But guess what, they can't reach our IPv4 website, because they only have IPv6 access from home or their new iPhone. Just a few examples of the need for IPv6 support, also in parts of the Internet where we have enough addresses for future use.

What would you answer your CTO if he/she asks you what your IPv6 plans are? "Eeh, plan?? I thought that was something for researchers only?" No, IPv6 is no longer a research project and we shouldn't look at it like that. We don't start upgrading our networks to 10 Gbps when the links are congested; we plan ahead so that this doesn't happen. The same should be the case for IPv6. We shouldn't wait till the problem presents itself and forces us to come up with a solution. It's exactly the same for IPv6: we should carefully plan this and gradually roll out IPv6 support, and the time to do that is now.

Some of you might have heard of translation mechanisms. I wouldn't want to bet on IPv4-IPv6 translation mechanisms (comparable to NAT) which are currently being standardized. If circumstances allow, you really want to go for native (dual-stack) connectivity. BCNET is IPv6 ready and we can connect your universities today! Today is the day to start testing and experimenting so that next year you'll be ready to serve your customers with IPv6 connectivity. Remember that IPv6 is not an extra fancy feature like multicast; it's going to be basic functionality soon, very soon!

Reference: https://wiki.bc.net/atl-conf/display/~atoonk/2008/11/12/The+time+for+IPv6+is+now!

Bypassing firewalls with IPv6 tunnels

SkyHi @ Friday, November 06, 2009
Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs. If you'd like a demonstration, watch this video that we created.

For some background information, you may want to review Wikipedia's definition of IPv6 and our blog entry explaining why you should care about it. This post is primarily for users who may have IPv6 on their systems but have not actually deployed it.

To investigate IPv6 tunnels' effect on firewalls, we created a test to see how an IPv6 Teredo-compatible tunnel can be used to trivially bypass an IPv4-only firewall. The video referenced in the first paragraph shows our whole exercise in real time. We used a typical iptables firewall and appended the following rules to reject TCP connections that have the string "google" anywhere in the packet:

iptables -A OUTPUT -p tcp -m string --algo bm --string "google" -j REJECT
iptables -A INPUT -p tcp -m string --algo bm --string "google" -j REJECT

The rules work; browser connections to www.google.com fail. But the rules produce a large number of false positives, won't catch HTTPS connections, and are "expensive" to process, so don't paste them into your iptables script.

Lines 1-5 of this packet capture show exactly how the REJECT rule works (connections are closed, not discarded). There are also some interesting packets on lines 6 and 7. The packets in these lines are IPv6 packets being transported by IPv4 UDP. More specifically, the lines show a router solicitation (us asking for an IPv6 address) and a router advertisement (a router offering an IP prefix).

To see what happens when we browse to an IPv6-enabled website, let's go to http://ipv6.google.com. Looking at the capture file, you can see that the connection was successful. The HTTP GET string was transferred inside of a UDP packet and didn't trigger the iptables rules that were searching for that string inside of TCP packets (line 22).

We've illustrated the potential problem, but what about a solution? Trying to block ports can be effective but is likely to only work for specific brokers who are using the expected ports. Consider the following alternatives:

* IPv6-aware host-based firewalls can be effective. In our example, calling the ip6tables rules below would have blocked connections to http://ipv6.google.com.

ip6tables -A OUTPUT -p tcp -m string --algo bm --string "google" -j REJECT
ip6tables -A INPUT -p tcp -m string --algo bm --string "google" -j REJECT
* If you're trying to block IPv6 tunnels on the network, you could look for router advertisements or solicitations. Router solicitations are sent to the all-routers multicast address ff02::2 and router advertisements to the all-nodes multicast address ff02::1. Here is an un-optimized example iptables rule that rejects IPv4 UDP datagrams carrying the all-routers address (the 16 bytes of ff02::2) anywhere in their payload:

iptables -I FORWARD 1 -p udp --dport 1024: -m string --hex-string "|ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 02|" --algo bm -j REJECT

One of our readers pointed out that blocking local IPv6 traffic could cause an operating system to activate an IPv6 tunnel. He is correct; however, this rule should not interfere with native IPv6—it only applies to IPv4 UDP connections that are going between two interfaces (the FORWARD chain).

* We've heard that IPFilter development version 5.06 will decapsulate IPv6 in IPv4 packets and apply filtering rules. The following syntax, which we haven't tested, might block IPv6 in IPv4 tunnels:

decapsulate in on bge0 family inet6 proto ip all head ipinip6
block in all group ipinip6

* Evan Wright from our Network Situational Awareness team pointed out that blocking protocols at border routers can stop some types of IPv6 connectivity. Using access control lists at border routers to block protocols 41 (used by 6to4), 43, 44, 58, 59, 60, and 192.88.99.1 (default anycast address of some 6to4 systems) would be a good place to start. Shown as an iptables example, it would look like this:

iptables -A FORWARD -p 41 -j REJECT
iptables -A FORWARD -p 43 -j REJECT
iptables -A FORWARD -p 44 -j REJECT
iptables -A FORWARD -p 58 -j REJECT
iptables -A FORWARD -p 59 -j REJECT
iptables -A FORWARD -p 60 -j REJECT
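To make concrete why the IPv4 TCP string rule misses the tunnelled GET while the --hex-string rule catches the router solicitation, here is an added example (not from the CERT post or its video) that decodes an IPv6 packet carried as the payload of an IPv4 UDP datagram, the way a Teredo-compatible tunnel transports it. It shows the precise form of the ff02::2 check, what the outer string match sees, and what a decapsulating filter would see. Both packets are constructed in the code, not captured traffic; the Teredo client address and the 2001:db8:: destination are placeholders.

```python
import ipaddress
import struct

ICMPV6, TCP, UDP = 58, 6, 17
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")   # target of router solicitations
ROUTER_SOLICITATION = 133


def build_ipv6(src, dst, next_header, payload, hop_limit=255):
    """Minimal IPv6 header (version 6, zero traffic class / flow label) + payload."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(data):
    """Return (next_header, src, dst, payload), or None if this is not a bare IPv6 packet.

    Real Teredo may prefix the IPv6 packet with an authentication (0x0001) or
    origin indication (0x0000) header (RFC 4380); those start with a zero nibble,
    not 6, so they would have to be stripped before calling this.
    """
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    _, payload_len, next_header, _ = struct.unpack("!IHBB", data[:8])
    src = ipaddress.IPv6Address(data[8:24])
    dst = ipaddress.IPv6Address(data[24:40])
    return next_header, src, dst, data[40:40 + payload_len]


def is_router_solicitation(udp_payload):
    """The precise form of the --hex-string ff02::2 rule: ICMPv6 type 133 to all-routers."""
    parsed = parse_ipv6(udp_payload)
    if parsed is None:
        return False
    next_header, _, dst, payload = parsed
    return (next_header == ICMPV6 and dst == ALL_ROUTERS
            and len(payload) >= 1 and payload[0] == ROUTER_SOLICITATION)


def ipv4_string_rule_matches(ip_proto, l4_payload, needle):
    """What `iptables -p tcp -m string --string needle` sees: only TCP, only the outer layer."""
    return ip_proto == TCP and needle in l4_payload


def tunnelled_tcp_contains(udp_payload, needle):
    """What the rule misses: the TCP payload inside the IPv6 packet inside the UDP datagram."""
    parsed = parse_ipv6(udp_payload)
    if parsed is None or parsed[0] != TCP:
        return False
    segment = parsed[3]
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4            # TCP header length in bytes
    return needle in segment[data_offset:]


# Constructed sample packets (not captured traffic).
# 1. Router solicitation from a link-local address to all-routers: type 133, code 0,
#    checksum left at zero, four reserved bytes.
RS_TUNNELLED = build_ipv6("fe80::1", "ff02::2", ICMPV6, bytes([133, 0, 0, 0, 0, 0, 0, 0]))

# 2. HTTP GET from a Teredo address (2001:0::/32) to a documentation-prefix address,
#    in a 20-byte TCP header (data offset 5, flags PSH|ACK) with no options.
HTTP_SEGMENT = (struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
                + b"GET / HTTP/1.1\r\nHost: ipv6.google.com\r\n\r\n")
HTTP_TUNNELLED = build_ipv6("2001:0:c000:204:8000:ffff:3fff:fffe", "2001:db8::80", TCP, HTTP_SEGMENT)

if __name__ == "__main__":
    print("router solicitation detected:", is_router_solicitation(RS_TUNNELLED))
    print("IPv4 TCP string rule sees 'google' in the UDP datagram:",
          ipv4_string_rule_matches(UDP, HTTP_TUNNELLED, b"google"))
    print("decapsulated IPv6/TCP contains 'google':",
          tunnelled_tcp_contains(HTTP_TUNNELLED, b"google"))
```

The --hex-string rule above is the blunt version of is_router_solicitation(): it fires on the 16 bytes of ff02::2 at any offset, which is cheap but also matches unrelated payloads, while a decapsulating filter (ip6tables on the host, or IPFilter's decapsulate as described below) gets to apply the same string match to the inner TCP segment.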

These examples may not directly apply to your network, but hopefully they illustrated the problem and gave you some suggestions that you can use as a starting point for improving the security of your firewalls.


Reference: http://www.cert.org/blogs/vuls/2009/04/bypassing_firewalls_with_ipv6.html

Managing IPv6

SkyHi @ Friday, November 06, 2009
Managing IPv6 - Part 1
By Ryan Giobbi on August 19, 2009 10:07 AM

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded.

The following are some of the reasons why an administrator would want to disable IPv6:

* Many networks have IPv6 connectivity running on their LAN but do not have IPv6 WAN connectivity. Programs may see the connectivity on the LAN and unsuccessfully attempt to use IPv6 to connect to remote IPv6-enabled servers.
* Local IPv6 traffic might be able to bypass IDS systems or other low-layer network defenses.
* Operating systems may obtain global (publicly reachable) IPv6 addresses by creating tunnels.
* Running an additional protocol increases a system's attack surface.
* Global addressing restores end-to-end connectivity, so hosts that were only reachable through NAT in IPv4 become directly addressable from outside.

There are also more than a couple of reasons why an administrator wouldn't want to disable IPv6 connectivity:

* The network has full IPv6 connectivity, and software on the network actively uses some of the features (usually the large pool of global addresses) found only in IPv6.
* Network services running on the LAN are actively using IPv6.
* The network is designed to be a "dumb pipe," and the administrator is expected not to interfere with passing traffic.
* Global addressing restores end-to-end connectivity.

Below are instructions for disabling IPv6 on some popular operating systems. At the bottom of the entry are links to scripts that you can run from the command line.



Disabling IPv6 via firewalls or access control lists

To disable IPv6 at a router or firewall, block protocols 41, 43, 44, 58, 59, and 60 as well as UDP ports 3544 and 3545. This firewall policy will likely miss some tunneled and non-routed IPv6 traffic (such as Teredo-compatible tunnels on non-standard ports) running on the local network.

There is too much variation in firewall syntax for us to list rules for every vendor; instead, we've written a few rules in Cisco's ACL syntax, as a named extended IPv4 access list (the list name and the interface it is applied to are placeholders), and included an ip6tables script linked at the bottom of this page.

ip access-list extended BLOCK-IPV6-TUNNELS
 deny 41 any any
 deny 43 any any
 deny 44 any any
 deny 58 any any
 deny 59 any any
 deny 60 any any
 deny udp any any eq 3544
 deny udp any any eq 3545
 ! an extended ACL ends with an implicit deny; keep everything else flowing
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-IPV6-TUNNELS in



Disabling IPv6 on Windows XP and Server 2003

The easiest way to disable IPv6 on Windows XP and Server 2003 is to run this command from a prompt with administrator privileges and reboot:

netsh.exe interface ipv6 uninstall



Disabling IPv6 on Windows Vista and Server 2008

The IPv6 protocol cannot be uninstalled from Windows Vista. The most effective way of disabling it is to set the DisabledComponents value in the registry (shown here as a .reg fragment; a reboot is required for it to take effect):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:ffffffff

If you don't want to edit the registry, the following netsh commands will effectively block IPv6. Note to administrators: using the "domain profile" feature of the Windows firewall will allow you to create rules that block IPv6 connectivity based on whether the user is authenticated to your domain.

netsh advfirewall firewall add rule name="IPv6 icmpv6 out" protocol=icmpv6 dir=out action=block
netsh advfirewall firewall add rule name="IPv6 icmpv6 in" protocol=icmpv6 dir=in action=block
netsh advfirewall firewall add rule name="IPv6 protocol 41" protocol=41 dir=out action=block
netsh advfirewall firewall add rule name="IPv6 protocol 43" protocol=43 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 44" protocol=44 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 58" protocol=58 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 59" protocol=59 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 60" protocol=60 action=block dir=out



Disabling IPv6 on Red Hat Enterprise Linux 5

1. Edit /etc/sysctl.conf
2. Append "net.ipv6.conf.all.disable_ipv6 = 1"
3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disable_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disable_ipv6 = 1") to selectively disable IPv6 on that interface.

The following steps keep the IPv6 kernel module from being loaded at all, which disables IPv6 on every interface:

1. Edit /etc/modprobe.conf
2. Append "alias net-pf-10 off"
3. Reboot; the alias only prevents future loads of the module, so it has no effect on an ipv6 module that is already loaded

For those of you who really want to disable IPv6, add these lines to your iptables scripts:

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -I INPUT -p all -j DROP
ip6tables -I OUTPUT -p all -j DROP



Disabling IPv6 on Ubuntu Linux (version 9.04)

1. Edit /etc/sysctl.conf
2. Append "net.ipv6.conf.all.disable_ipv6 = 1"
3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disable_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disable_ipv6 = 1") to selectively disable IPv6 on that interface.

The following steps keep the IPv6 kernel module from being loaded at all, which disables IPv6 on every interface:

1. Edit /etc/modprobe.d/blacklist
2. Append "blacklist ipv6"
3. Reboot for the change to take effect

Note that a blacklist entry only stops the module from being loaded automatically by device alias; a request for the protocol family can still pull it in through the net-pf-10 alias, so "alias net-pf-10 off" (as in the Red Hat steps) or "install ipv6 /bin/true" is more reliable, and on kernels where IPv6 is built in rather than modular only the sysctl method applies.

Ubuntu users who run UFW can check /etc/default/ufw. If IPV6=no, you can block IPv6 connectivity with this command:

sudo ufw disable && sudo ufw enable
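Before and after applying any of the settings above it helps to know which interfaces actually hold IPv6 addresses, and in particular whether a tunnel (Teredo or 6to4) has given the host a globally reachable address, which is the third reason in the list at the top of this entry. The following added example, not from the CERT post or its linked scripts, parses the /proc/net/if_inet6 format and classifies each address, extracting the IPv4 endpoint embedded in tunnel addresses. The snapshot in the code is constructed; the Teredo and 6to4 addresses in it embed the documentation IPv4 address 192.0.2.4. Run it against a real host by passing open("/proc/net/if_inet6").read() to exposure_report().

```python
import ipaddress

# Constructed /proc/net/if_inet6 snapshot (hex address, ifindex, prefix length,
# scope, flags, interface); assumption for illustration, not taken from a real host.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021c42fffe9c0001 02 40 20 80     eth0
20010db8000000000000000000000001 02 40 00 80     eth0
20010000c00002048000ffff3ffffffe 03 40 00 80   teredo
2002c000020400000000000000000001 04 10 00 80    tun6to4
"""

TEREDO = ipaddress.IPv6Network("2001::/32")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def parse_if_inet6(text):
    """Yield (interface, IPv6Address, prefix_length) for each configured address."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        addr = ipaddress.IPv6Address(bytes.fromhex(fields[0]))
        yield fields[5], addr, int(fields[2], 16)      # prefix length is hex in this file


def classify(addr):
    """Name the kind of address, most specific first; tunnels are flagged before 'global'."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in TEREDO:
        return "teredo"
    if addr in SIX_TO_FOUR:
        return "6to4"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def embedded_ipv4(addr):
    """For tunnel addresses, the IPv4 side the tunnel rides on (relay/server and client)."""
    if addr.sixtofour is not None:
        return str(addr.sixtofour)
    if addr.teredo is not None:
        server, client = addr.teredo
        return f"server {server}, client {client}"
    return None


def exposure_report(text):
    """Addresses reachable from the IPv6 Internet, grouped by interface."""
    report = {}
    for iface, addr, _plen in parse_if_inet6(text):
        kind = classify(addr)
        if kind in ("global", "teredo", "6to4"):
            report.setdefault(iface, []).append((str(addr), kind, embedded_ipv4(addr)))
    return report


if __name__ == "__main__":
    for iface, entries in exposure_report(SAMPLE_IF_INET6).items():
        for address, kind, via in entries:
            print(f"{iface:8} {kind:8} {address}" + (f"  via IPv4 {via}" if via else ""))
```

An empty report after the sysctl or module change confirms the setting took; a Teredo or 6to4 entry on a host you believed was IPv4-only means the tunnel traffic is leaving as IPv4 UDP or protocol 41 and the border ACL above is the place to stop it.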



Scripts

Here are files you can use to disable IPv6. As with all scripts, make sure you understand the implications before running these on your system.

* ip6tables router/firewall shell script
* batch file to disable on Windows XP and Server 2003
* reg file to disable IPv6 on Windows Vista and Server 2008 (Microsoft has published instructions on how to import. Also see the instructions in the solution section of TA09-020A.)




Reference: http://www.cert.org/blogs/vuls/2009/08/managing_ipv6_part_i.html




Managing IPv6 - Part 2



Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings.

Administrators and developers who work with IPv4 will notice that IPv6 has made some changes beyond offering many more addresses than IPv4. The following are some of the changes that have security impacts:

* Many hosts that currently have private IPv4 addresses will have global, publicly reachable addresses.
* ICMPv6 carries Neighbor Discovery, which replaces ARP and covers part of what DHCP does in IPv4, so it cannot simply be filtered out wholesale.
* IPv6 addresses can be predictable or partially random. Modern operating systems allow both, and there is a tradeoff between system management ease of use and user privacy.

These changes can cause problems. For example, a host that accepts any ICMPv6 type can be fingerprinted easily from remote systems. That might not be a problem for some networks, but it could be critical for others.

There are ways for administrators to handle these challenges. The examples below aren't universally applicable, so use them as a general guide.



Managing networks using global IPv6 addresses

Globally reachable addresses are not "hidden" in the same way as NAT addresses. To filter traffic destined to these clients, administrators can use application-layer proxy servers, stateful network filtering, or host-based firewalls.

Below is an example of filtering traffic to a globally reachable IPv6 address. For the purpose of these rules, 2001:1::/64 is the local network, eth0 is the LAN interface on a firewall, eth1 is the WAN interface on the firewall, and 2001:3::1 is an IPv6 address on the internet.

ip6tables -A FORWARD -p tcp -i eth0 -s 2001:1::/64 -j ACCEPT
ip6tables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p tcp -i eth1 --dport 3389 -s 2001:3::1 -j ACCEPT
ip6tables -A FORWARD -p tcp -i eth1 -m state --state NEW,INVALID -j DROP

The following is an explanation of what's happening in these rules, based on the behavior of a typical router doing NAT.

ip6tables -A FORWARD -p tcp -i eth0 -s 2001:1::/64 -j ACCEPT
Pass any TCP traffic that entered on our LAN's ethernet interface (-i eth0) and has a source address in the range our LAN is using (2001:1::/64).

ip6tables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Pass any TCP traffic that is part of an existing connection, so replies to the LAN's outbound connections get back in.

ip6tables -A FORWARD -p tcp -i eth1 --dport 3389 -s 2001:3::1 -j ACCEPT
Allow traffic coming in on our WAN interface (-i eth1) through to our LAN only if it comes from 2001:3::1 and is destined for the TCP port used by RDP (--dport 3389). Without the -s restriction any Internet host could reach the RDP service, because the LAN host has a global address and there is no NAT in front of it.

ip6tables -A FORWARD -p tcp -i eth1 -m state --state NEW,INVALID -j DROP
Drop all other new or invalid TCP traffic arriving from the WAN. Note that every rule above is restricted to -p tcp, so UDP and ICMPv6 forwarded in from eth1 match nothing and are decided by the FORWARD chain's policy, which defaults to ACCEPT; set the chain policy to DROP and add explicit ACCEPT rules for the ICMPv6 types you need (see the next section).

After configuring the firewall, administrators should test the ruleset to confirm it is working as expected. Two commonly used tools that can test IPv6 TCP and UDP policies are nmap and netcat6.

Building on the example above, let's imagine that a user logs into a host with IP address 2001:1::2/64 and starts a netcat listener on port 3389:

$ netcat6 -l -p 3389

A scan of that IP from any host on the internet other than 2001:3::1 should fail. This result can be verified with an nmap command (nmap needs -6 to scan an IPv6 target, and a single address rather than a /64, which would be 2^64 hosts):

$ nmap -6 -PN -sT 2001:1::2 -p 3389

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-02 14:32 EDT
Interesting ports on 2001:1::2:
PORT STATE SERVICE
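Rather than trusting the explanation, it is worth walking packets through the chain. The following added example, not code from the CERT post, models the four FORWARD rules above with iptables first-match semantics and the chain's default policy, and checks the cases the text describes plus one it does not: every rule is -p tcp, so UDP and ICMPv6 from the WAN never match a rule and fall through to the policy. A hardened variant with a protocol-independent catch-all for the WAN interface sits beside it. The test packets are constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("2001:1::/64")
RDP_PEER = ipaddress.ip_network("2001:3::1/128")

# The page's FORWARD chain, rule by rule, in order. Every rule carries -p tcp.
PAGE_RULES = [
    {"proto": "tcp", "in": "eth0", "src": LAN, "target": "ACCEPT"},
    {"proto": "tcp", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"proto": "tcp", "in": "eth1", "dport": 3389, "src": RDP_PEER, "target": "ACCEPT"},
    {"proto": "tcp", "in": "eth1", "state": {"NEW", "INVALID"}, "target": "DROP"},
]
# Hardened: identical, plus a protocol-independent catch-all for the WAN side
# (a real chain would also allow the ICMPv6 types from the next section first).
HARDENED_RULES = PAGE_RULES + [{"in": "eth1", "target": "DROP"}]


def matches(rule, pkt):
    """Every criterion present in the rule must match; absent criteria match anything."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def forward_verdict(pkt, rules, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy (iptables default: ACCEPT)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(proto, in_iface, src, state, dport=None):
    return {"proto": proto, "in": in_iface, "src": src, "state": state, "dport": dport}


# Constructed test traffic around the netcat listener on 2001:1::2 port 3389.
LAN_OUT = packet("tcp", "eth0", "2001:1::2", "NEW", 443)
RDP_FROM_PEER = packet("tcp", "eth1", "2001:3::1", "NEW", 3389)
RDP_FROM_OTHER = packet("tcp", "eth1", "2001:3::9", "NEW", 3389)
REPLY_IN = packet("tcp", "eth1", "2001:3::9", "ESTABLISHED", 55000)
UDP_SCAN = packet("udp", "eth1", "2001:3::9", "NEW", 53)
ICMPV6_IN = packet("icmpv6", "eth1", "2001:3::9", "NEW")

if __name__ == "__main__":
    cases = (("LAN out", LAN_OUT), ("RDP from 2001:3::1", RDP_FROM_PEER),
             ("RDP from other", RDP_FROM_OTHER), ("reply in", REPLY_IN),
             ("UDP from WAN", UDP_SCAN), ("ICMPv6 from WAN", ICMPV6_IN))
    for name, pkt in cases:
        print(f"{name:20} page: {forward_verdict(pkt, PAGE_RULES):6} "
              f"hardened: {forward_verdict(pkt, HARDENED_RULES)}")
```

The nmap check in the text only exercises the TCP path; repeat it with -sU against the listener (or any UDP port) to see the difference between the two rule sets.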



Filtering selected ICMPv6 types

The ICMPv6 protocol includes some great functionality. IANA maintains a list of ICMPv6 types and codes.

It is hard to make general statements about which ICMPv6 types should be allowed or denied. The following chart provides some guidance about reasonable firewall policies for ICMPv6 types, grouped by whether a type can typically be allowed or should typically be denied.

ICMPv6 types typically safe to allow    Purpose/Comments
1, Destination Unreachable              general connectivity testing
2, Packet Too Big                       sent by routers to notify a node that it should fragment the packets
3, Time Exceeded                        protects against routing loops
4, Parameter Problem                    error messages and handling
128, Echo Request                       ping
129, Echo Reply                         ping reply
133, Router Solicitation                sent by clients to the all-nodes multicast address to request an IP address assignment
134, Router Advertisement               sent by routers to the all-nodes multicast address; clients can use the information in this message to generate an address
135, Neighbor Solicitation              queries nodes for IP and connectivity information
136, Neighbor Advertisement             sends IP and connectivity information to other nodes

ICMPv6 types that can typically be denied   Purpose/Comments
137, Redirect                               alerts clients to send traffic to another router, presumably one with a more direct route to the destination; like other ICMPv6 types listed, these messages are unauthenticated and could be malicious
138, Router Renumbering                     automatic reconfiguration of routers
139, Node Information Query                 allows a host to be fingerprinted
140, Node Information Response              allows a host to be fingerprinted
151-154                                     deny by default
others                                      not yet used, deny by default
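
Here is an added example, not from the CERT post, that turns the table into ip6tables INPUT rules. It goes one step beyond the table by requiring hop limit 255 on the Neighbor Discovery types 133-136 (RFC 4861 mandates it, and ip6tables checks it with the hl match); the chain name and the log rate limit are assumptions.

```python
# Added example: derive an ip6tables ICMPv6 policy from the allow/deny table.
# Type numbers and purposes follow the table above; chain name and log rate
# limit are assumptions.

# Types the table marks as typically safe to allow.
ALLOW = {
    1: "destination-unreachable",
    2: "packet-too-big",
    3: "time-exceeded",
    4: "parameter-problem",
    128: "echo-request",
    129: "echo-reply",
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
}

# Types the table says can typically be denied. 151-154 and anything
# unlisted are denied by the catch-all rule, so they need no entry here.
DENY = {
    137: "redirect",
    138: "router-renumbering",
    139: "node-information-query",
    140: "node-information-response",
}

# Neighbor Discovery messages must arrive with hop limit 255 (RFC 4861);
# a lower value means the packet was forwarded and did not originate on-link.
NDP_TYPES = {133, 134, 135, 136}


def decision(icmp_type: int) -> str:
    """Policy verdict for one ICMPv6 type: ACCEPT only if listed as safe."""
    if icmp_type in ALLOW:
        return "ACCEPT"
    return "DROP"   # explicit deny list, 151-154, and all unlisted types


def icmpv6_rules(chain: str = "INPUT", log_denied: bool = True) -> list:
    """Build the ordered ip6tables commands implementing the table for CHAIN."""
    rules = []
    for t, name in sorted(ALLOW.items()):
        hl = " -m hl --hl-eq 255" if t in NDP_TYPES else ""
        rules.append(
            f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t}{hl} "
            f"-j ACCEPT  # {name}")
    for t, name in sorted(DENY.items()):
        if log_denied:
            # Rate-limited logging so a flood of denied types cannot fill logs.
            rules.append(
                f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t} "
                f"-m limit --limit 3/s -j LOG --log-prefix \"ICMPv6-{name} \"")
        rules.append(
            f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t} -j DROP  # {name}")
    # Catch-all: 151-154, not-yet-assigned types, and NDP packets that failed
    # the hop-limit check all end up here.
    rules.append(f"ip6tables -A {chain} -p ipv6-icmp -j DROP  # default deny")
    return rules


if __name__ == "__main__":
    print("\n".join(icmpv6_rules()))
```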


We've talked about filtering ICMPv6 types before, so there's no reason to discuss it again. Instead, let's focus on some test case generation options.

There don't seem to be many tools that can generate arbitrary ICMPv6 packets. One of the more commonly used tools is ping6 or ping -6. The ping command sends an echo request message to an individual IPv6 address. Creating arbitrary ICMPv6 types requires a different tool.

Newer versions of the scapy packet crafting tool can be used to generate most ICMPv6 types. Here's an example of typical scapy usage:

# scapy
Welcome to Scapy (2.0.1-dev)
>>> a=IPv6(dst="2001:1::2")/ICMPv6ND_Redirect()
>>> send(a)

To list the available ICMPv6 types (layers), use the ls() command:

>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
...
ICMPerror : ICMP in ICMP
ICMPv6DestUnreach : ICMPv6 Destination Unreachable
ICMPv6EchoReply : ICMPv6 Echo Reply
ICMPv6EchoRequest : ICMPv6 Echo Request
ICMPv6HAADReply : ICMPv6 Home Agent Address Discovery Reply
ICMPv6HAADRequest : ICMPv6 Home Agent Address Discovery Request
ICMPv6MLDone : MLD - Multicast Listener Done
ICMPv6MLQuery : MLD - Multicast Listener Query
ICMPv6MLReport : MLD - Multicast Listener Report
...

To view what parameters a layer will take, use the ls() command again:

>>> ls(ICMPv6ND_Redirect())
type : ByteEnumField = 137 (137)
code : ByteField = 0 (0)
cksum : XShortField = None (None)
res : XIntField = 0 (0)
tgt : IP6Field = '::' ('::')
dst : IP6Field = '::' ('::')

This information can be used when creating packets to allow greater control over specific packets:

a=IPv6(dst="2001:1::2")/ICMPv6ND_Redirect(tgt="2001:1::3")



Disabling/enabling privacy extensions

Currently, IPv6 addresses are typically assigned via stateless autoconfiguration, DHCPv6 or static assignment.

With stateless autoconfiguration, an operating system is expected to generate part (usually the lower 64 bits) of its address. If privacy extensions are enabled, the generated address will be pseudo-random. This is good for privacy but makes remote management difficult.

On Windows Server 2008, privacy extensions can be controlled with a netsh command:

C:\> netsh interface ipv6 privacy enabled|disabled

Linux users should check /proc/sys/net/ipv6/conf (the exact location varies between distributions and kernel versions).

Testing the address status of other systems on the same Ethernet segment is possible, assuming that echo requests and replies are accepted on those machines. If the following commands run on a Linux system produce predictable addresses, privacy extensions are disabled:

$ ping6 -B -I eth0 -I [global IPv6 address attached to eth0] ff02::1
$ ip neighbor

Windows users can use these commands:

C:\> ping -S [global IPv6 address] -6 ff02::2
C:\> netsh interface ipv6 show neighbors
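
As an added example (not part of the original post), here is a Python script that parses the Linux `ip neighbor` output the procedure above produces and flags which neighbours carry predictable EUI-64 interface identifiers, i.e. privacy extensions disabled. The neighbour table lines are constructed sample data, and comparing the identifier against the recorded MAC goes slightly beyond the page's "predictable address" check.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of `ip -6 neighbor` output (not captured from a real
# network): one host with a SLAAC/EUI-64 address derived from its MAC, one with
# a randomised interface identifier, a link-local router entry and a failed
# entry with no link-layer address.
SAMPLE_NEIGHBOR_OUTPUT = """\
2001:1::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
2001:1::9c3e:1d2a:7b4f:a81 dev eth0 lladdr 00:1a:2b:3c:4d:5f STALE
fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e router REACHABLE
2001:1::10 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
)


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit in the first octet and insert ff:fe."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %s" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def classify(addr: str, mac: Optional[str]) -> str:
    """Say whether the interface identifier of ADDR is predictable."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if mac is not None and iid == mac_to_iid(mac):
        return "eui64-from-lladdr"   # derived from the recorded MAC: predictable
    if iid[3:5] == b"\xff\xfe":
        return "eui64-pattern"       # EUI-64 shape, but MAC not confirmed
    return "non-eui64"               # temporary (privacy ext.) or manually set


def audit_neighbors(text: str) -> List[Tuple[str, str, str]]:
    """Parse neighbour table lines and classify every non-link-local address."""
    results = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr")
        if ipaddress.IPv6Address(addr).is_link_local:
            continue   # link-local IIDs are usually EUI-64 even with privacy on
        results.append((addr, m.group("dev"), classify(addr, m.group("mac"))))
    return results


if __name__ == "__main__":
    for addr, dev, verdict in audit_neighbors(SAMPLE_NEIGHBOR_OUTPUT):
        print("%-40s %-6s %s" % (addr, dev, verdict))
```

Pipe the real output in with `ip -6 neighbor | python3 audit.py` after adapting the script to read stdin; a host reported as eui64-from-lladdr has privacy extensions disabled.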


Reference: http://www.cert.org/blogs/vuls/2009/10/managing_ipv6_-_part_2.html

Invisible IPv6 traffic poses serious network threat

SkyHi @ Friday, November 06, 2009
Odds are you have hidden tunnels on your network carrying IPv6 traffic--and possibly IPv6-based attacks
By Carolyn Duffy Marsan , Network World , 07/13/2009

IPv6 — the next-generation Internet protocol — isn't keeping too many U.S. CIOs and network managers up worrying at night. But perhaps it should.


Experts say that most U.S. organizations have hidden IPv6 traffic running across their networks, and that few network managers are equipped to see, manage or block it. Increasingly, this rogue IPv6 traffic includes attacks such as botnet command and controls.

"If you aren't monitoring your network for IPv6 traffic, the IPv6 pathway can be used as an avenue of attack," says Tim LeMaster, director of systems engineering for Juniper's federal group. "What network managers don't understand is that they can have a user running IPv6 on a host and someone could be sending malicious traffic to that host without them knowing it."


Most U.S. network managers are blind to rogue IPv6 traffic because they don't have IPv6-aware firewalls, intrusion detection systems or network management tools. Also, IPv6 traffic is being tunneled over IPv4 connections and appears to be regular IPv4 packets unless an organization has deployed security mechanisms that can inspect tunneled traffic. (See also: 5 of the biggest IPv6-based threats facing CIOs.)

"At least half of U.S. CIOs have IPv6 on their networks that they don't know about, but the hackers do," says Yanick Pouffary, technology director for the North American IPv6 Task Force and an HP Distinguished Technologist. "You can't ignore IPv6. You need to take the minimum steps to secure your perimeter. You need firewalls that understand IPv4 and IPv6. You need network management tools that understand IPv4 and IPv6."

"Although they're not thinking about IPv6, for most of the Fortune 500, it's in their networks anyways," agrees Dave West, director of systems engineering for Cisco's public sector group. "You may not see IPv6 today as a business driver. But like it or not, you are running IPv6 in your network."

IPv6 is the long-anticipated upgrade to the Internet's main communications protocol, known as IPv4. IPv6 features vastly more address space, built-in security and enhanced support for streaming media and peer-to-peer applications. Available for a decade, IPv6 has been slow to catch on in the United States. Now that unallocated IPv4 addresses are expected to run out in 2011, the pressure is on U.S. carriers and corporations to deploy IPv6 in the next few years.

IPv6-based threats are not well understood, but they are becoming more prominent. For example, the issue of IPv6-based attacks was raised at a June meeting of the National Security Telecommunications Advisory Committee, a high-level industry group that advises the White House about cybersecurity.

"We are seeing quite a bit of command and control traffic that is IPv6," says Jason Schiller, senior Internet network engineer, global IP network engineering for the public IP network at Verizon Business. "Hackers are trying to leverage IPv6 to fly under the radar. We're seeing a lot of bot networks where the command and control is under IPv6. We're also seeing illegal file sharing that leverages IPv6 for peer-to-peer communications."

Rogue IPv6 traffic is an emerging threat for network managers. The biggest risk is for organizations that have decided to delay IPv6 deployment because they don't see a business driver for the upgrade – a category that includes most U.S. corporations.

U.S. federal agencies are in a better position to protect themselves against IPv6-based threats because they have enabled IPv6 across their backbone networks. Federal agencies are moving ahead with plans to integrate IPv6 into their enterprise architectures and capital investments.

Rogue IPv6 traffic "is a very real threat," says Sheila Frankel, a computer scientist in the Computer Security Division of the National Institutes of Standards and Technology (NIST).

"People can have IPv6 running on their networks and not know it. Computers and other devices can ship with IPv6 turned on. Ideally, if you're not prepared to protect against IPv6, it should be turned off for all the devices on your network. You need to be prepared to block it at your perimeter. You want to block it coming in and going out," Frankel says.

Frankel recommends that organizations that don't want to run IPv6 in production mode buy firewalls and intrusion-prevention systems that can block both native and tunneled IPv6 traffic.

"You should be blocking not only pure IPv6 traffic but also IPv6 traffic tunneled inside of other traffic," Frankel says. "Network operators have to be aware of the ways IPv6 would normally be tunneled in IPv4 traffic and in the different types of transition mechanisms, and they have to become aware of the rules necessary to block these various classes of traffic."

Where does rogue IPv6 traffic come from?

IPv6 traffic gets on your network because many operating systems–including Microsoft Vista, Windows Server 2008, Mac OS X, Linux and Solaris — ship with IPv6 enabled by default. Network managers have to disable IPv6 on every device that they install on their networks or these devices are able to receive and send IPv6 traffic.

"We're probably talking about 300 million systems that have IPv6 enabled by default," estimates Joe Klein, director of IPv6 Security at Command Information, an IPv6 consultancy. "We see this as a big risk."

Experts say it's likely that network managers will forget to change the IPv6 default settings on some desktop, server or mobile devices on their networks. At the same time, most organizations have IPv4-based firewalls and network management tools that don't automatically block IPv6 traffic coming into their networks.

"The most common IPv6-based attacks that we're seeing right now are when you have devices on the edge of your network that are dual stack, which means they're running IPv4 and IPv6. If you only have an IPv4 firewall, you can have IPv6 running between you and the attacker," Klein says. "The attacker is going through your firewall via IPv6, which at that point is wide open."



Another common problem is IPv6 traffic tunneled over IPv4 using such techniques as Teredo, which is supported by Microsoft, or the alternative 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) approaches.

"The typical IPv4 security devices are not tuned to look for IPv6 tunnels," Klein says. "They offer very weak defense, which is kind of scary."

Klein says the only way network managers can discover IPv6 devices on their network is to run IPv6. Even then, it's extremely difficult to discover IPv6 tunnels.

"You might be able to find the top three tunnels but not all the other sub-tunnels," Klein says. "You can tunnel IPv6 over HTTP over IPv4. How are you going to find that?"


To battle these threats, Command Information is offering software called Assure6, which operates in conjunction with deep packet inspection systems to identify IPv6 traffic tunneled over IPv4. Similarly, the McAfee Network Security Platform offers full IPv6 and tunnel inspection. Cisco and Juniper offer IPv6-enabled routers, firewalls and other systems that allow network managers to set IPv6-related security policies.

Klein says he gets one or two calls a month from organizations that have been attacked through rogue IPv6 traffic.

"One of our honeypots that we have set up saw a botnet using an IPv6-only attack," Klein says. "It was hiding itself as IPv4 through our router, and it was attacking and issuing command and controls to a botnet in the Far East."

The number of IPv6 attacks is small but growing, LeMaster says.

"There are fewer people that have IPv6 enabled, so it's not as rich a target as IPv4," LeMaster adds. "The majority of the vulnerabilities are over HTTP. They're application related, where IPv6 is just the transport for those security concerns."

Frankel says IPv6-based threats are common enough that every network manager needs a plan for mitigating them.

"Nobody today will deny that they have to do something about viruses or about spam," Frankel adds. "It's fair to say that rogue IPv6 traffic is in this category of threats that's going to hit you if you ignore it."

To block or not to block IPv6

Experts disagree about whether it's best for network managers to block IPv6 traffic or to enable IPv6 traffic for monitoring purposes.

Most say that if an organization isn't prepared to support IPv6, it should block IPv6 traffic coming into and leaving its network using IPv6-enabled routers, firewalls, intrusion-prevention systems and intrusion-detection systems.

Network managers "should be creating policies…that look for IPv6 traffic and if they see it to drop that packet," LeMaster says. "Within their security incident manager solution they need to look at the profiles of traffic coming into their network. They need that visibility. If they see IPv6 traffic, they need to find out what host it's coming from or going to, and turn that traffic off."

But these experts admit that blocking IPv6 traffic is a temporary solution because a growing number of your customers and business partners will be supporting IPv6.

"If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats."

Long term, the better solution is to start running IPv6 so you can gain visibility into your IPv6 traffic and experience with the new protocol, experts say.

"We don't recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you've got to plan, train and implement IPv6," says Lisa Donnan, vice president of advanced technology solutions at Command Information.

Cisco recommends that its customers adopt the same security policies for IPv4 and IPv6, and that these policies be implemented using a layered approach.

"Configuration management, configuration control and policy are going to be pretty critical now as all of these IPv6 devices just show up on the network," West says. "Configuration management may be the largest threat we have around IPv6."

Frankel says now is the time for corporations to start training staff in IPv6 and getting experience with IPv6 so they can protect themselves against IPv6-based attacks.

"Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats," Frankel says. "The other thing they should do is to take their outward-facing servers, those that are external to the corporation's firewalls, and enable IPv6 on them. That way customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process."

IPv6 is "coming," Frankel says. "The best way is to face it head on and to decide you're going to do it in the most secure manner possible."


Reference: http://www.networkworld.com/news/2009/071309-rogue-ipv6.html?page=2

iptables script ipv6

SkyHi @ Friday, November 06, 2009
#!/bin/sh
#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
PHIGH="1024:65535"

# Common SSH source ports.
PSSH="1000:1023"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc


#------------------------------------------------------------------------------
# Mitigate ARP spoofing/poisoning and similar attacks.
# For details see:
# * http://en.wikipedia.org/wiki/ARP_spoofing
# * http://www.grc.com/nat/arp.htm
#------------------------------------------------------------------------------

# Hardcode static ARP cache entries here (e.g. for the network gateway).
# $ARP -s IP-ADDRESS MAC-ADDRESS


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: We turn this on and off to reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default.
# Note: The default policies are set _before_ flushing the chains, to prevent
# a short timespan between flushing the chains and setting policies where
# any traffic would be allowed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
# Packets will simply pass through these tables unchanged.
# TODO: What happens if the modules aren't loaded?
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# TODO: Correct? Remove this?
# $IPTABLES -t raw -P PREROUTING ACCEPT
# $IPTABLES -t raw -P OUTPUT ACCEPT


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
    # Set the default policies (drop everything).
    $IP6TABLES -P INPUT DROP 2>/dev/null
    $IP6TABLES -P FORWARD DROP 2>/dev/null
    $IP6TABLES -P OUTPUT DROP 2>/dev/null

    # The mangle table can pass everything through unaltered (we don't use it).
    $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

    # Delete all rules.
    $IP6TABLES -F 2>/dev/null
    $IP6TABLES -t mangle -F 2>/dev/null

    # Delete all (non-builtin) user-defined chains.
    $IP6TABLES -X 2>/dev/null
    $IP6TABLES -t mangle -X 2>/dev/null

    # Zero all packet and byte counters.
    $IP6TABLES -Z 2>/dev/null
    $IP6TABLES -t mangle -Z 2>/dev/null
fi


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# A custom chain which only allows minimal (RELATED) ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG


#------------------------------------------------------------------------------
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
# For details see:
# * http://tools.ietf.org/html/792
# * http://tools.ietf.org/html/1122
# * http://www.iana.org/assignments/icmp-parameters
# * http://www.daemon.be/maarten/icmpfilter.html
#------------------------------------------------------------------------------

# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
# TODO: Tighten this some more?
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
# TODO: FORWARD?
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
# TODO: Really do rate limiting here?
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
# For details see:
# * http://www.debian.org/doc/manuals/securing-debian-howto/
# * ftp://ftp.isi.edu/in-notes/rfc1122.txt

# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
$IPTABLES -A INPUT -p tcp -m multiport \
    --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
    --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
# Note: This may prevent you from performing certain scans. Also, see above
# comment about ICMP packets being erroneously marked as INVALID instead of
# RELATED in kernels older than 2.4.29. Remove this rule if needed.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# This is not needed, as we use policy DROP for FORWARD, and we disabled
# ip_forward anyways. However, if we would use NAT, INVALID packets would
# bypass our rules, so we block them explicitly here, just in case.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# TODO: Test.
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# Note: You could easily block valid traffic, e.g. if your ISP uses private
# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
# For details see:
# * ftp://ftp.iana.org/assignments/ipv4-address-space
# * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
--sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing Bacula (http://www.bacula.org) requests.
# Unencrypted (usually), use with care.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT

# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, ...


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow incoming DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Allow incoming Bacula (http://www.bacula.org) requests.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT


#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG


#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using for example
# iptables -vnL, nmap, ping, telnet, ...


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

Reference: http://usalug.org/phpBB2/viewtopic.php?t=13265
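The script above opens several cleartext protocols outbound and marks each one "Unencrypted, use with care". As an added check that is not part of the original script, the following POSIX shell function lists which of those ports a given copy of the script (or an iptables-save dump) actually opens for new outbound connections; the sample input is a constructed excerpt, not the full ruleset.

```shell
#!/bin/sh
# Added example, not part of the firewall script above: audit which of the
# ports the script labels "Unencrypted, use with care" are actually opened for
# NEW outbound connections. It reads the script itself or iptables-save
# output (both carry "-A OUTPUT ... --dport N -j ACCEPT"); commented-out
# rules are ignored and backslash-continued rules are joined first.

# cleartext_egress FILE -> prints "proto/port" for each matching rule, in file order
cleartext_egress() {
    # port list taken from the script's own "use with care" comments
    cleartext="21 67:68 80 119 123 2401 3690 6667 8080 8090 9101"
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next } { print buf $0; buf = "" }' "$1" |
    grep -Ev '^[[:space:]]*#' | grep -e '-A OUTPUT ' | grep -e '-j ACCEPT' |
    awk -v list="$cleartext" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port in ok) print proto "/" port
        }'
}

# Demonstration on a constructed excerpt (not the real ruleset).
sample=$(mktemp)
cat > "$sample" <<'EOF'
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
--sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
EOF
cleartext_egress "$sample"   # prints tcp/80, udp/67:68, tcp/6667
rm -f "$sample"
```

Running it against `iptables-save` output on a live box shows the same thing for the rules the kernel actually holds, which is the check the "Testing the firewall" section asks for.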

Monday, November 2, 2009

How to Disable IPv6 in Fedora and CentOS

SkyHi @ Monday, November 02, 2009
They say that by disabling IPv6 things get a bit smoother and faster regarding networking. I don’t really know if this is true, but I guess, if you’ve decided to disable this feature, you probably care to do it the Right Way™. As far as I know, trying to disable IPv6 through anaconda during the installation of Fedora or CentOS does not turn off the IPv6 functionality completely, but it just disables it for the configured network interface. This is not actually a problem, but, why should this network layer be enabled system-wide, if you do not use it at all? This small article assists you in disabling IPv6 in the latest Fedora and CentOS releases in an aggressive and unforgiving way.
Check if the module is loaded

IPv6 functionality is made available to the system by the ipv6 kernel module. To check whether this module is currently loaded, issue the following command as root:

lsmod | grep ipv6

If you see ipv6 in its output, then the module is loaded.

Performing this check is absolutely not necessary. It is included in this article for completeness.
Disable IPv6

You can prevent a module from being inserted into the kernel by either blacklisting it or by completely disabling it.

In this case, since you will most probably turn off the IPv6 firewall (ip6tables) as well, it is highly recommended to completely disable the ipv6 module, to avoid any accidental loading of the IPv6 stack without any firewall protection at the same time.
How the module blacklist works

This information about blacklisting a kernel module exists here for educational purposes. It has been mentioned above that for ipv6 it is important to completely disable it.

From the modprobe.conf man page:

Modules can contain their own aliases: usually these are aliases describing the devices they support, such as “pci:123…”. These “internal” aliases can be overridden by normal “alias” keywords, but there are cases where two or more modules both support the same devices, or a module invalidly claims to support a device: the blacklist keyword indicates that all of that particular module’s internal aliases are to be ignored.

So, blacklist indicates that a module’s aliases should be ignored. But, what happens if an application requires to load that specific module or if root uses modprobe to load it on demand? Let’s test it…

To blacklist the module, simply save the following line in a file inside /etc/modprobe.d:

blacklist ipv6

Next, disable any services that use IPv6, e.g. ip6tables or any IPv6-enabled network interfaces, and reboot (mandatory).

After you’ve logged-in again, try, for example, to load the ipv6 module with the modprobe command (as root):

[root@centos]# modprobe -v ipv6
insmod /lib/modules/2.6.18-53.1.14.el5/kernel/net/ipv6/ipv6.ko
[root@centos]# lsmod | grep v6
ipv6 251393 8

The blacklisted module has been loaded. This is what happens if it is needed by a system service, regardless of the fact that it has been blacklisted. In the case of ipv6 this could be a security risk if the ipv6 firewall has been turned off but some network interfaces still use IPv6. So, frankly, read on for how to disable the module more aggressively…
Completely disable the ipv6 module

To completely disable IPv6 in your system, all you have to do is save the following line in a file inside /etc/modprobe.d/.

install ipv6 /bin/true

The above line means: whenever the system needs to load the ipv6 kernel module, it is forced to execute the command true instead of actually loading the module. Since /bin/true does absolutely nothing, the module never gets loaded.

Again, it is required to reboot for the changes to take effect.

It is obvious that this is an aggressive method to disable kernel modules, but it guarantees that the module never gets loaded.

This is the recommended way to disable IPv6.
Other Configuration Tasks

Since the IPv6 functionality has been disabled, you can disable the ip6tables service (IPv6 Firewall). Issue the following command as root:

chkconfig ip6tables off

It is also a good idea, since the ip6tables service has been turned off, to disable any IPv6-related functionality in the network interface configuration. Even if you do not do this, the IPv6 stack will not be initialized because the ipv6 module cannot be loaded. But, generally, you could set the following options to “no” inside your network interface scripts, for example: /etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=no
IPV6_AUTOCONF=no

Finally, in Fedora 8 or newer you can safely remove the following option from the /etc/sysconfig/network file, if it exists:

NETWORKING_IPV6=no

Final Thoughts

Using the instructions above, you can completely disable IPv6 in your system. On the other hand, you should understand that IPv6 is not an evil thing… It exists in order to address certain issues. If you ever think about actually trying to configure and use it instead of just disabling it every time you install your Linux operating system, here is a good place to start…
The How to Disable IPv6 in Fedora and CentOS by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at www.g-loaded.eu.

Reference: http://www.g-loaded.eu/2008/05/12/how-to-disable-ipv6-in-fedora-and-centos/


RedHat / Centos Disable IPv6 Networking

Our policy and network configuration does not require IPv6 support in RHEL / CentOS / Fedora Linux. How do I prevent the kernel module from loading at boot time and disable IPv6 networking?

You can easily prevent the kernel module from loading by updating the following two files:

1. /etc/modprobe.conf - Kernel driver configuration file.
2. /etc/sysconfig/network - RHEL / CentOS networking configuration file.

/etc/modprobe.conf

Edit /etc/modprobe.conf, enter:
# vi /etc/modprobe.conf
Append the following line:

install ipv6 /bin/true

Save and close the file.
/etc/sysconfig/network

Edit /etc/sysconfig/network, enter:
# vi /etc/sysconfig/network
Update / add as follows:


NETWORKING_IPV6=no
IPV6INIT=no


Save and close the file. Restart the networking service and unload the module:
# service network restart
# rmmod ipv6
Alternatively, simply reboot the box:
# reboot
Verify IPv6 is disabled, enter:
# lsmod | grep ipv6
# /sbin/ifconfig

Reference: http://www.cyberciti.biz/faq/redhat-centos-disable-ipv6-networking/



8. How do I disable IPv6?

* Edit /etc/sysconfig/network and set "NETWORKING_IPV6" to "no"
* Add the following to /etc/modprobe.conf :

alias ipv6 off
alias net-pf-10 off

* Run chkconfig ip6tables off to disable the IPv6 firewall
* Reboot the system

Alternative (which might be easier and works on any release with /etc/modprobe.d):

echo "install ipv6 /bin/true" > /etc/modprobe.d/disable-ipv6

* With the 5.4 update, symbol/ipv6 module dependency capabilities have been introduced; therefore, if IPv6 has previously been disabled as above, an upgrade to the bonding driver in 5.4 will result in the bonding kernel module failing to load. For the module to load properly, use instead:

echo "options ipv6 disable=1" > /etc/modprobe.d/disable-ipv6

Reference: http://wiki.centos.org/FAQ/CentOS5




How do I disable the IPv6 protocol in Red Hat Enterprise Linux?
Release Found: Red Hat Enterprise Linux 4 and later

Red Hat Enterprise Linux 4 and 5 enable Internet Protocol Version 6 (IPv6) by default. However, in certain situations, some users may find it desirable to disable IPv6 support.

Disabling IPv6 Support Red Hat Enterprise Linux 4

If the following line exists in the /etc/modprobe.conf file, remove it:

alias net-pf-10 ipv6

Add the following line to the /etc/modprobe.conf file:

alias net-pf-10 off

Reboot the system to disable IPv6 support.

Re-enabling IPv6 Support Red Hat Enterprise Linux 4

Remove the following line from the /etc/modprobe.conf file:

alias net-pf-10 off

You must reboot the system to activate IPv6 support.

Disabling IPv6 Support Red Hat Enterprise Linux 5

If the following line exists in the /etc/modprobe.conf file, remove it:

alias net-pf-10 ipv6

Add the following line to the /etc/modprobe.conf file:

alias net-pf-10 off

In versions of Red Hat Enterprise Linux before 5.4, add the following line to the /etc/modprobe.conf file:

alias ipv6 off

In Red Hat Enterprise Linux 5.4 and later, add the following line to the /etc/modprobe.conf file:

options ipv6 disable=1

To prevent errors during the network initscript start routine, change the NETWORKING_IPV6 parameter in the /etc/sysconfig/network file to the following:

NETWORKING_IPV6=no

For completeness, it is a good idea to configure the ip6tables service not to start at boot by issuing the following command:

chkconfig ip6tables off

Once both the alias net-pf-10 off and alias ipv6 off lines are present in the /etc/modprobe.conf file and NETWORKING_IPV6=no is set in the /etc/sysconfig/network file, reboot the system to disable IPv6 support.

Re-enabling IPv6 Support Red Hat Enterprise Linux 5

To re-enable IPv6 on Red Hat Enterprise Linux 5 systems, remove the following lines from the /etc/modprobe.conf file:

alias net-pf-10 off
alias ipv6 off

Set the following parameter in the /etc/sysconfig/network file:

NETWORKING_IPV6=yes

Re-enable ip6tables by issuing the following command:

chkconfig ip6tables on

You must reboot the system to activate IPv6 support.

Reference: http://kbase.redhat.com/faq/docs/DOC-8711
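The articles above disable the same module in four different ways, and only some of them actually stop it from loading (the blacklist test earlier shows the module loading anyway). As an added check that is not from any of the quoted articles, the following POSIX shell audit reports which form is present in whatever modprobe files or directories you point it at; the demonstration uses constructed temporary files rather than a real system configuration.

```shell
#!/bin/sh
# Added example, not from any of the articles quoted above: audit modprobe
# configuration and report which kind of ipv6-disabling directive is present.
# The articles show that "blacklist ipv6" alone does not stop the module from
# loading, that "install ipv6 /bin/true" (any release with /etc/modprobe.d) and
# "options ipv6 disable=1" (CentOS/RHEL 5.4+) do, and that "alias net-pf-10 off"
# / "alias ipv6 off" is the older RHEL 4 / pre-5.4 form.

# has PATTERN FILE: true if a non-comment line of FILE matches the ERE PATTERN
has() { grep -Ev '^[[:space:]]*#' "$2" | grep -Eq "$1"; }

# classify_file FILE -> strongest directive kind found in that one file
classify_file() {
    if   has '^[[:space:]]*install[[:space:]]+ipv6[[:space:]]+/bin/true' "$1"; then echo install
    elif has '^[[:space:]]*options[[:space:]]+ipv6[[:space:]].*disable=1' "$1"; then echo options
    elif has '^[[:space:]]*alias[[:space:]]+(net-pf-10|ipv6)[[:space:]]+off' "$1"; then echo alias-off
    elif has '^[[:space:]]*blacklist[[:space:]]+ipv6([[:space:]]|$)' "$1"; then echo blacklist-only
    else echo none
    fi
}

# rank_of KIND -> number; a higher rank wins when several files disagree
rank_of() {
    case "$1" in
        install) echo 4 ;; options) echo 3 ;; alias-off) echo 2 ;;
        blacklist-only) echo 1 ;; *) echo 0 ;;
    esac
}

# check_one FILE: update the running best verdict (skips non-files)
check_one() {
    [ -f "$1" ] || return 0
    kind=$(classify_file "$1"); r=$(rank_of "$kind")
    if [ "$r" -gt "$bestrank" ]; then best="$kind"; bestrank="$r"; fi
}

# ipv6_disable_status FILE_OR_DIR... -> one of:
#   install | options | alias-off | blacklist-only | none
ipv6_disable_status() {
    best="none"; bestrank=0
    for p in "$@"; do
        if [ -d "$p" ]; then for f in "$p"/*; do check_one "$f"; done
        else check_one "$p"; fi
    done
    echo "$best"
}

# Demonstration on constructed files; no real system configuration is touched.
demo=$(mktemp -d)
printf 'blacklist ipv6\n' > "$demo/ipv6.conf"
echo "blacklist only: $(ipv6_disable_status "$demo")"        # blacklist-only
printf 'install ipv6 /bin/true\n' > "$demo/disable-ipv6"
echo "plus install:   $(ipv6_disable_status "$demo")"        # install
rm -rf "$demo"
```

On a real box, run `ipv6_disable_status /etc/modprobe.conf /etc/modprobe.d` and confirm the verdict against `lsmod | grep ipv6` after the reboot the articles require.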