22

On my Linux box, I have various daemons which can bind to all IPv6-enabled interfaces on ::. When they do so, Linux sends IPv4 requests to that daemon mapped as, for instance, ::ffff:198.51.100.37.

I would instead like IPv4 connections to be refused and only IPv6 connections accepted when a daemon binds to ::. To receive IPv4 connections, I want the daemon to have to explicitly bind to 0.0.0.0 (as well as ::).

In other words, I want to run a service exclusively on IPv6, and not on IPv4.

Is there a way to accomplish this?

Michael Hampton

1 Answer

28

This is controlled by the net.ipv6.bindv6only sysctl. Add the following to /etc/sysctl.conf and run sudo sysctl -p to effect the change.

net.ipv6.bindv6only=1

Applications can also explicitly only bind to the IPv6 address instead of changing this globally, for example, nginx has the ipv6only option to the listen directive. This corresponds to the IPV6_V6ONLY option to setsockopt().

mgorven
  • Fortunately I found that the app (in this case, OpenSSH) was already setting IPV6_V6ONLY on the socket when I set `ListenAddress ::` so I didn't need to resort to using the sysctl (and reconfiguring everything else). – Michael Hampton Jul 26 '12 at 05:10
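
The per-socket behaviour described in the answer above, as an added example that is not part of the original answer or comment: a Python check that listens on `::` with `IPV6_V6ONLY` off and then on, and reports the peer address the listener sees for an IPv4 and an IPv6 loopback connection. The function names `attempt` and `probe` and the use of loopback addresses are assumptions of this example.

```python
import socket

def attempt(srv, family, host, port):
    """Connect to the listener; return the peer address it sees, or None."""
    with socket.socket(family, socket.SOCK_STREAM) as client:
        client.settimeout(2)
        try:
            client.connect((host, port))
            conn, peer = srv.accept()
        except OSError:  # refused, unreachable, or timed out
            return None
        conn.close()
        return peer[0]

def probe(v6only):
    """Listen on [::] with IPV6_V6ONLY set as given and try both families.

    Returns None when this host cannot create or bind an IPv6 socket.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        try:
            # Set before bind(); this overrides the net.ipv6.bindv6only
            # default for this one socket, in either direction.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
            srv.bind(("::", 0))  # port 0: kernel picks a free port
        except OSError:
            return None
        srv.listen(4)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        return {
            "ipv4": attempt(srv, socket.AF_INET, "127.0.0.1", port),
            "ipv6": attempt(srv, socket.AF_INET6, "::1", port),
        }

if __name__ == "__main__":
    for flag in (False, True):
        print(f"IPV6_V6ONLY={int(flag)}: {probe(flag)}")
```

On a dual-stack Linux host, the first line shows the IPv4 client as `::ffff:127.0.0.1`; the second shows `None` for IPv4 while `::1` still connects.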