IPv6 Linux Security

By | 2013/12/09

Rolling out IPv6 on Linux? Here are a few security tidbits to keep in mind.

iptables and ufw

For Linux and iptables, be aware you will be maintaining two iptables configs.

iptables for IPv4 and ip6tables for IPv6

Display iptables (IPv4) rules:

$ sudo iptables -L

Display ip6tables (IPv6) rules:

$ sudo ip6tables -L

If you use ufw (command line frontend for iptables) it handles IPv4 and IPv6 for you if the following option is enabled:



# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.

When your firewall is set, audit your hosts by running nmap over IPv6 against them:

$ sudo nmap -6 myipv6server.com

No IPv6 Support in fail2ban or denyhosts

At the moment, fail2ban is only protecting you over IPv4. Here is the bug report with discussion on IPv6 support.

Also, denyhosts does not currently support IPv6 and only protects over IPv4.

If ssh brute forcing is critical for your servers, consider using sshguard which _does_ have support for IPv6!

Another option for a workaround is to only allow ssh traffic over IPv4 in iptables or ufw.

mod_security _does_ support IPv6 but adds some additional work to create and test both IPv4 and IPv6 regex for all rules.

Configure and secure running servers or services for IPv6

On Linux most mainstream server apps are IPv6 aware and work great over IPv6. However, it is critical to look over each app’s config and make sure any configs to enable IPv6 are on and working.


Enable IPv4 and IPv6:

inet_protocols = ipv4, ipv6


Use *:443 and *:80 so virtual host configs will apply to both IPv4 and IPv6.

<Virtualhost *:443>
ServerName scottlinux.com



Listen on both IPv4 and IPv6:

listen [::]:80 ipv6only=on;
listen 80; 


Enable bind to listen on IPv6:

listen-on-v6 { any; };


Listen on both IPv4 and IPv6

ListenAddress ::

Hack on,

2 thoughts on “IPv6 Linux Security

  1. Maltris

    Thanks for this, i will add it to postfix and ssh soon. All other services are already running at dual stack mode here. đŸ˜€

    One addition:

    At nginx the vHost-Configuration for the first vHost should look like:

    listen [::]:80 default ipv6only=off;

    and all additional configurations should just contain:

    listen [::]:80;

    which enables them to run in dual stack mode. With your configuration i believe nginx is running IPv6 only.


Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.