How to disable IPv6 ICMP redirects?

Solution Verified - Updated

Environment

Red Hat Enterprise Linux 7
IPv6 / ICMPv6

Issue

We would like our host to ignore incoming ICMPv6 redirect messages. What options do we have?

Resolution

This solution covers ICMPv6 redirects only. For IPv4 (ICMP) redirects, see How to disable icmp redirects?

We can ignore ICMPv6 redirects by:
1. Creation of firewall rule
2. Setting kernel parameters (sysctl)
3. Disabling IPv6

1. Creation of firewall rule

Disclaimer: this solution requires careful consideration of the firewall ruleset in your environment. Proceed only if you are certain that the newly added rule will not interfere with rules that are already applied.

Requirements: Firewalld is running

a) firewall drops ICMPv6 redirects (ICMPv6 type 137 is the Redirect message) on all interfaces

# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 --icmpv6-type 137 -j DROP

b) firewall drops ICMPv6 redirects for the eth0 interface only

# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -i eth0 -p icmpv6 --icmpv6-type 137 -j DROP

Rules added with --permanent take effect only after firewalld is reloaded. Reload, then confirm that the rule is listed:

# firewall-cmd --reload
# firewall-cmd --direct --get-all-rules

2. Setting kernel parameters (sysctl)

Snippet from the kernel documentation (Documentation/networking/ip-sysctl.txt, IPv6 section):

    accept_redirects - BOOLEAN
        Accept Redirects.

    Functional default: enabled if local forwarding is disabled.
                disabled if local forwarding is enabled.

The logic for ignoring ICMPv6 redirects differs from the IPv4 one. The kernel
looks only at the interface that received the redirect and drops it when that
interface either has forwarding enabled or has accept_redirects set to 0. To
make the host ignore ICMPv6 redirects we must therefore either:

a) run the host as an IPv6 gateway (enable IPv6 forwarding)

Caveat: enabling forwarding has side effects beyond redirects. The host will
forward IPv6 packets between its interfaces, and unless accept_ra is set to 2
it stops processing Router Advertisements on that interface, so an
autoconfigured default route can be lost. On a host that is not meant to route,
prefer option b).

# Enable forwarding for an <interface> and ignore ICMPv6 redirects
net.ipv6.conf.<interface>.forwarding=1

# Enable forwarding for all interfaces and ignore ICMPv6 redirects
net.ipv6.conf.all.forwarding=1

b) disable ICMPv6 redirects per interface

# Disable ICMPv6 redirects explicitly for <interface>
net.ipv6.conf.<interface>.accept_redirects=0

To make the sysctl changes permanent:

  1. Create /etc/sysctl.d/ipv6.conf and save the chosen settings from above in it.
  2. Apply the settings with sysctl --system (the file is also applied at boot).

Note: because the kernel consults only the receiving interface, setting net.ipv6.conf.all.accept_redirects has no effect, and net.ipv6.conf.default.accept_redirects only seeds interfaces created after it is set; interfaces that already exist keep their own value. To ignore ICMPv6 redirects on several interfaces, set accept_redirects=0 explicitly for each of them, or enable global forwarding as shown above.
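The script below is an added example and is not part of the Red Hat solution. It puts the two mechanisms from sections 1 and 2 into checkable form: a per-interface audit that applies the kernel's rule for IPv6 (a redirect is dropped when the receiving interface has forwarding=1 or accept_redirects=0, while "all" and "default" do not affect existing interfaces), a generator for the /etc/sysctl.d fragment from option 2b, and a check that an ip6tables ruleset contains a DROP/REJECT rule for ICMPv6 type 137 (firewalld places --direct INPUT rules in its INPUT_direct chain). The function names, the --run flag and the sample rule text are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): audit and configure a host's
# handling of ICMPv6 redirects using the mechanisms described above.
# Function names and the --run flag are this example's own assumptions.

# Report, per interface, whether the kernel will honour an ICMPv6 redirect
# received on it. For IPv6 the kernel looks only at the receiving interface:
# the redirect is dropped when forwarding=1 OR accept_redirects=0 there.
# "all" and "default" do not influence existing interfaces, so they are skipped.
# Usage: ipv6_redirect_sysctl_status [CONFDIR]   (default /proc/sys/net/ipv6/conf)
# Prints "<iface> ignored" or "<iface> accepted"; returns 1 if any interface
# still accepts redirects, 0 otherwise.
ipv6_redirect_sysctl_status() {
    confdir=${1:-/proc/sys/net/ipv6/conf}
    rc=0
    for d in "$confdir"/*; do
        [ -d "$d" ] || continue
        iface=${d##*/}
        case $iface in all|default) continue ;; esac
        fwd=$(cat "$d/forwarding" 2>/dev/null || echo 0)
        acc=$(cat "$d/accept_redirects" 2>/dev/null || echo 1)
        if [ "$fwd" -eq 1 ] || [ "$acc" -eq 0 ]; then
            echo "$iface ignored"
        else
            echo "$iface accepted"
            rc=1
        fi
    done
    return $rc
}

# Write a sysctl.d fragment that disables ICMPv6 redirects explicitly for each
# named interface (option 2b); apply it afterwards with: sysctl --system
# sysctl treats "." as a key separator, so dots in interface names (VLANs such
# as eth0.100) must be written as "/" in the key.
# Usage: write_ipv6_redirect_sysctl FILE IFACE...
write_ipv6_redirect_sysctl() {
    out=$1
    shift
    : > "$out"
    for iface in "$@"; do
        key=$(printf '%s' "$iface" | tr . /)
        printf 'net.ipv6.conf.%s.accept_redirects = 0\n' "$key" >> "$out"
    done
}

# Check whether an ip6tables ruleset (as printed by "ip6tables -S") drops
# ICMPv6 Redirect messages (type 137) on input. firewalld puts --direct INPUT
# rules into its INPUT_direct chain, so both chains are examined.
# Usage: ipv6_redirect_fw_rule_present "$(ip6tables -S)"
# Returns 0 if a DROP/REJECT rule for type 137 exists, 1 otherwise.
ipv6_redirect_fw_rule_present() {
    printf '%s\n' "$1" |
        grep -E -- '^-A (INPUT|INPUT_direct) .*--icmpv6-type (137|redirect)( |$).*-j (DROP|REJECT)' >/dev/null
}

# Full audit of the running host (reading ip6tables needs root).
main() {
    echo "== sysctl: per-interface ICMPv6 redirect handling =="
    if ipv6_redirect_sysctl_status; then
        echo "all interfaces ignore ICMPv6 redirects"
    else
        echo "WARNING: at least one interface still accepts ICMPv6 redirects"
    fi
    echo "== firewall =="
    if ! command -v ip6tables >/dev/null 2>&1; then
        echo "ip6tables not found, skipping firewall check"
    elif ipv6_redirect_fw_rule_present "$(ip6tables -S 2>/dev/null)"; then
        echo "a DROP/REJECT rule for ICMPv6 type 137 is present"
    else
        echo "no rule dropping ICMPv6 type 137 found"
    fi
}

# Run the audit only when invoked as: sh icmpv6_redirect_audit.sh --run
# (sourcing the file, or running it without --run, just defines the functions).
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `sh icmpv6_redirect_audit.sh --run` after applying either method. The firewall check only sees rules that are actually loaded, so a --permanent direct rule shows up only after `firewall-cmd --reload`; the sysctl check reads the live values under /proc/sys, so it also catches an interface that was created after /etc/sysctl.d was applied and still carries the kernel default.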

3. Disabling IPv6

This makes the system ignore ICMPv6 redirects, since no IPv6 stack is left to process them, but it is too radical in most cases. For more information please visit:
How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.