9

The current Ubuntu LTS does not support NAT tables for IPv6 (i.e. there is no ip6tables -t nat), and I'm fine with that, in fact, a NAT-less environment is the "core" of my networks.

But, the next Ubuntu LTS will add support for IPv6 NAT tables and, the problem is, I have "orders" to not allow it within my IPv6 network, I mean, we'll not support NAT66 (NAT for IPv6).

So, I need to make sure that ip6tables -t nat will not work here. How can I disable it?

Can I just blacklist some kernel modules? Sysctl?

Seth
  • 59,442
  • 44
  • 149
  • 201
ThiagoCMC
  • 869
  • 4
  • 13
  • 28

2 Answers2

6

The IPv6 NAT module is named nf_nat_ipv6, so it should be sufficient to blacklist that module.

sudo sh -c 'echo blacklist nf_nat_ipv6 >> /etc/modprobe.d/blacklist'
Community
  • 1
Michael Hampton
  • 1,860
  • 1
  • 16
  • 27
  • That blacklist technique does not work.

    nf_nat_ipv6 is there, blacklisted but, if I run "ip6tables -t nat -L -nv", the module appear.

    Please, NAT66 is totally undesired, unnecessary, and I need to make sure it is disabled.

     – ThiagoCMC Dec 30 '13 at 21:05
  • @user2512727 Probably you will need to physically remove the module, then. – Michael Hampton Dec 30 '13 at 21:09
  • 1
    But then, I'll break the package "linux-image-generic"... And after a system upgrade, that creepy module will appear again... I really don't understand why this thing is enabled by default, NAT66 is undesired. People need to get over NAT (which is just a workaround of IPv4 networks), come on Ubuntu guys... Don't do this, give me a professional way to disable NAT66... IPv6 does NOT need any kind of NAT and this will bring problems to a world (IPv6) that does not have any problems. :-P – ThiagoCMC Dec 30 '13 at 21:17
  • 4
    @user2512727 I don't get it either. This particular bit of code should never have been written, let alone deployed. – Michael Hampton Dec 30 '13 at 21:23
  • Thank you for your support Michael! I totally agree with you. I'll try to figure out the best way to disable NAT66... Happy new year! =D – ThiagoCMC Dec 30 '13 at 21:42
  • 1
    The sudo part of the command doesn't do you any good. It only applies to the echo command (which doesn't need special privileges). The redirection, which need privileges, is performed before sudo. So the command is just going to fail with bash: /etc/modprobe.d/blacklist: Permission denied. But perhaps echo blacklist nf_nat_ipv6 | sudo tee -a /etc/modprobe.d/blacklist might work better. – kasperd Mar 01 '15 at 10:14
  • 1
    @ThiagoCMC Why do you say it is enabled by default? Unless you create rules which need the module it shouldn't ever be loaded. That said I am afraid such a module will do more harm than good. The sensible usage cases for NAT66 are extremely rare. NAT66 functionality is more likely to be used by people who had too much exposure to IPv4 and now suffer from the delusion that NAT is a good idea. – rfc2460 Apr 27 '19 at 14:51
0

The proper way to blacklist modules such as this is as follows:

In your blacklist file, insert the following line, replacing "(module_name)" with the name of the module as it shows in lsmod

install (module_name) /bin/false

This is a kernel-level directive and not specific to any distribution. You can find more about the install directive in man modprobe.conf.

David Foerster
  • 36,900
  • 56
  • 98
  • 152
Speeddymon
  • 182