Binding to ipv6 instead of ipv4

Problem: Most services are binding to an ipv6 port rather than ipv4. I see this for puppet, foreman-proxy, etc. We are not using ipv6. How do I change the bindings?

Expected outcome: All services bind with ipv4 ports.

Foreman and Proxy versions: foreman - 2.1.3-1

Foreman and Proxy plugin versions: 2.1.3-1

Distribution and version: CentOS 7.7

Other relevant data: katello - 3.16.1-1

If you are not using IPv6, what is the problem?

I think that most if not all services today bind to IPv6. Can you show where it actually binds?

The httpd ports, for example, are binding to ipv6 ports and not the ipv4 port. Same for a lot of other services. I can’t get to them.

httpd IPv6 TCP :80
httpd IPv6 TCP :443
squid IPV6 TCP :3128
httpd IPV6 TCP :5000
java IPv6 TCP :8140
squid IPv6 UDP :60000

are a few

Our services usually bind to *. Usually that’s implemented by binding to ::. There is a sysctl bindv6only to make :: IPv6-only, but that’s not the default. By default :: is binding to both IPv4 and IPv6. If you use bindv6only=1 you are on your own. There are advanced parameters to tune the exact binds, but IPv4-only is the opposite direction of where we are heading.

Well, my organization isn’t even talking about ipv6. So, that is quite a way off. How do I make them all bind to ipv4 instead of ipv6?

If you want to bind to IPv4, you’re on your own for that. We test our envs in setups where there is only IPv4 connectivity and that works while binding to ::. If the problem is you can’t connect, that may be a different matter. In that case you need to provide more context about what you’re doing and your environment.

You don’t. Any default (IPv6) bind accepts IPv4 and IPv6. That is not the problem.

What do you mean by

What I mean is that there is no ipv4 port 80 listening for httpd for example. So, I can’t reach the gui with a web browser. I’m going to re-kick and re-install with adding code to disable ipv6. Will see if that fixes it.

As I wrote before: A default bind accepts IPv4 and IPv6. That is not your problem. If it listens to :: it listens to any IP address, IPv4 and IPv6.

I have a web server which shows like this:

# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
...
tcp6       0      0 :::80                   :::*                    LISTEN      971/httpd           
tcp6       0      0 :::443                  :::*                    LISTEN      971/httpd           

I can connect port 80 and port 443 on any IP address, IPv4 and IPv6.
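Added example, not part of the original thread: a small Python check of the behaviour described above, where a listener on `::` (shown as `tcp6 :::80` in netstat) accepts IPv4 clients unless `IPV6_V6ONLY` is set on the socket or `bindv6only=1` is the system default. The function names are hypothetical, and it assumes a Linux host with IPv6 socket support and a working loopback interface.

```python
import socket

def read_bindv6only(path="/proc/sys/net/ipv6/bindv6only"):
    """Return the net.ipv6.bindv6only sysctl (0 or 1), or None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

def ipv4_reaches_wildcard_v6(v6only=None):
    """Listen on [::] and try to connect to it over IPv4 loopback.

    v6only=True/False sets IPV6_V6ONLY explicitly; None leaves the
    kernel default, which follows the bindv6only sysctl.
    Returns (connected, peer address as seen by the server).
    """
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        if v6only is not None:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))          # port 0: the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        srv.settimeout(2)
        cli.settimeout(2)
        try:
            cli.connect(("127.0.0.1", port))
        except OSError:
            # Nothing answers on IPv4: the socket is IPv6-only.
            return False, None
        conn, peer = srv.accept()
        conn.close()
        # A dual-stack socket reports IPv4 clients as IPv4-mapped IPv6 addresses.
        return True, peer[0]

if __name__ == "__main__":
    print("net.ipv6.bindv6only =", read_bindv6only())
    for mode in (None, False, True):
        print("IPV6_V6ONLY =", mode, "->", ipv4_reaches_wildcard_v6(mode))
```

If the dual-stack case connects here but a real service on `:::80` is still unreachable over IPv4, the bind is not the cause and the next thing to check is packet filtering on the host.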

That’s the problem. However, without more details it’s difficult to tell what goes wrong.

I’m going to blame firewalld. That is normally disabled. So, I did not even think to look there. I re-kicked and added code to disable ipv6. I could see the ports up and listening, but still could not connect. So, I tried systemctl is-enabled firewalld and got back enabled. So, I ran some commands to enable satellite and ntp through firewalld and re-checked the connection. It is now connecting.

Thanks everyone for your help! I appreciate it. :slight_smile:


I love this tool. The moment I started using firewalld, I almost forgot how ugly iptables is, and with few exceptions, I never had to write an iptables rule anymore. For regular servers, you usually only need to assign interfaces into zones, add a few services or ports and that’s all. :slight_smile: