Score:0

Disable outgoing IPv6 for specific users on Linux

ndd

I would like to block outgoing IPv6 connections for specific users on a Linux machine. I don't want to disable IPv6 for the whole system. How can I do it? I can do it using ip6tables and rejecting OUTPUT connections with icmp6-adm-prohibited or icmp6-no-route or icmp6-addr-unreachable, but that for some reason causes delays of about 1s with every connection made (IPv4 is tried only after waiting for 1s). If multiple connections are made, this delay really stacks.
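The rule shape the question describes, as an added example that is not part of the original post. It assumes the per-user match is expressed with the owner module (`-m owner --uid-owner`) and that loopback traffic is left alone; the accounts `alice` and `bob` are hypothetical, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Emit ip6tables rules that reject outgoing IPv6 for the named users only.
# Dry run by design: rules are printed, not applied, so they can be reviewed
# first and then run as root.

# Accept only the reject types named in the question.
valid_reject() {
    case "$1" in
        icmp6-adm-prohibited|icmp6-no-route|icmp6-addr-unreachable) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ipv6_block_rules REJECT_TYPE USER...
ipv6_block_rules() {
    reject=$1; shift
    valid_reject "$reject" || { echo "unsupported reject type: $reject" >&2; return 2; }
    seen=" "
    for user in "$@"; do
        # Allow only conservative account names so nothing odd reaches the rule text.
        case "$user" in
            ''|*[!A-Za-z0-9_.-]*|-*) echo "bad user name: $user" >&2; return 2 ;;
        esac
        # Skip duplicates so the chain does not collect redundant rules.
        case "$seen" in *" $user "*) continue ;; esac
        seen="$seen$user "
        # Assumption: loopback (::1) stays reachable for local services.
        echo "ip6tables -A OUTPUT ! -o lo -m owner --uid-owner $user -j REJECT --reject-with $reject"
    done
}

# Constructed sample: alice and bob are hypothetical accounts.
ipv6_block_rules icmp6-adm-prohibited alice bob
```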

Score:0

I don't think that is easily achievable.

Any client that makes a network connection first issues a DNS request to get the addresses of the destination server.

Most applications use the system libc library to make the connection. When the library sees that the system has both IPv4 and IPv6 addresses configured, it requests both A and AAAA records for the domain name.

If the destination domain has an IPv6 address, the application first tries to connect using IPv6, and then falls back to IPv4 if IPv6 fails.

This fallback delay is what you are noticing.

You would need to have a custom libc that would resolve only A records for certain users and A+AAAA records for other users.
