Unexpected IPv6 Behavior on Linux
Linux has some strange default IPv6 behavior. Here are a few things I noticed…
You can bind to a port on an IPv4 address while all of your tools report the port as IPv6. For example, if your host is 198.51.100.1, you can bind to the IPv4-mapped address ::FFFF:198.51.100.1, and state-checking tools such as netstat, ss or lsof will all report the listener as an IPv6 socket. You can do this in netcat with
nc -6 -l ::FFFF:18.104.22.168
Linux does not appear to expose a default IPv6 ruleset (the usual chains with a default policy of ACCEPT everything) the way it does for IPv4. Instead, running ip6tables-save on a fresh host simply prints nothing and exits without an error code. In a small deployment you can catch this by hand, but in a mass-deployment scenario it can become a dangerous gotcha, since a script that checks the exit code alone will see "success" and no rules.
By default, binding to all IPv6 addresses (::) also binds to all IPv4 addresses. This can be changed by setting the sysctl net.ipv6.bindv6only to 1. This seems like a very poor default.
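The two socket-level behaviours above (an IPv4 peer showing up as an IPv4-mapped ::ffff: address, and a wildcard IPv6 listener silently accepting IPv4) can be reproduced on loopback with a short script. This is an added example, not code from the original post; it uses the per-socket IPV6_V6ONLY option, which is what the net.ipv6.bindv6only sysctl sets the default for, so it does not need root or a sysctl change.

```python
import socket


def ipv6_sockets_available() -> bool:
    """True if this kernel lets us open an AF_INET6 socket at all."""
    try:
        socket.socket(socket.AF_INET6, socket.SOCK_STREAM).close()
        return True
    except OSError:
        return False


def peer_seen_by_v6_listener(v6only: bool):
    """Listen on the IPv6 wildcard [::] with IPV6_V6ONLY = v6only, connect to it
    over plain IPv4 (127.0.0.1) and return the peer address the listener sees,
    or None if the IPv4 connection is refused (no IPv4 listener exists)."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    # v6only=False mirrors the Linux default (bindv6only=0): dual-stack.
    # v6only=True mirrors bindv6only=1: the socket is IPv6 only.
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    srv.bind(("::", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    srv.settimeout(2)
    port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4-only client
    cli.settimeout(2)
    try:
        cli.connect(("127.0.0.1", port))
        conn, peer = srv.accept()
        conn.close()
        # The AF_INET6 listener reports the IPv4 peer in mapped form,
        # "::ffff:127.0.0.1", which is why ss/netstat/lsof show "IPv6".
        return peer[0]
    except ConnectionRefusedError:
        return None
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    print("dual-stack listener (bindv6only=0) sees:", peer_seen_by_v6_listener(False))
    print("v6-only listener   (bindv6only=1) sees:", peer_seen_by_v6_listener(True))
```

Run it on a stock Linux box and the first line prints ::ffff:127.0.0.1 while the second prints None; a firewall policy or port audit that only looks at IPv4 listeners would miss the first case entirely.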