IPv6 Administration

IPv6 is no longer optional — cloud providers, mobile networks, and many enterprises have deployed it, and Ubuntu enables it by default. If your server has an IPv6 address (even a link-local one), your firewall rules and service bindings need to account for it. Many security incidents involve IPv6 traffic bypassing IPv4-only firewall rules. Understanding IPv6 addressing and configuration on Ubuntu is now a required sysadmin skill.

IPv6 address types

IPv6 address: 2001:0db8:0000:0000:0000:0000:0000:0001
Compressed:   2001:db8::1    (consecutive zeros = ::, only once per address)

Types:
  fe80::/10   Link-local    Auto-assigned, used for local segment comms
              Every interface gets one automatically
              NOT routable beyond the local link

  fc00::/7    Unique local  RFC 4193 private addresses (like RFC 1918 for IPv4)
              fd00::/8 is commonly used for private networks

  2000::/3    Global unicast   Publicly routable (like public IPv4)
              Your ISP/cloud provider assigns these

  ::1         Loopback      Equivalent to 127.0.0.1

# Show all IPv6 addresses on the system
ip -6 addr show

# You'll always see link-local (fe80::) on active interfaces
# This is normal and auto-configured

Configuring IPv6 in Netplan

# Static IPv6 address
network:
  version: 2
  ethernets:
    ens3:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.10/24          # IPv4
        - 2001:db8:1::10/64        # IPv6 static
      routes:
        - to: default
          via: 192.168.1.1
        - to: "::/0"               # IPv6 default route
          via: "2001:db8:1::1"
      nameservers:
        addresses: [8.8.8.8, 2001:4860:4860::8888]   # IPv4 + IPv6 DNS

# SLAAC (Stateless Address Autoconfiguration) — auto-configure IPv6 from router
network:
  version: 2
  ethernets:
    ens3:
      dhcp4: true
      dhcp6: true    # Request IPv6 via DHCPv6
      accept-ra: true  # Accept Router Advertisements for SLAAC

Running dual stack

# Check that both IPv4 and IPv6 are working
ping -c 3 8.8.8.8              # IPv4
ping6 -c 3 2001:4860:4860::8888  # IPv6
ping6 -c 3 google.com           # Tests IPv6 DNS resolution

# Check which version a connection uses
curl -6 https://ipv6.google.com    # Force IPv6
curl -4 https://google.com         # Force IPv4

# See dual-stack listening services (services bind to both IPv4 and IPv6)
ss -tlnp6    # IPv6 sockets only

IPv6 firewall rules

⚠️ WARNING: iptables rules only apply to IPv4 traffic. IPv6 has a separate firewall: ip6tables (or ufw handles both). If you only configure IPv4 firewall rules, IPv6 traffic bypasses them completely. Always configure both, or use UFW which manages both automatically.

# UFW handles both IPv4 and IPv6 automatically
sudo ufw enable
sudo ufw allow 22/tcp      # Applies to both IPv4 and IPv6 automatically
sudo ufw status verbose

# Verify UFW is managing IPv6 (check IPV6=yes in /etc/default/ufw)
grep IPV6 /etc/default/ufw

# Manual ip6tables rule (if not using UFW)
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -j DROP

# Check current ip6tables rules
sudo ip6tables -L -n -v

IPv6 troubleshooting

# Check IPv6 routing table
ip -6 route show

# Check neighbor discovery cache (IPv6 equivalent of ARP)
ip -6 neigh show

# Test path to IPv6 destination
traceroute6 google.com
mtr --ipv6 google.com

# If IPv6 is not working when it should be:
# 1. Check if interface has a global (non fe80) IPv6 address
ip -6 addr show ens3 | grep "scope global"

# 2. Check if default IPv6 route exists
ip -6 route show | grep default

# 3. Check if router advertisements are being received
sudo tcpdump -i ens3 -n icmp6 and 'ip6[40] == 134'  # RA messages

Conclusion

Every Ubuntu server automatically gets link-local IPv6 addresses (fe80::) on all active interfaces — this is normal. If your server has public IPv6 addresses, ensure your firewall rules cover both iptables (IPv4) and ip6tables (IPv6), or use UFW which manages both. For dual-stack servers, test both stacks explicitly. A server that appears to have no IPv6 connectivity but has link-local addresses likely just needs a default IPv6 route or Router Advertisement acceptance enabled.

FAQ

Is IPv6 Administration important for Ubuntu administrators?+

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?+

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?+

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support