I would like to block outgoing IPv6 connections for specific users on a Linux machine. I don't want to disable IPv6 for the whole system. How can I do it? I can do it using ip6tables and rejecting OUTPUT connections with icmp6-adm-prohibited, icmp6-no-route or icmp6-addr-unreachable, but for some reason that causes a delay of about 1s with every connection made (IPv4 is tried only after waiting for 1s). If multiple connections are made this delay really stacks.
I don't think that is easily achievable
Any client that makes a network connection first issues a DNS request to get the addresses of the destination server.
Most applications use the system libc library to make the connection. When the library sees that the system has both IPv4 and IPv6 addresses configured, it requests both A and AAAA records for the domain name. If the destination domain has an IPv6 address, the application first tries to connect using IPv6, and then falls back to IPv4 if IPv6 fails.
This fallback delay is what you are noticing.
You would need a custom libc that resolves only A records for certain users and A+AAAA records for other users.
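For reference, the way to scope the ip6tables REJECT rule from the question to a single user is the owner match (`-m owner --uid-owner`), which matches locally generated packets by the uid of the socket owner. The script below is an added example and is not code from the question or the answer; the user name `alice`, the numeric uid `1001`, the loopback exemption and the `IPV6_BLOCK_APPLY` environment variable are assumptions for illustration. It builds the rules and only applies them when explicitly asked to, so it can be inspected without root. It does not address the fallback delay the poster reports.

```shell
#!/bin/sh
# Added example: per-user outbound IPv6 block with the ip6tables owner match.
# Not from the original page; user names, uid and env var are illustrative.

# Print the ip6tables rule that rejects all locally generated IPv6 traffic
# from one user. $1 is a user name or numeric uid (both are accepted by
# --uid-owner); $2 is the --reject-with type, default icmp6-adm-prohibited
# (the other ICMPv6 options mentioned in the question are icmp6-no-route and
# icmp6-addr-unreachable).
ipv6_block_rule() {
    user="$1"
    reject="${2:-icmp6-adm-prohibited}"
    printf 'ip6tables -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with %s\n' \
        "$user" "$reject"
}

# Print the rule that keeps the same user's loopback IPv6 traffic (::1) working.
# Inserted at the top of OUTPUT so it is evaluated before the REJECT rule.
ipv6_loopback_rule() {
    user="$1"
    printf 'ip6tables -I OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$user"
}

# Print both rules in the order they should be applied (accept loopback, then reject).
ipv6_block_ruleset() {
    ipv6_loopback_rule "$1"
    ipv6_block_rule "$1" "$2"
}

# Apply the ruleset. Requires root; refuses to run otherwise so that a
# non-privileged reviewer can still source this file and inspect the rules.
apply_ipv6_block() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ipv6_block: must run as root" >&2
        return 1
    fi
    ipv6_block_ruleset "$1" "$2" | while IFS= read -r rule; do
        echo "applying: $rule"
        eval "$rule"
    done
}

# Dry run by default; set IPV6_BLOCK_APPLY=1 to actually change the firewall.
if [ "${IPV6_BLOCK_APPLY:-0}" = "1" ]; then
    apply_ipv6_block alice icmp6-adm-prohibited
else
    ipv6_block_ruleset alice icmp6-adm-prohibited
fi
```

The owner match only sees packets generated on this host, so it is valid in the OUTPUT chain (and mangle POSTROUTING) but not for forwarded traffic; `--gid-owner` does the same by group if a whole group of users should be covered. Verify the result with `ip6tables -L OUTPUT -v -n`, and from the restricted account with something like `curl -6 -sS https://example.com`, which should fail immediately rather than time out.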