In certain scenarios it is necessary to configure IP forwarding on a Linux system. If the server is acting as a firewall, router, or NAT device, it must be able to pass on packets that are addressed to other hosts rather than to itself. Linux uses the net.ipv4.ip_forward kernel parameter to toggle this behaviour on or off.
Conversely, IP forwarding should be turned off if the system is not filling one of those roles. You don't want a host spending bandwidth and CPU relaying packets for other destinations, and a host that forwards when it doesn't need to gives anyone who reaches it a convenient way to relay traffic into the other networks it is attached to.
In this tutorial, we'll go through step by step instructions to enable or disable IP forwarding using command line examples. The commands apply to any major Linux distro, including popular choices like Ubuntu and Red Hat. You will see how to edit the net.ipv4.ip_forward parameter, which controls forwarding for IPv4 only; IPv6 forwarding is governed by a separate parameter, net.ipv6.conf.all.forwarding, and is left off unless you also set that.
In this tutorial you will learn:
- How to check the current IP forwarding status
- How to enable or disable IP forwarding
- Common troubleshooting steps for IP forwarding
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distro |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of the sudo command; $ – requires given linux commands to be executed as a regular non-privileged user |
Check current IP forwarding status
Most systems have the sysctl command, which reads and sets kernel parameters. Use it to check whether IP forwarding is currently enabled or disabled:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
In the example above, the net.ipv4.ip_forward kernel parameter is 0, which means forwarding is off. A value of 1 means it is enabled.
The same value can be read directly from the /proc/sys/net/ipv4/ip_forward file. This interface is provided by the kernel itself, so it works the same way whether the distribution uses systemd or any other init system.
# cat /proc/sys/net/ipv4/ip_forward
0
IP forwarding is what turns a host into a router: with it enabled, the kernel takes packets that arrive on one interface but are destined for some other host and sends them on to the next hop chosen by its routing table. On Linux it is often called kernel IP forwarding because it is controlled by the kernel parameter net.ipv4.ip_forward. The kernel's built-in default is ip_forward=0, so forwarding is disabled unless something turns it on. That something is not always an administrator: container and virtualisation tooling such as Docker and libvirt enable forwarding on the host when they start, so on a server running those, check the current value rather than assuming the default still holds.
Enable or disable IP forwarding
You can use the following sysctl command to disable or enable Linux IP forwarding on your system, respectively:
# sysctl -w net.ipv4.ip_forward=0
or
# sysctl -w net.ipv4.ip_forward=1
You can also write the value into /proc/sys/net/ipv4/ip_forward to turn the setting off or on:
# echo 0 > /proc/sys/net/ipv4/ip_forward
or
# echo 1 > /proc/sys/net/ipv4/ip_forward
Either method takes effect immediately, but neither survives a reboot. To make the setting persistent, add it to the /etc/sysctl.conf file (or, on distributions that keep their settings as drop-in files, to a file under /etc/sysctl.d/):
$ sudo nano /etc/sysctl.conf
Add one of the following lines to the bottom of the file, depending on whether you'd like Linux IP forwarding to be off or on, respectively, then save the file. One ordering caveat: changing ip_forward resets the other net.ipv4.conf.* parameters to their host or router defaults, so if the same file also hardens settings such as accept_redirects or send_redirects, place the ip_forward line above them so they are applied afterwards.
net.ipv4.ip_forward = 0
or
net.ipv4.ip_forward = 1
After editing the file, run the following command to load it right away. sysctl -p reads /etc/sysctl.conf; use sysctl --system instead to reload that file together with every drop-in under /etc/sysctl.d/, which also shows you the order in which the files are applied, so you can spot a later file overriding your setting.
# sysctl -p
Note that the sysctl command itself does not depend on any service: sysctl -w and sysctl -p write to the kernel directly and work on any system. What does depend on a service is the persistent setting, which is applied at boot by whatever reads the sysctl configuration files. On systemd distributions that is systemd-sysctl.service, which loads the drop-ins under /etc/sysctl.d/ (distributions typically link /etc/sysctl.conf into that directory so it is picked up as well). Check it with:
$ systemctl status systemd-sysctl
It is a one-shot unit, so a healthy status reads active (exited). If you want the configuration re-applied without a reboot, run sysctl --system or restart the unit:
$ sudo systemctl restart systemd-sysctl
On non-systemd Linux installs the service name and the command differ. For example, OpenRC uses:
# rc-service sysctl status
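To tie the steps above together, here is a small POSIX shell script, added as an example and not part of the original tutorial, that reads the forwarding state from a sysctl-style file, renders the persistent configuration for IPv4 and IPv6 together, and applies it at runtime. The drop-in path /etc/sysctl.d/90-ip-forward.conf and the function names are my own choices, not something the tutorial prescribes. The demonstration at the bottom runs against a constructed temporary file so it works without root; the real change only happens when you run the script as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check, render and apply
# IP forwarding settings. Hypothetical names chosen here: the drop-in file
# /etc/sysctl.d/90-ip-forward.conf and the function names below.

# Print the forwarding state read from a sysctl-style file. The path is a
# parameter so the function can be exercised on a constructed file; the
# default is the live kernel parameter.
ip_forward_state() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ ! -r "$path" ]; then
        echo "unreadable"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unexpected:$value" ;;
    esac
}

# Render the lines for a persistent configuration file. IPv4 and IPv6 are
# set together: a router usually handles both, and a host that must not
# forward should not forward either family.
render_forwarding_conf() {
    case "$1" in
        0|1) ;;
        *) echo "usage: render_forwarding_conf 0|1" >&2; return 2 ;;
    esac
    printf 'net.ipv4.ip_forward = %s\n' "$1"
    printf 'net.ipv6.conf.all.forwarding = %s\n' "$1"
}

# Write the drop-in and load it immediately. Needs root. Returns non-zero
# if the live value does not match the request afterwards.
set_ip_forward() {
    want="$1"
    conf="/etc/sysctl.d/90-ip-forward.conf"     # hypothetical file name
    render_forwarding_conf "$want" > "$conf" || return 2
    sysctl -p "$conf" > /dev/null || return 2   # -p FILE loads that file now
    if [ "$want" = 1 ]; then expect="enabled"; else expect="disabled"; fi
    [ "$(ip_forward_state)" = "$expect" ]
}

# Demonstration on a constructed file so this part runs without root.
tmp=$(mktemp)
printf '0\n' > "$tmp"
echo "constructed sample file: $(ip_forward_state "$tmp")"
rm -f "$tmp"
echo "configuration that would be written for a router:"
render_forwarding_conf 1

# The real change happens only on request:  sudo sh ip_forward.sh apply 1
if [ "${1:-}" = "apply" ]; then
    set_ip_forward "${2:?give 0 or 1}"
fi
```

Because set_ip_forward checks the live value after loading the file, it catches the case where a later drop-in or a tool such as Docker overrides what you just wrote.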
If you have enabled IP forwarding (verified by checking the kernel parameter after a reboot) but traffic still does not reach the destination systems, check the FORWARD chain of iptables, which is where forwarded packets are filtered:
# iptables -L FORWARD -v -n
Chain FORWARD (policy ACCEPT 667 packets, 16724 bytes)
 pkts bytes target     prot opt in     out     source               destination
Either the chain's policy should be ACCEPT, or it should contain rules that accept the connections you expect to forward. The counters tell you what is happening: the figures in the policy line count packets that fell through every rule and hit the default policy, and the pkts and bytes columns count matches on each rule. If a DROP or REJECT rule, or a DROP policy, is accumulating packets, the firewall is discarding the traffic and needs a rule for it. If every counter stays at zero while you generate traffic, forwarded packets are not reaching the chain at all: re-check that ip_forward is 1, that the routing table sends the traffic out of the right interface, and that the clients actually use this host as their gateway. On systems that use nftables directly, inspect the equivalent chain with nft list ruleset. On hosts running Docker, note that it sets the FORWARD policy to DROP and inserts its own DOCKER-USER chain at the top, so rules for your own forwarded traffic belong there.
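The counter reasoning above is mechanical enough to script. The POSIX shell function below, added here as an example and not part of the original tutorial, reads the output of iptables -L FORWARD -v -n on standard input and classifies it as forwarding, dropping, or no-traffic, handling the K/M/G suffixes that iptables -v prints for large counters. The sample outputs are constructed for this example, not captured from a real system; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise the FORWARD chain
# from `iptables -L FORWARD -v -n` output to tell apart "packets reach the
# chain and are dropped" from "no forwarded packets reach the chain at all".
# The function name and the sample outputs below are constructed for this
# example.

# Reads iptables output on stdin and prints one key=value line.
forward_chain_report() {
    awk '
    # iptables -v abbreviates large counters as 1K / 2M / 3G unless -x is given.
    function num(s,  m) {
        m = 1
        if (s ~ /K$/) m = 1000; else if (s ~ /M$/) m = 1000000; else if (s ~ /G$/) m = 1000000000
        sub(/[KMG]$/, "", s)
        return s * m
    }
    # "Chain FORWARD (policy ACCEPT 667 packets, 16724 bytes)"; $5 is empty without -v
    $1 == "Chain" && $2 == "FORWARD" { policy = $4; sub(/\)$/, "", policy); ppkts = num($5); in_fwd = 1; next }
    $1 == "Chain" { in_fwd = 0; next }       # another chain begins (full -L output)
    in_fwd && $1 ~ /^[0-9]+[KMG]?$/ {        # rule line: pkts bytes target ...
        if ($3 == "ACCEPT") acc += num($1)
        else if ($3 == "DROP" || $3 == "REJECT") drop += num($1)
        else other += num($1)                # jumps to user chains, LOG, etc.
    }
    END {
        if (policy == "") { print "verdict=no-forward-chain"; exit }
        total = ppkts + acc + drop + other
        if (total == 0) verdict = "no-traffic"          # nothing reached FORWARD: check ip_forward and routing
        else if (drop > 0 || (policy != "ACCEPT" && ppkts > 0)) verdict = "dropping"   # firewall discards it
        else verdict = "forwarding"                      # accepted here; look further along the path
        printf "policy=%s policy_pkts=%d accept_pkts=%d drop_pkts=%d other_pkts=%d verdict=%s\n",
               policy, ppkts, acc, drop, other, verdict
    }'
}

# Constructed sample outputs (not captured from a real system).
sample_accept='Chain FORWARD (policy ACCEPT 667 packets, 16724 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID'

sample_drop='Chain FORWARD (policy DROP 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  eth0   eth1    10.0.0.0/24          0.0.0.0/0'

sample_idle='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

for s in "$sample_accept" "$sample_drop" "$sample_idle"; do
    printf '%s\n' "$s" | forward_chain_report
done
```

On a live system, pipe the real output in with iptables -L FORWARD -v -n | forward_chain_report, run it twice while generating test traffic, and compare: counters that do not move between runs are the "no-traffic" case even if they are non-zero from earlier activity.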
In this tutorial, we saw how to enable or disable IP forwarding on Linux by editing the kernel parameter, on systemd as well as on other init systems. We also covered how to make the change persistent, and the troubleshooting steps to take if forwarding still isn't working afterwards.
Remember that systems not intended to forward traffic should keep this setting off. It stops them from being used as a relay that hides the true source of traffic, and from wasting bandwidth and CPU processing packets addressed to other hosts.