Aug 1 st. 2006 | Comments
By default any modern Linux distributions will have IP Forwarding disabled. This is normally a good idea, as most peoples will not need IP Forwarding, but if we are setting up a Linux router/gateway or maybe a VPN server (pptp or ipsec) or just a plain dial-in server then we will need to enable forwarding. This can be done in several ways that I will present bellow.
Check if IP Forwarding is enabled
We have to query the sysctl kernel value net.ipv4.ip_forward to see if forwarding is enabled or not: Using sysctl :
or just checking out the value in the /proc system:
Enable IP Forwarding on the fly
As with any sysctl kernel parameters we can change the value of net.ipv4.ip_forward on the fly (without rebooting the system):
the setting is changed instantly; the result will not be preserved after rebooting the system.
Permanent setting using /etc/sysctl.conf
If we want to make this configuration permanent the best way to do it is using the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1
if you already have an entry net.ipv4.ip_forward
with the value 0 you can change that 1.
To enable the changes made in sysctl.conf you will need to run the command:
On RedHat based systems this is also enabled when restarting the network service:
and on Debian/Ubuntu systems this can be also done restarting the procps service:
Using distribution specific init scripts
Although the methods presented above should work just fine and you would not need any other method of doing this, I just wanted to note that there are also other methods to enable IP Forwarding specific to some Linux distributions. For example Debian based distributions might use the setting:
set it to yes and restart the network service. Also RedHat distributions might set this using:
and again restart the network service.
Regardless the method you have used once you have completed this you can check it out using the same method shown above:
If the result is 1 then the Linux system will start forwarding IP packets even if they are not destined to any of its own network interfaces.
ps. I was setting up a VPN dial-in server when I wrote this post ;–).