====== Networking - IP Forwarding ======

IP forwarding is also known as routing.

If the Linux server is acting as a firewall, router, or NAT device, it will need to be capable of forwarding packets that are meant for other destinations (other than itself).

  * IP forwarding should usually be turned off if one of the aforementioned configurations is not being used.
  * This prevents wasting bandwidth or resources to forward packets elsewhere, if not needed.

Linux uses the **net.ipv4.ip_forward** kernel variable to toggle this setting on or off.

----

===== Check if IP forwarding is enabled or disabled, using sysctl =====

<code bash>
sysctl net.ipv4.ip_forward
</code>

returns:

<code>
net.ipv4.ip_forward = 0
</code>

**NOTE:** This shows the net.ipv4.ip_forward kernel setting is 0, which means it is off.

  * If it were set to 1, that would mean it is enabled.

----

===== Alternatively, check if IP forwarding is enabled or disabled, using proc =====

<code bash>
cat /proc/sys/net/ipv4/ip_forward
</code>

returns:

<code>
0
</code>

----

===== Enable or disable IP forwarding =====

==== Using sysctl ====

<code bash>
sysctl -w net.ipv4.ip_forward=0
</code>

or

<code bash>
sysctl -w net.ipv4.ip_forward=1
</code>

**WARNING:** This will not make the change persistent.

----

==== Alternatively, using proc ====

Change the setting inside **/proc/sys/net/ipv4/ip_forward** to turn the setting on or off.

<code bash>
echo 0 > /proc/sys/net/ipv4/ip_forward
</code>

or

<code bash>
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>

**WARNING:** This will not make the change persistent.

----

==== Ensure persistency ====

To make sure the new setting survives a reboot, edit the **/etc/sysctl.conf** file.

Add one of the following lines to the bottom of the file, depending on whether to have IP forwarding on or off.

<code>
net.ipv4.ip_forward = 0
</code>

or

<code>
net.ipv4.ip_forward = 1
</code>

Then, save your changes to this file.

**NOTE:** The setting will be permanent across reboots.
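
The runtime value and the persistent setting can disagree, for example after a ''sysctl -w'' change that was never written to **/etc/sysctl.conf**. The shell functions below are an added example, not part of the original page; the function names and status strings are hypothetical. They find the last net.ipv4.ip_forward assignment in the sysctl.conf-style files passed as arguments and compare it with the runtime value.

```shell
# Added example: audit net.ipv4.ip_forward (function names are hypothetical).

# persistent_ip_forward FILE...
# Print the last value assigned to net.ipv4.ip_forward in the given
# sysctl.conf-style files (later assignments win), or "unset".
persistent_ip_forward() {
    value=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -F= '
            /^[ \t]*[#;]/ { next }          # comment lines
            {
                key = $1; gsub(/[ \t]/, "", key)
                gsub(/\//, ".", key)        # sysctl also accepts net/ipv4/ip_forward
                if (key == "net.ipv4.ip_forward") {
                    last = $2; gsub(/[ \t]/, "", last)
                }
            }
            END { if (last != "") print last }' "$f")
        if [ -n "$v" ]; then value=$v; fi
    done
    echo "$value"
}

# audit_ip_forward RUNTIME_FILE CONF_FILE...
# Print one status line. Return 0 if runtime matches the persistent value,
# 1 on drift, 2 if forwarding is on but no file sets it.
audit_ip_forward() {
    runtime_file=$1; shift
    runtime=$(tr -d ' \t\n' < "$runtime_file")
    persistent=$(persistent_ip_forward "$@")
    if [ "$persistent" = unset ]; then
        if [ "$runtime" = 1 ]; then
            echo "WARN runtime=1 persistent=unset"; return 2
        fi
        echo "OK runtime=$runtime persistent=unset"; return 0
    fi
    if [ "$runtime" != "$persistent" ]; then
        echo "DRIFT runtime=$runtime persistent=$persistent"; return 1
    fi
    echo "OK runtime=$runtime persistent=$persistent"; return 0
}

# On a live system:
#   audit_ip_forward /proc/sys/net/ipv4/ip_forward /etc/sysctl.conf
```

A DRIFT result with runtime=1 and persistent=0 means forwarding was switched on by hand and will revert at the next reboot or ''sysctl -p''.
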

----

==== Make the changes take effect right away ====

<code bash>
sysctl -p
</code>

----

===== Troubleshooting =====

Check the status of sysctl with this command:

<code bash>
systemctl status sysctl
</code>

----

The service should say that it is active.

If not, start the service with this command:

<code bash>
sudo systemctl start sysctl
</code>

On non-systemd Linux installs, checking the status of sysctl will be different.

Try:

<code bash>
rc-service sysctl status
</code>

----

If IP forwarding is successfully enabled (verified by checking the kernel variable after reboot), but traffic is still not being received on destination systems, check the FORWARD rules of iptables.

<code bash>
iptables -L -v -n
</code>

returns:

<code>
...
Chain FORWARD (policy ACCEPT 667 packets, 16724 bytes)
 pkts bytes target     prot opt in     out     source               destination
</code>

**NOTE:** The FORWARD chain should either be set to ACCEPT, or have rules listed that allow certain connections.

  * Check if traffic is reaching the FORWARD chain of iptables by checking the number of packets and bytes that have hit the chain.
  * If none, then there may be some higher rules in the chain that are blocking traffic.

----

===== TAGS =====

  * TAG: Firewall
  * TAG: Networking
  * TAG: Router
  * TAG: Routing
  * TAG: Security
  * TAG: Server

----