Linux IP Forwarding: Complete Setup Guide

Updated on Jul 3, 2026 by Sue Dunham

Linux IP forwarding is essential for many advanced networking tasks, but enabling it without the right configuration can create unintended security and connectivity issues. Whether you’re setting up a router, gateway, VPN, or another network service in Linux, it’s important to know when to enable IP forwarding, how to configure it, and when to disable it.

This guide shows you how to check whether Linux IP forwarding is on and how to enable it temporarily or permanently. You’ll also learn how to troubleshoot common issues and turn it off when you’re done.

What Is IP Forwarding in Linux?

Linux IP forwarding is a kernel-level feature1 that lets the system forward IP packets between network interfaces, essentially turning your Linux machine into a router. It’s turned off by default, so a Linux machine only handles packets meant for its own IP address and drops any packets addressed to a different interface. When you enable it, the system checks the destination IP against its routing table and forwards each packet to the right network interface.

How to Enable IP Forwarding on Linux

The steps below show how to check whether you’ve enabled IP forwarding and how to turn it on. You have two ways to do this. A temporary change applies right away but resets after a reboot, while a permanent change survives restarts.

Check If IP Forwarding Is Enabled

First, check whether IP forwarding is already on:

  1. Open the Terminal (press Ctrl+Alt+T).
  1. To check whether IPv4 forwarding is set up, run echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward and press Enter
  1. For IPv6, type echo 1 | sudo tee /proc/sys/net/ipv6/conf/all/forwarding and press Enter.
Screenshot showing the terminal in Ubuntu Linux with the IPv6 forwarding check command entered

In both cases, a value of 1 in the command output means that IP forwarding is on, and 0 means it’s disabled.

Enable IP Forwarding Temporarily

  1. Open the Terminal.
  1. For IPv4, type sudo sysctl -w net.ipv4.ip_forward=1, press Enter, and enter your password if prompted. (Don’t worry if nothing appears on the screen when you’re typing your password – this is to stop anyone from reading your password over your shoulder.)
  1. For IPv6, type sudo sysctl -w net.ipv6.conf.all.forwarding=1, press Enter, and enter your password if prompted.

On setups without systemd or sysctl, you can enable forwarding through the kernel command line instead. Add net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 to /etc/default/grub, then rebuild the bootloader with sudo update-grub.

To confirm it worked, run the check command from above and make sure the values now show 1. 

Enable IP Forwarding Permanently

  1. Open the Terminal, run sudo nano /etc/sysctl.conf, and enter your password if prompted.
  1. Scroll through the sysctl.conf file and find the net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1 lines.
Screenshot showing the terminal in Ubuntu Linux with IPv4 and IPv6 forwarding options in the sysctl.conf file commented out
  1. Uncomment net.ipv4.ip_forward = 1 to enable IPv4 forwarding and net.ipv6.conf.all.forwarding = 1 to enable IPv6 forwarding. You can do so by removing the # sign at the start of each line.
Screenshot showing the terminal in Ubuntu Linux with IPv4 and IPv6 forwarding options in the sysctl.conf file enabled
  1. Press Ctrl + O to write to the file, then press Enter when you see the File name to write: /etc/sysctl.conf prompt.
Screenshot showing the terminal in Ubuntu Linux with the prompt confirming to write to the sysctl.conf file
  1. Press Ctrl + X to return to the terminal once you see a Wrote [X] lines prompt.
Screenshot showing the terminal in Ubuntu Linux with the text editor confirming that the sysctl.conf file has been updated
  1. Run sudo sysctl -p to apply the changes. 
Screenshot showing the terminal in Ubuntu Linux with the command to apply the changes made to the sysctl.conf file

How to Disable IP Forwarding on Linux

Disabling Linux IP forwarding follows the same process as enabling it, just with the values reversed. If you enabled it temporarily, set the value to 0 in the sysctl -w command. If you enabled it permanently, comment out the net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1 lines in the sysctl.conf file by adding # to the start of each line.

Troubleshooting Linux IP Forwarding

Most Linux IP forwarding problems come down to settings that don’t survive a reboot, traffic that won’t route even though you enabled forwarding, or a sysctl service that isn’t running. The steps below help you diagnose and fix each one.

Change Not Persisting After Reboot

If you have to re-enable Linux IP forwarding after every reboot, you’re probably setting it temporarily with the sysctl -w command, which only lasts until the next restart. Follow the steps to permanently enable IP forwarding to resolve the problem. It writes the setting into the sysctl.conf file, and the system reads that file on every boot, so the change sticks.

Traffic Still Not Forwarding Despite Enabling the Setting

If you enabled IP forwarding but traffic still isn’t routing, the problem could be the FORWARD chain in iptables, which filters packets that don’t originate from the host machine and aren’t addressed to it. These steps will help:

  1. Open the Terminal, run sudo iptables -L FORWARD -v -n, and enter your password if prompted. This shows the FORWARD chain policy.
  1. Check the policy. If it’s set to DROP and no rules allow your forwarded traffic, the FORWARD chain is blocking it, so continue with the steps below. If it says ACCEPT, the FORWARD chain isn’t the cause and the problem likely lies elsewhere. Check that you’ve applied the forward settings or if another firewall rule is blocking the traffic.
Screenshot showing the terminal in Ubuntu Linux with the iptables forwarding policy set to DROP
  1. Run ip a to find the names of the two interfaces you want to forward between. Then add rules allowing forwarding in that direction, with return traffic limited to established connections. Replace eth1 and eth0 in the commands below with your own interface names:
    sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  1. Run sudo iptables -L FORWARD -v -n again to confirm your new rules now appear in the FORWARD chain. The default policy will still show DROP. The rules you added are what permit your specific traffic.
Screenshot showing the terminal in Ubuntu Linux with the iptables forwarding policy set to ACCEPT

Adding rules for only the interfaces you need is safer than setting the whole FORWARD policy to ACCEPT, which would let all forwarded traffic through. That’s worth avoiding on a production or internet-facing machine.

Sysctl Service Not Running

If neither of the steps above works, Linux may not be applying your settings. These steps will reapply them.

  1. Open the Terminal.
  1. Run sudo sysctl --system and enter your password if prompted. This reloads your saved sysctl values from their config files without a reboot.
  1. Confirm forwarding is now on by running cat /proc/sys/net/ipv4/ip_forward. A value of 1 means it’s enabled, and 0 means it’s still off.
  2. If your system doesn’t use systemd or sysctl (e.g., WSL), set the value with echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward.

When Should You Use IP Forwarding on Linux?

You’ll use Linux IP forwarding whenever your machine needs to pass traffic between two or more networks on behalf of other devices. Here are the main cases. 

VPN Servers

Running a VPN server requires IP forwarding. The server receives encrypted packets on the VPN tunnel interface and forwards them to the destination network through another interface. Without forwarding, the server drops those packets as they arrive.

There’s an important difference between running a server and using a VPN as a client. If you’re connecting to a VPN on your Linux device with a client app like PIA, you don’t need IP forwarding, since your machine isn’t routing traffic for anyone else. It’s also worth noting that IP forwarding and VPN port forwarding aren’t the same thing. They sound similar but do different jobs.

Router or Network Gateway

If your Linux machine sits between multiple networks and passes traffic between them, it’s effectively acting as a router. It needs IP forwarding enabled so it routes those packets instead of dropping them on arrival.

Container Networking

Containerization uses platforms like Docker to package an application with everything it needs to run. Containers sometimes need to communicate with one another, and they do that over a bridge network, which relies on IP forwarding to work2.

NAT and Internet Sharing

To let several devices on a private network share one internet connection, your Linux system uses IP forwarding to act as a network address translation (NAT) device. It translates the private addresses to a single public-facing IP and forwards the packets accordingly.

Linux IP Forwarding Risks

Linux IP forwarding expands what your system can do on the network, but it also creates exposure if you don’t manage it carefully. The main risks include:

  • Internal exposure: A misconfiguration can turn your Linux machine into an unintended bridge, passing traffic between your private network and the public internet. This can allow outsiders to reach systems meant to stay internal, such as private servers or admin tools. Only enable forwarding when needed and ensure it’s backed by firewall rules.
  • Distributed Denial of Service (DDoS): Forwarding can make your device a target for DDoS attacks. If your machine is acting as a router or gateway, taking it down can knock every connected device offline. SYN floods and smurf attacks are two common examples of attacks. A well-configured firewall or tools that limit incoming traffic can help fend them off.

FAQ

What is IP forwarding in Linux?

Linux IP forwarding is a kernel feature that allows a Linux system to route packets between network interfaces, even when the machine itself isn’t the destination. This lets it act as a router, VPN server, NAT gateway, or a Docker bridge network.

How do I enable IP forwarding on Linux?

You can enable IP forwarding temporarily by running echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward (for IPv4) or echo 1 | sudo tee /proc/sys/net/ipv6/conf/all/forwarding (for IPv6) commands in the terminal. To make it permanent, you need to edit the sysctl.conf file.

How do I enable IP forwarding on Ubuntu?

You can temporarily enable IP forwarding on Ubuntu and other similar Linux distributions by running sudo sysctl -w net.ipv4.ip_forward=1 (for IPv4) or sudo sysctl -w net.ipv6.conf.all.forwarding=1 (for IPv6). To make it permanent, uncomment the lines containing these commands in the sysctl.conf file.

When should I use IP forwarding on a Linux server?

You should use IP forwarding on Linux whenever your server needs to route traffic for other devices, such as when it acts as a VPN server, network gateway, or NAT device.

Can I use IP forwarding with a VPN setup for routing traffic?

Yes. You’ll need to enable Linux IP forwarding when setting up a Linux machine as a VPN server. Mainstream protocols like WireGuard and OpenVPN rely on the host to forward packets between the VPN tunnel interface and external networks.

References

  1. IP Sysctl – Kernel.org
  2. Packet filtering and firewalls – Docker