
How to enable IP forwarding?

Last Modified: 2013-12-06
I want to enable IP forwarding in a Linux box with Red Hat ES 3.0. I know that we can do it using IPTABLES, but I have no idea as to how to do it. Can anybody help me with the procedure to add IP forwarding so that if anybody sends a request to the IP, it gets automatically forwarded to another IP which is on a different network?

Awaiting a fast response.


Nitesh N


First of all, enable IP forwarding between interfaces. The clean and elegant way to do it is editing /etc/sysctl.conf and adding/modifying the line:


and running sysctl -p

Quick and dirty way is:

echo 1 > /proc/sys/net/ipv4/ip_forward

That should do it if you want routing between 2 different interfaces, say eth0 and eth1.

Now let's consider eth0 as an interface on net0 and eth1 on net1.

As far as I understood, you want to forward traffic to an IP address on net0 to a network reachable through net1. For doing that you must enable "Proxy ARP" on the interface where you want to route _from_.

Issue the following command:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

And/or edit the sysctl.conf file and add:


Now, route the "fake" address on net0 to the destination interface where the "actual" IP address can be reached.

route add -host <fake_IP_address> dev eth1

with eth1 being the interface where the actual IP is.

Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

* source: source IP
* dest: fake IP
* source: source IP
* dest: fake IP

And the ping will fail because the fake IP does not exist, but you've managed to force routing between interfaces. Here is where iptables comes in.

iptables NAT capabilities will translate fake IP to actual IP.

First of all, make these concepts crystal clear:

* PREROUTING chain: translations applied BEFORE routing decision, so DESTINATION ADDRESSES will be translated
* POSTROUTING chain: translations applied AFTER routing decision, so SOURCE ADDRESSES will be translated.
* And the most important of all: "Traffic has 2 directions, outgoing and incoming"

So, when you request "fake address", you have to translate the destination address of the fake IP:

iptables -t nat -A PREROUTING -i eth0 -d <fake ip address> -j DNAT --to-destination <actual IP address>

And when the "actual IP" responds, you'll have to translate the SOURCE address of the response to the "fake" one:

iptables -t nat -A POSTROUTING -o eth0 -s <actual ip address> -j SNAT --to-source <fake IP address>

Of course you'll have to arrange the iptables commands to your iptables rules and chains, but it should do it. And don't forget to issue a 'service iptables save' to save the iptables settings between reboots.

Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

eth0 (ping-request):
* source: source IP
* dest: fake IP
eth1 (ping-request):
* source: source IP
* dest: actual IP

eth1 (ping-reply):
* source: actual IP
* dest: ping-request originator
eth0 (ping-reply):
* source: fake IP
* dest: ping-request originator

Hope it helps and good luck,


Hello Javier,
Thanks for all the information. It was quick and a good one. However, here I have two IP addresses in different VLANs with each VLAN assigned a particular block of IP addresses. How can I then use IPTables for forwarding IP from 1st VLAN to the IP address in the second VLAN?


Nitesh N
OK, VLAN treatment is quite similar but there are pitfalls.

Proxy ARP activation through sysctl does not work (maybe yes on ES3.0, I don't have one but Fedora which is quite similar)

You must do it through rc.local (/etc/rc.local) as if you were using command line

echo 1 > /proc/sys/net/ipv4/conf/eth0.701/proxy_arp (with eth0.701 being a VID 701 interface on eth0)

Same goes for routing (I didn't manage to do it through ifcfg-eth0.xxx). In my rc.local:

/sbin/route add -host <fake_IP_address> dev eth0.701

About iptables and VLAN, they differ only in interface name from my previous example. Given eth0.701 and eth0.702 as VLAN interfaces in the SAME PHYSICAL interface:

iptables -t nat -A PREROUTING -i eth0.701 -d <fake ip address> -j DNAT --to-destination <actual IP address>

PREROUTING accepts ONLY the -i (interface from where the traffic comes in). The -o (outgoing interface) switch doesn't make sense because the routing decision hasn't been done yet (you don't know the destination interface until you make the routing decision)

iptables -t nat -A POSTROUTING -o eth0.701 -s <actual ip address> -j SNAT --to-source <fake IP address>

POSTROUTING accepts ONLY the -o (interface to where the traffic will be sent).

If you want, post the particular scenario you want to setup.

* If one of your physical interfaces is hosting multiple VLAN interfaces (as in the above example) your network admin (you? ;) must configure the switch port as a trunking interface.

If Cisco (as I remember):

#conf t
(conf)# interface <your interface>
(conf-if)# switchport mode trunk

other commands may apply, but it should do it.
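
The DNAT/SNAT pairing described in the answers above can be checked after the fact. This is an added example, not part of the original thread: it reads `iptables-save -t nat` style text and confirms that every PREROUTING DNAT rule has a POSTROUTING SNAT rule translating back on the same interface. The function names, addresses and sample dump are constructed for illustration.

```shell
# Added example (not from the thread). All names and data are constructed.
# check_nat_pairs: reads `iptables-save -t nat` text on stdin, prints one line
# per finding, returns 0 only when every DNAT rule has its reverse SNAT rule.
check_nat_pairs() {
  awk '
    # Value that follows option "opt" in the current rule, or "" if absent.
    function arg(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    # iptables-save prints host addresses with a /32 suffix; drop it.
    function host(a) { sub(/\/32$/, "", a); return a }
    $1 == "-A" && $2 == "PREROUTING" && arg("-j") == "DNAT" {
      # -o cannot be matched before the routing decision has been made.
      if (arg("-o") != "") { print "BAD -o in PREROUTING: " $0; bad = 1; next }
      fake = host(arg("-d"))
      real[fake] = arg("--to-destination"); ifc[fake] = arg("-i")
    }
    $1 == "-A" && $2 == "POSTROUTING" && arg("-j") == "SNAT" {
      src = arg("--to-source")
      back[src] = host(arg("-s")); oifc[src] = arg("-o")
    }
    END {
      for (fake in real) {
        if (back[fake] == real[fake] && oifc[fake] == ifc[fake])
          print "OK " fake " <-> " real[fake] " via " ifc[fake]
        else { print "UNPAIRED " fake " -> " real[fake]; bad = 1 }
      }
      exit bad + 0
    }'
}

# Constructed sample: one complete pair on eth0.701, and one DNAT on eth0.702
# whose SNAT rule was written for the wrong interface.
sample_dump() {
  cat <<'EOF'
*nat
-A PREROUTING -d 192.0.2.10/32 -i eth0.701 -j DNAT --to-destination 10.0.2.10
-A PREROUTING -d 192.0.2.11/32 -i eth0.702 -j DNAT --to-destination 10.0.2.11
-A POSTROUTING -s 10.0.2.10/32 -o eth0.701 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 10.0.2.11/32 -o eth0.701 -j SNAT --to-source 192.0.2.11
COMMIT
EOF
}

sample_dump | check_nat_pairs || echo "pairing problems found"
```

On a live box the input would come from `iptables-save -t nat | check_nat_pairs`, run as root.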
