How to enable IP forwarding?

Posted on 2006-03-23
Last Modified: 2013-12-06
I want to enable IP forwarding in a Linux box with Red Hat ES 3.0. I know that we can do it using IPTABLES, but I have no idea as to how to do it. Can anybody help me with the procedure to add IP forwarding so that if anybody sends a request to the IP, it gets automatically forwarded to another IP which is on a different network?

Awaiting a fast response.


Nitesh N
Question by:nitaish

    Expert Comment


    First of all, enable IP forwarding between interfaces. The clean and elegant way to do it is editing /etc/sysctl.conf and adding/modifying the line:

    net.ipv4.ip_forward = 1

    and running sysctl -p

    Quick and dirty way is:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    That should do it if you want routing between 2 different interfaces, say eth0 and eth1.

    Now let's consider eth0 as an interface on net0 and eth1 on net1.

    As far as I understood, you want to forward traffic to an IP address on net0 to a network reachable through net1. For doing that you must enable "Proxy ARP" on the interface where you want to route _from_.

    Issue the following command:
    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

    And/or edit the sysctl.conf file and add:

    net.ipv4.conf.eth0.proxy_arp = 1
    Now, route the "fake" address on net0 to the destination interface where the "actual" IP address can be reached.

    route add -host <fake_IP_address> dev eth1

    being eth1 the interface where the actual IP is.

    Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

    eth0 (ping-request):
    * source: source IP
    * dest: fake IP
    eth1 (ping-request):
    * source: source IP
    * dest: fake IP

    And the ping will fail because the fake IP does not exist, but you've managed to force routing between interfaces. Here is where iptables comes in.

    iptables NAT capabilities will translate fake IP to actual IP.

    First of all, make these concepts crystal clear:

    * PREROUTING chain: translations applied BEFORE the routing decision, so DESTINATION ADDRESSES will be translated
    * POSTROUTING chain: translations applied AFTER the routing decision, so SOURCE ADDRESSES will be translated.
    * And the most important of all: "Traffic has 2 directions, outgoing and incoming"

    So, when you request "fake address", you have to translate the destination address of the fake IP:

    iptables -t nat -A PREROUTING -i eth0 -d <fake ip address> -j DNAT --to-destination <actual IP address>

    And when the "actual IP" responds, you'll have to translate the SOURCE address of the response to the "fake" one:

    iptables -t nat -A POSTROUTING -o eth0 -s <actual ip address> -j SNAT --to-source <fake IP address>

    Of course you'll have to adapt the iptables commands to your own iptables rules and chains, but it should do it. And don't forget to issue a 'service iptables save' to save the iptables settings between reboots.

    Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

    eth0 (ping-request):
    * source: source IP
    * dest: fake IP
    eth1 (ping-request):
    * source: source IP
    * dest: actual IP

    eth1 (ping-reply):
    * source: actual IP
    * dest: ping-request originator
    eth0 (ping-reply):
    * source: fake IP
    * dest: ping-request originator

    Hope it helps and good luck,

    Author Comment

    Hello Javier,
    Thanks for all the information. It was quick and a good one. However, here I have two IP addresses in different VLANs with each VLAN assigned a particular block of IP addresses. How can I then use IPTables for forwarding IP from the 1st VLAN to the IP address in the second VLAN?


    Nitesh N

    Accepted Solution

    OK, VLAN treatment is quite similar but there are pitfalls.

    proxy arp activation through sysctl does not work (maybe it does on ES 3.0; I don't have one, only Fedora, which is quite similar)

    You must do it through rc.local (/etc/rc.local) as if you were using command line

    echo 1 > /proc/sys/net/ipv4/conf/eth0.701/proxy_arp (being eth0.701 a VID 701 interface on eth0)

    Same goes for routing (I didn't manage to do it through). In my rc.local:

    /sbin/route add -host <fake_IP_address> dev eth0.701

    About iptables and VLAN, they differ only in interface name from my previous example. Given eth0.701 and eth0.702 as VLAN interfaces on the SAME PHYSICAL interface:

    iptables -t nat -A PREROUTING -i eth0.701 -d <fake ip address> -j DNAT --to-destination <actual IP address>

    PREROUTING accepts ONLY the -i (interface from where the traffic comes in). The -o (outgoing interface) switch doesn't make sense because the routing decision hasn't been made yet (you don't know the destination interface until you make the routing decision)

    iptables -t nat -A POSTROUTING -o eth0.701 -s <actual ip address> -j SNAT --to-source <fake IP address>

    POSTROUTING accepts ONLY the -o (interface to where the traffic will be sent).

    If you want, post the particular scenario you want to setup.

    * If one of your physical interfaces is hosting multiple VLAN interfaces (as in the above example) your network admin (you? ;) must configure the switch port as a trunking interface.

    If Cisco (as I remember):

    #conf t
    (conf)# interface <your interface>
    (conf-if)# switchport mode trunk

    other commands may apply, but it should do it.
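The two answers above describe one procedure with different interface names (eth0/eth1 in the first, eth0.701/eth0.702 in the accepted solution). The script below is an added example written for this page, not code from the thread or from Red Hat. It builds the complete command list for any pair of interfaces, validates the addresses and interface names first (an interface name ends up inside a /proc path, so "../x" must be rejected), sets proxy_arp through /proc rather than sysctl because sysctl treats the dot in "eth0.701" as a key separator, which is the VLAN pitfall the accepted solution ran into, and runs the commands only when APPLY=1. The two FORWARD rules and the sample addresses (10.0.0.99, 192.168.1.10) are additions of this example: the thread does not mention the FORWARD chain, but a box whose FORWARD policy is DROP would otherwise discard the routed packets, and restricting those rules to the one translated host keeps the box from becoming a general-purpose router.

```shell
#!/bin/sh
# Added example (not from the original thread): generate, and optionally
# apply, the forwarding / proxy-ARP / route / NAT steps from the answers
# above for plain (eth0, eth1) or VLAN (eth0.701, eth0.702) interfaces.
# Assumes Linux with iptables and /proc/sys. Run as root only with APPLY=1.
# The sample addresses at the bottom are constructed, not from the thread.

# Validate a dotted-quad IPv4 address (exactly four octets, each 0-255).
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate an interface name so it is safe inside a /proc path: letters,
# digits, dot, underscore and hyphen only. "eth0.701" passes, "../x" does not.
is_ifname() {
    case $1 in
        ''|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# build_nat_rules FAKE_IP ACTUAL_IP IN_IF OUT_IF
# Prints the commands in the order the answers give them. proxy_arp is set
# via /proc because sysctl splits "eth0.701" at the dot. The FORWARD rules
# are an addition (see lead-in); they let only the translated host through.
build_nat_rules() {
    fake=$1 actual=$2 in_if=$3 out_if=$4
    { is_ipv4 "$fake" && is_ipv4 "$actual"; } ||
        { echo "build_nat_rules: bad IPv4 address" >&2; return 1; }
    { is_ifname "$in_if" && is_ifname "$out_if"; } ||
        { echo "build_nat_rules: bad interface name" >&2; return 1; }
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$in_if/proxy_arp
route add -host $fake dev $out_if
iptables -t nat -A PREROUTING -i $in_if -d $fake -j DNAT --to-destination $actual
iptables -t nat -A POSTROUTING -o $in_if -s $actual -j SNAT --to-source $fake
iptables -A FORWARD -i $in_if -o $out_if -d $actual -j ACCEPT
iptables -A FORWARD -i $out_if -o $in_if -s $actual -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_nat_rules: same arguments; executes the generated commands (needs
# root), echoing each one and stopping at the first failure. Redirect the
# output of build_nat_rules to a file instead to build an /etc/rc.local.
apply_nat_rules() {
    plan=$(build_nat_rules "$@") || return 1
    printf '%s\n' "$plan" | sh -e -x
}

# Dry run with constructed sample values; set APPLY=1 to execute instead.
if [ "${APPLY:-0}" = 1 ]; then
    apply_nat_rules 10.0.0.99 192.168.1.10 eth0.701 eth0.702
else
    build_nat_rules 10.0.0.99 192.168.1.10 eth0.701 eth0.702
fi
```

Run it once without APPLY to review the plan, then `APPLY=1 sh nat_forward.sh` as root; after that, `iptables -t nat -L -n -v` and `route -n` should show the DNAT/SNAT pair and the host route, and `service iptables save` keeps the rules across reboots as the first answer notes. The /proc writes and the route still need to go into rc.local, as the accepted solution does.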
