Best Practices

Ensure IP forwarding is disabled a RHEL Benchmark

Roy Ludmir
Updated on: January 12, 2025

IP forwarding in Linux is a feature that allows a system to route packets between network interfaces, effectively functioning as a router. While this capability is essential for specific network setups, it poses security risks if enabled unnecessarily. Disabling IP forwarding is a critical step in server hardening, particularly for systems not intended to perform routing tasks.

In this guide, we’ll explore what IP forwarding is in Linux, why it’s important to disable it on non-routing systems, and how to automate the process to comply with CIS Benchmarks.

What is IP forwarding in Linux?

IP forwarding is a kernel-level feature in Linux that determines whether the operating system forwards packets from one network interface to another. When enabled, the server processes and forwards incoming packets to their destinations, acting as a router.

  • Use Cases: IP forwarding is typically enabled on systems configured as gateways, VPN servers, or routers.
  • Risks: On systems not meant to forward packets, enabling this feature can:
    • Increase the attack surface.
    • Lead to potential misuse of the server as an intermediary in attacks.
    • Violate security benchmarks like the CIS controls.

For systems deployed in server-only roles (e.g., web servers, database servers), it’s a best practice to disable this feature.

Why Should You Disable IP Forwarding?

Disabling IP forwarding provides the following benefits:

  1. Enhanced Security: Prevents unauthorized traffic routing, reducing the risk of man-in-the-middle attacks.
  2. CIS Compliance: The CIS Benchmarks for Linux recommend disabling IP forwarding unless the system genuinely needs to route traffic.
  3. System Hardening: Aligns with industry best practices for minimizing the attack surface.

Steps to Disable IP Forwarding in Linux

  1. Check the Current Status of IP Forwarding

To check whether IP forwarding is enabled for IPv4 and IPv6, run:

sysctl net.ipv4.ip_forward

sysctl net.ipv6.conf.all.forwarding


  • A value of 1 indicates that IP forwarding is enabled.
  • A value of 0 indicates that IP forwarding is disabled.

  2. Disable IP Forwarding Temporarily

To immediately disable IP forwarding without rebooting, use the following commands:

sysctl -w net.ipv4.ip_forward=0

sysctl -w net.ipv6.conf.all.forwarding=0

This change is temporary and reverts after a reboot.

  3. Disable IP Forwarding Permanently

To make the changes permanent:

  1. Edit the /etc/sysctl.conf file and add (or correct) the following lines:
     For IPv4:
     net.ipv4.ip_forward = 0
     For IPv6:
     net.ipv6.conf.all.forwarding = 0
  2. Apply the changes:
     sysctl -p

These settings will persist across reboots, ensuring IP forwarding remains disabled.

On some systems the setting may live in a drop-in file rather than /etc/sysctl.conf (sysctl also reads /etc/sysctl.d/*.conf, /usr/lib/sysctl.d/*.conf and /run/sysctl.d/*.conf), so in such cases run the following commands, which cover all of these locations.

For IPv4

grep -Els "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1


For IPv6

grep -Els "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1


These commands search every location sysctl reads configuration from, comment out any line that enables forwarding in whichever file it is found, set the running value to 0, and flush the route cache so the change takes effect immediately.

Testing and Validation

After disabling IP forwarding, validate the configuration:

  1. Verify Settings: Run the sysctl commands again to ensure both net.ipv4.ip_forward and net.ipv6.conf.all.forwarding are set to 0.
  2. Reboot and Recheck: Confirm the changes persist after a reboot.
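The following audit script is an added example, not code from the article or from CalCom's tooling. It checks both the live kernel value (read from /proc) and every sysctl config location listed above, so a setting that would re-enable forwarding at the next boot is caught before the reboot test. It assumes Linux with /proc mounted and a grep that supports -E, -s and -H.

```shell
#!/bin/sh
# Added audit helper (not part of the original article). Reports where IP
# forwarding is enabled: in the running kernel and in every sysctl config
# location the commands above scan. Assumes Linux with /proc mounted.

# Print lines in FILE... that set KEY to 1, prefixed with the file name.
# Whitespace around "=" is tolerated; commented-out lines are ignored.
forwarding_enabled_in_files() {
    key="$1"; shift
    [ "$#" -gt 0 ] || return 0                      # never fall back to stdin
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    grep -EHs "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*1([[:space:]]|$)" "$@" \
        2>/dev/null || true                         # no match is not an error
}

# Print the live kernel value (0/1) for KEY, or "unknown" if it is not exposed
# (for example when IPv6 is disabled entirely).
runtime_forwarding() {
    f="/proc/sys/net/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Audit one key against the running kernel and the given config files.
# Returns 0 when compliant (disabled everywhere), 1 otherwise.
audit_key() {
    key="$1"; shift
    rc=0
    rt=$(runtime_forwarding "$key")
    if [ "$rt" = 1 ]; then
        echo "FAIL: $key is enabled in the running kernel"; rc=1
    fi
    hits=$(forwarding_enabled_in_files "$key" "$@")
    if [ -n "$hits" ]; then
        echo "FAIL: $key=1 would be re-enabled at boot by:"; echo "$hits"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $key disabled (runtime=$rt, no config sets it to 1)"
    return "$rc"
}

# The config locations CIS checks on RHEL; left unquoted so the globs expand.
CONF_FILES="/etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf"

# Run the full audit only when invoked with --audit, so the functions above
# can also be sourced by other scripts without side effects.
if [ "${1:-}" = "--audit" ]; then
    status=0
    audit_key net.ipv4.ip_forward $CONF_FILES || status=1
    audit_key net.ipv6.conf.all.forwarding $CONF_FILES || status=1
    exit "$status"
fi
```

Run it as root (for example `sudo sh audit_forwarding.sh --audit`) so that files under /etc/sysctl.d are readable; a non-zero exit code means at least one key is still enabled somewhere.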


Adhering to CIS Benchmark Configurations

Disabling IP forwarding in Linux is a fundamental step in hardening your servers against unauthorized traffic routing. By adhering to CIS benchmarks and automating this configuration, you can ensure that your systems are secure, compliant, and dedicated to their intended roles.

For more tips on Linux server hardening and automated compliance strategies, keep following our blog. Security starts with small yet significant changes—disable IP forwarding today to protect your servers tomorrow.
