What is kernel ip forwarding?

Reposted from https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding

Q:

I have seen on many blogs, using this command to enable IP forwarding while using many network security/sniffing tools on linux

echo 1 > /proc/sys/net/ipv4/ip_forward

Can anyone explain to me in layman's terms what this command essentially does? Does it turn your system into a router?

A:

"IP forwarding" is a synonym for "routing." It is called "kernel IP forwarding" because it is a feature of the Linux kernel.

A router has multiple network interfaces. If traffic comes in on one interface that matches a subnet of another network interface, a router then forwards that traffic to the other network interface.

So, let's say you have two NICs, one (NIC 1) is at address 192.168.2.1/24, and the other (NIC 2) is 192.168.3.1/24. If forwarding is enabled, and a packet comes in on NIC 1 with a "destination address" of 192.168.3.8, the router will resend that packet out of NIC 2.

It's common for routers functioning as gateways to the Internet to have a default route whereby any traffic that doesn't match any NICs will go through the default route's NIC. So in the above example, if you have an internet connection on NIC 2, you'd set NIC 2 as your default route and then any traffic coming in from NIC 1 that isn't destined for something on 192.168.2.0/24 will go through NIC 2. Hopefully there are other routers past NIC 2 that can further route it (in the case of the Internet, the next hop would be your ISP's router, and then their provider's upstream router, etc.)

Enabling ip_forward tells your Linux system to do this. For it to be meaningful, you need two network interfaces (any 2 or more of wired NIC cards, Wifi cards or chipsets, PPP links over a 56k modem or serial, etc.).

When doing routing, security is important and that's where Linux's packet filter, iptables, gets involved. So you will need an iptables configuration consistent with your needs.

Note that enabling forwarding with iptables disabled and/or without taking firewalling and security into account could leave you open to vulnerabilities if one of the NICs is facing the Internet or a subnet you don't have control over.
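The answer's two-NIC scenario, as an added example that is not part of the original answer: a small Python model of the forwarding decision the kernel makes when ip_forward is on versus off, using the answer's addresses (192.168.2.1/24 on NIC 1, 192.168.3.1/24 on NIC 2, NIC 2 as the default route). The interface names, the Router class and the "local"/"drop" result strings are assumptions made for illustration; the longest-prefix-match step generalizes the answer's single example to any number of directly connected subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Interface:
    """One NIC with its configured address, e.g. '192.168.2.1/24' (names are assumed)."""
    name: str
    address: str

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.address).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


class Router:
    """Toy model of a Linux host with net.ipv4.ip_forward either 0 or 1."""

    def __init__(self, interfaces: Iterable[Interface],
                 default_iface: Optional[str] = None, ip_forward: bool = False):
        self.interfaces = {i.name: i for i in interfaces}
        self.default_iface = default_iface  # NIC the default route points out of
        self.ip_forward = ip_forward         # echo 1 > /proc/sys/net/ipv4/ip_forward

    def egress_for(self, dst: str) -> Optional[str]:
        """Pick the outgoing NIC: longest matching connected subnet, else the default route."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Interface] = None
        for iface in self.interfaces.values():
            if addr in iface.network and (
                best is None or iface.network.prefixlen > best.network.prefixlen
            ):
                best = iface
        return best.name if best is not None else self.default_iface

    def handle(self, ingress: str, dst: str) -> str:
        """Return 'local', 'drop', or the name of the NIC the packet is forwarded out of."""
        addr = ipaddress.ip_address(dst)
        # Packets addressed to one of our own addresses are delivered locally,
        # regardless of the forwarding setting.
        if any(addr == i.ip for i in self.interfaces.values()):
            return "local"
        # With ip_forward=0 the host is an end system: transit traffic is not relayed.
        if not self.ip_forward:
            return "drop"
        out = self.egress_for(dst)
        # No connected subnet and no default route: nowhere to send it.
        return out if out is not None else "drop"


# Constructed scenario matching the answer above.
NIC1 = Interface("nic1", "192.168.2.1/24")
NIC2 = Interface("nic2", "192.168.3.1/24")


def forwarding_router() -> Router:
    return Router([NIC1, NIC2], default_iface="nic2", ip_forward=True)


def non_forwarding_router() -> Router:
    return Router([NIC1, NIC2], default_iface="nic2", ip_forward=False)


if __name__ == "__main__":
    r = forwarding_router()
    print(r.handle("nic1", "192.168.3.8"))  # connected subnet on nic2
    print(r.handle("nic1", "8.8.8.8"))      # default route -> nic2
    print(r.handle("nic1", "192.168.2.1"))  # our own address -> local
    print(non_forwarding_router().handle("nic1", "192.168.3.8"))  # drop
```

The model shows why the sysctl alone is "meaningful" only with two or more interfaces: with one NIC every non-local destination either matches that NIC's own subnet or leaves via the same default route, so there is nothing to relay between.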


Right, you'll want to do NAT if NIC 2 is a private IP. Linux can do NAT as well and iptables is the way to set it up. – LawrenceC Jul 13 '14 at 23:22

Does it need a NAT for data going from NIC 2 to NIC 1? – GutenYe Jul 14 '14 at 0:12 


Typically NAT will work from the LAN to the WAN, so if NIC 2 has a private IP, and NIC 1 has a public one, you do need NAT; specifically, the internet-facing interface (NIC 1 per above) needs a MASQUERADE rule in iptables's POSTROUTING on a chain to do that. See revsys.com/writings/quicktips/nat.html and i.stack.imgur.com/rzz83.png. – LawrenceC Jul 16 '14 at 11:14
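What the MASQUERADE rule in that comment does on the packet level, as an added example that is neither the commenter's code nor iptables itself: a toy Python model of source NAT on the internet-facing interface. Outbound packets from the private LAN get their source rewritten to the WAN address with a fresh port (the POSTROUTING step), and only replies that match a recorded mapping are translated back and let in (the reverse path that connection tracking performs on a real Linux box). The class name, the port range and the tuple layout are assumptions made for illustration.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


class Masquerade:
    """Toy source-NAT table for a router whose WAN interface has one public address."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port  # assumed port range for translated flows
        # (proto, wan_port) -> (priv_ip, priv_port, dst_ip, dst_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # original outbound flow -> wan_port, so repeated packets reuse a mapping
        self.reverse: Dict[Flow, int] = {}

    def postrouting(self, proto: str, src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """LAN -> WAN: rewrite the private source to (wan_ip, allocated port)."""
        key: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(proto, port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.wan_ip, port, dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int, str, int]]:
        """WAN -> LAN: translate back only if this is a reply to a mapped flow.

        Returns the de-NATed packet, or None when the packet should be dropped
        because nothing inside initiated it (the property that makes a NAT
        gateway reject unsolicited inbound connections).
        """
        if dst_ip != self.wan_ip:
            return None
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None
        priv_ip, priv_port, orig_dst_ip, orig_dst_port = entry
        if (src_ip, src_port) != (orig_dst_ip, orig_dst_port):
            return None  # right port, wrong peer: not the reply we are waiting for
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> Tuple[Tuple[str, int, str, int], Optional[Tuple[str, int, str, int]]]:
    """Constructed round trip: a LAN host behind NIC 2 reaches a public web server."""
    nat = Masquerade(wan_ip="203.0.113.10")  # documentation-range public address
    out = nat.postrouting("tcp", "192.168.3.8", 51000, "198.51.100.7", 443)
    reply = nat.inbound("tcp", "198.51.100.7", 443, out[0], out[1])
    return out, reply


if __name__ == "__main__":
    print(demo())
```

Without the POSTROUTING rewrite, packets would leave NIC 1 carrying a 192.168.3.x source address that no upstream router can return traffic to, which is exactly why the comment says the internet-facing interface needs the MASQUERADE rule.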

In simple words, would it be right if I say that enabling IP forwarding means enabling the machine to pass a packet from one of its NICs to another of its NICs? Also, would it be true if I say enabling IP forwarding is not really required on a machine with a single IP/NIC? – Sree Nov 21 '14 at 6:37

@Sree: Yes, but it won't do NAT - you need iptables for that. If you don't want to route/forward packets, don't enable forwarding. It's unlikely a single IP/NIC system needs it enabled unless you are doing something weird with VPNs. – LawrenceC Nov 21 '14 at 13:45

@ultrasawblade In the case of IP forwarding enabled and having internet connection on NIC 2 and also as the default route, if it receives a packet destined for 192.168.2.2 from NIC 1, what will the router do? – bobo May 14 '15 at 5:30 

Your NIC can actually receive all traffic on the subnet by design - if you have it connected to a hub, not a switch. It won't forward it out of the default gateway since it has a direct connection to that network 192.168.2.0/24 already. So I believe it will drop it. – LawrenceC

Reposted from blog.csdn.net/u011028408/article/details/84665394