IP forwarding should be enabled when you want the system to act as a router, that is, to pass IP packets it receives on one network on to another network.

In the simplest case, consider a server with two physical Ethernet ports which is meant to connect to two different networks (say your internal network and the outside world as provided by a DSL modem). If you just connect and configure those two interfaces, the system can communicate on either network. However, packets from one network cannot travel through the server to the other network, because forwarding is not enabled.

Consider the specific example of ‘route add’. If you have two network interfaces, you will have at least two routes, one for each directly connected network (Linux adds these automatically when an address with a prefix length is assigned; ‘route add’ or ‘ip route add’ adds any further routes, such as a default route via the modem). When the kernel decides where to send a packet, it picks the most specific matching route (the longest prefix) and sends the packet out that route’s interface.

However, if forwarding is turned off, the kernel only delivers packets addressed to one of its own addresses (plus whatever it generates itself). For a packet that arrives on an interface with a destination that is not a local address, it does not perform the route lookup and retransmit the packet; it discards it. Enabling forwarding turns on exactly that step: looking up a received packet’s destination in the routing table and sending it out the matching interface, whether that is a different interface or the same one.

EDIT: First note that you can use a router without having two physical network interfaces. For example, if you are using VLANs, your server can transfer IP packets between VLANs but only have one physical network interface. This is called a one-armed router. However, for the simplest case, yes, you can say that if you only have one physical network interface then you don’t need to enable IP forwarding.

IP forwarding involves transferring packets between network interfaces (real or virtual), so I think that if you had two interfaces on the same network, you would have to enable IP forwarding to allow packets to move between the interfaces. However, since the interfaces are already on the same network, it doesn’t seem to make a lot of sense to transfer packets between them.
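To make the decision described above concrete, here is a small Python model of it. This is an added example for this page, not code from the original post and not kernel code: it mimics the two steps the text describes (is the destination one of my own addresses? if not, am I allowed to forward, and which route is the most specific match?) for both the two-port box and the one-armed VLAN router. All interface names, VLAN numbers and addresses (drawn from the RFC 5737 documentation ranges) are made up for the illustration; the `ip_forward` flag stands in for Linux’s `net.ipv4.ip_forward` sysctl.

```python
"""Toy model of the forwarding decision made by a Linux host (added example, not kernel code)."""
import ipaddress
from typing import List, Optional, Set


class Route:
    """One routing-table entry: a prefix, the egress interface and an optional next hop."""

    def __init__(self, prefix: str, dev: str, via: Optional[str] = None):
        self.prefix = ipaddress.IPv4Network(prefix)
        self.dev = dev
        self.via = via  # None means the prefix is directly connected on dev


class Host:
    def __init__(self, routes: List[Route], local_addrs: Set[str], ip_forward: bool):
        self.routes = routes
        self.local_addrs = {ipaddress.IPv4Address(a) for a in local_addrs}
        self.ip_forward = ip_forward  # models the net.ipv4.ip_forward sysctl

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific route that covers dst wins."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def receive(self, in_dev: str, dst: str) -> str:
        """What happens to a packet that arrived on in_dev addressed to dst."""
        if ipaddress.IPv4Address(dst) in self.local_addrs:
            return "local"  # addressed to us: delivered whether or not forwarding is on
        if not self.ip_forward:
            return "drop (ip_forward=0)"  # not for us and we are not a router: discarded
        route = self.lookup(dst)
        if route is None:
            return "drop (no route)"
        nexthop = route.via or dst  # directly connected network: hand it to dst itself
        # Forwarding back out in_dev (hairpin) is still forwarding; the model allows it
        # just as the kernel does, which is what makes the one-armed router work.
        return f"forward dev {route.dev} via {nexthop}"


def two_nic_router(ip_forward: bool) -> Host:
    """The two-port box from the text: eth0 on the LAN, eth1 facing the DSL modem (made-up addresses)."""
    return Host(
        routes=[
            Route("192.168.1.0/24", "eth0"),
            Route("203.0.113.0/24", "eth1"),
            Route("0.0.0.0/0", "eth1", via="203.0.113.1"),  # default route towards the modem
        ],
        local_addrs={"192.168.1.1", "203.0.113.5"},
        ip_forward=ip_forward,
    )


def one_armed_router() -> Host:
    """One physical port carrying two VLAN sub-interfaces, forwarding enabled (made-up VLANs)."""
    return Host(
        routes=[Route("10.0.10.0/24", "eth0.10"), Route("10.0.20.0/24", "eth0.20")],
        local_addrs={"10.0.10.1", "10.0.20.1"},
        ip_forward=True,
    )


if __name__ == "__main__":
    for fwd in (False, True):
        h = two_nic_router(fwd)
        print(f"ip_forward={int(fwd)}: LAN host -> 198.51.100.7 :", h.receive("eth0", "198.51.100.7"))
        print(f"ip_forward={int(fwd)}: LAN host -> 192.168.1.1  :", h.receive("eth0", "192.168.1.1"))
    print("VLAN 10 -> VLAN 20 on a one-armed router:", one_armed_router().receive("eth0.10", "10.0.20.5"))
```

Running it shows the two outcomes the text contrasts: with the flag off, a LAN host’s packet for an Internet address is dropped while a packet for the server’s own address is still delivered; with the flag on, the same Internet-bound packet is sent out eth1 towards the modem, and on the one-armed router a packet from VLAN 10 is sent back down the single physical port on the VLAN 20 sub-interface. On a real Linux box the flag is read and set with `sysctl net.ipv4.ip_forward` (and there is a per-interface `net.ipv4.conf.<iface>.forwarding` as well); the model deliberately leaves out the other checks the kernel performs on received packets, such as reverse-path filtering and netfilter rules.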
