ipv4.ip_forward=0 not persisting in RHEL 7.3


I've entered the following in sysctl.conf:

net.ipv4.ip_forward=0

and yet upon reboot, if I run:

/sbin/sysctl -a | grep net.ipv4.ip_forward

I am always returned a 1, unless I manually enter:

sysctl -p /etc/sysctl.conf

...which obviously doesn't survive a reboot.

I've also checked for this entry in conf files at the following locations:

/usr/lib/sysctl.d
/run/sysctl.d
/etc/sysctl.d

...and even tried entering the same rule into the conf files at these locations, if they exist.

I'm not sure what else to do at this point. Am I missing something...? This is driving me nuts.

Responses

So net.ipv4.ip_forward is set to 0 by default in the kernel, so it should be disabled without needing to explicitly set it in /etc/sysctl.conf.

I think either one of two things is happening:

  • There's a rogue net.ipv4.ip_forward rule that sysctl is reading from somewhere. You mentioned you couldn't find the rule in the main config directories (/etc/sysctl.d is where I would have looked first) so I'm stumped as to where else it could be.
  • There could be something pushing 1 to /proc/sys/net/ipv4/ip_forward during boot. It might be a service that starts up or a script that runs during boot.

Anything special about this RHEL 7.3 system? What are you using it for? Any non-default packages installed?

Nothing particularly special about it. I just patched from 7.2 at the beginning of the month and am running through STIGs.

Non-default packages are:

  • Symantec Endpoint Protection
  • Symantec Whole Disk Encryption
  • Brasero
  • system-config-date
  • Oracle Java 1.8.0

I've even thought about grepping the entire FS for ip_forward strings.

Yeah, grepping the entire FS for ip_forward might take a long time, so I'd treat it as a last resort. At the very least, you could try 'grep -r ip_forward /etc/*' and see if anything relevant comes up in the system's configuration.

My only guess (and this is just a BIG guess) is that either Oracle Java or Symantec Endpoint Protection might have modified something to automatically enable ip_forward. They seem like the most likely culprits. Unfortunately, I don't know much about how either installs, so this is only a guess. Plus, if they had modified ip_forward, I would have thought they'd do it through the sysctl.d directories, which you've already checked.

Also, just to check this wasn't an operating system bug, I installed a fresh RHEL 7.3 system with base packages. sysctl definitely reports net.ipv4.ip_forward = 0 on a default RHEL 7.3 install.

Yes, Daniel has made a good point. I came across this blog where it says there is a separate "IPForward" parameter that can be set on individual interfaces, but I need to test how this works in RHEL 7.x.

May be worth checking your individual network interface settings...

https://github.com/systemd/systemd/blob/a2088fd025deb90839c909829e27eece40f7fce4/NEWS

Also, check whether the "libvirtd" service is running on your system. The Red Hat KBs below talk about disabling it; otherwise it enables ip_forward even though it is turned off in the "sysctl.conf" file.

Why is 'ip_forward' enabled by default upon boot in Red Hat Enterprise Linux?

Why is ip_forward set to 1 when my system boots even when sysctl has ip_forward set to zero?

Also, I just tested and it seems that if you have masquerading enabled for any of your firewalld zones, then firewalld will automatically enable forwarding. Might be worth a look.

If one doesn't have forwarding enabled (verified by 'sysctl -a | grep forward') and then runs 'firewall-cmd --add-masquerade', you can see that forwarding is now enabled (again, 'sysctl -a | grep forward').
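The thread has two distinct questions tangled together: which configuration file is the last to assign net.ipv4.ip_forward (the systemd-sysctl precedence across /etc/sysctl.d, /run/sysctl.d, /usr/lib/sysctl.d and the /etc/sysctl.conf symlink), and which service rewrites /proc/sys/net/ipv4/ip_forward after boot, which is why a STIG check that reads /proc can fail while every config file says 0. The script below is an added example, not code from the thread or from Red Hat. It emulates the fragment precedence against a constructed directory tree (the file names 50-default.conf and 99-zz-vendor.conf are hypothetical, the tree is built in a temp dir and never touches the real /etc, and paths are assumed to contain no whitespace), then runs the runtime checks this thread names (kernel value, libvirtd enablement, firewalld masquerade) only where those tools exist.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): emulate the precedence systemd-sysctl
# applies to sysctl fragments, find the last file that assigns a key, then list
# the runtime actors the thread identified. Runs against a constructed root so it
# never touches the real /etc; paths are assumed to contain no whitespace.

# List fragments as systemd-sysctl reads them under root $1: a basename in
# etc/sysctl.d shadows run/sysctl.d, which shadows usr/lib/sysctl.d; the
# survivors are then applied in lexical order of basename (later wins).
sysctl_fragment_order() {
    local root="$1" dir f
    for dir in etc/sysctl.d run/sysctl.d usr/lib/sysctl.d; do
        for f in "$root/$dir"/*.conf; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done | awk -F/ '!seen[$NF]++' \
         | awk -F/ '{ print $NF "\t" $0 }' | LC_ALL=C sort | cut -f2-
}

# Print "<value> <file>" for the last fragment that sets key $2 under root $1,
# or "NOT SET" (exit 1). Accepts "k = v" and "k=v", '/' separators, # and ; comments.
sysctl_last_setter() {
    local root="$1" key="$2" files result
    files="$(sysctl_fragment_order "$root")"
    [ -n "$files" ] || { echo "NOT SET"; return 1; }
    # shellcheck disable=SC2086  # word splitting on whitespace-free paths is intended
    result="$(awk -v key="$key" '
        { sub(/[#;].*/, "") }                                   # drop comments
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k); gsub(/\//, ".", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            if (k == key) { val = v; file = FILENAME }          # later file overrides
        }
        END { if (file != "") print val, file }' $files)"
    [ -n "$result" ] || { echo "NOT SET"; return 1; }
    echo "$result"
}

# Constructed fixture: /etc/sysctl.conf says 0 (reached through the 99-sysctl.conf
# symlink RHEL 7 ships), but a hypothetical vendor drop-in that sorts after it
# says 1. Pass "override" to add the remedy: a same-named file in /etc/sysctl.d
# that shadows the vendor fragment.
build_fixture() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'net.ipv4.ip_forward = 0\n' > "$root/etc/sysctl.conf"
    ln -s ../sysctl.conf "$root/etc/sysctl.d/99-sysctl.conf"
    printf '# distro default\nnet.ipv4.ip_forward = 0\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    printf 'net.ipv4.ip_forward = 1\n' > "$root/usr/lib/sysctl.d/99-zz-vendor.conf"
    if [ "${1:-}" = "override" ]; then
        printf 'net.ipv4.ip_forward = 0\n' > "$root/etc/sysctl.d/99-zz-vendor.conf"
    fi
    printf '%s\n' "$root"
}

# What the kernel holds right now, plus the two services the thread found
# flipping it after boot. Each check is skipped when the tool is absent.
runtime_culprits() {
    local z state
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "kernel now: $(cat /proc/sys/net/ipv4/ip_forward)"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        state="$(systemctl is-enabled libvirtd 2>/dev/null || true)"
        echo "libvirtd: ${state:-not installed}"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        for z in $(firewall-cmd --get-zones 2>/dev/null); do
            firewall-cmd --zone="$z" --query-masquerade >/dev/null 2>&1 \
                && echo "firewalld zone $z has masquerade on (forces ip_forward=1)"
        done
    fi
    return 0
}

main() {
    local root
    root="$(build_fixture)"
    echo "config says:    $(sysctl_last_setter "$root" net.ipv4.ip_forward || true)"
    rm -rf "$root"
    root="$(build_fixture override)"
    echo "after override: $(sysctl_last_setter "$root" net.ipv4.ip_forward || true)"
    rm -rf "$root"
    runtime_culprits
}
main
```

To use it on a real box, call sysctl_last_setter / net.ipv4.ip_forward: if that reports 0 from 99-sysctl.conf but "kernel now" is 1, no config file is to blame and the remaining output (libvirtd enabled, or a masquerading firewalld zone) is where to look, as the thread concluded. The precedence emulation is an approximation of systemd-sysctl's rules, sufficient for the shadowing and ordering cases shown.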

Larry, have you had any success in fixing the issue? If so, please reply with how the issue was resolved. This might help others in the forum.

Hello everyone, no updates for you. I was on vacation for the latter part of the week. I'll read your responses and get back to you with input.

Thanks again for all the help/suggestions.

Good news! libvirtd was, in fact, enabled. Disabling it and rebooting seems to have fixed the issue. Thank you all!

That's good news.
