ipv4.ip_forward=0 not persisting in RHEL 7.3
I've entered the following in sysctl.conf:
net.ipv4.ip_forward=0
and yet upon reboot, if I run:
/sbin/sysctl -a | grep net.ipv4.ip_forward
I am always returned a 1, unless I manually enter:
sysctl -p /etc/sysctl.conf
...which obviously doesn't survive a reboot.
I've also checked for this entry in conf files at the following locations:
/usr/lib/sysctl.d
/run/sysctl.d
/etc/sysctl.d
...and even tried entering the same rule into the conf files at these locations, if they exist.
I'm not sure what else to do at this point. Am I missing something...? This is driving me nuts.
Responses
net.ipv4.ip_forward is set to 0 by default in the kernel, so it should be disabled without needing to be set explicitly in /etc/sysctl.conf.
I think either one of two things is happening:
- There's a rogue net.ipv4.ip_forward rule that sysctl is reading from somewhere. You mentioned you couldn't find the rule in the main config directories (/etc/sysctl.d is where I would have looked first), so I'm stumped as to where else it could be.
- There could be something pushing 1 to /proc/sys/net/ipv4/ip_forward during boot. It might be a service that starts up or a script that runs during boot.
Anything special about this RHEL 7.3 system? What are you using it for? Any non-default packages installed?
Yeah, grepping the entire fs for ip_forward might take a long time, so I'd treat it like a last resort. At the very least, you could try grep ip_forward /etc/* -r and see if anything relevant comes up in the system's configuration.
My only guess (and this is just a BIG guess) is that either Oracle Java or the Symantec Endpoint Protection might have modified something to automatically enable ip_forward. They seem like the most likely culprits. Unfortunately, I don't know much about how either installs, so this is only just a guess. Plus, if they had modified ip_forward, I would have thought they'd do it through the sysctl.d directories, which you've already checked.
Also, just to check this wasn't an operating system bug, I installed a fresh RHEL 7.3 system with base packages. sysctl definitely reports net.ipv4.ip_forward = 0 on a default RHEL 7.3 install.
Yes, Daniel has suggested a good point. I found this blog where it says there is a separate "IPForward" parameter that can be set on individual interfaces, but I need to test how this works in RHEL 7.x.
May be worth checking your individual network interface settings...
https://github.com/systemd/systemd/blob/a2088fd025deb90839c909829e27eece40f7fce4/NEWS
Also, check if the "libvirtd" service is running on your system. The Red Hat KBs below talk about disabling it, as it otherwise enables ip_forward even though it is turned off in the "sysctl.conf" file.
Why is 'ip_forward' enabled by default upon boot in Red Hat Enterprise Linux?
Why is ip_forward set to 1 when my system boots even when sysctl has ip_forward set to zero?
Also, I just tested and it seems that if you have masquerading enabled for any of your firewalld zones, then firewalld will automatically enable forwarding. Might be worth a look.
If one doesn't have forwarding enabled (verified by 'sysctl -a | grep forward') and then runs 'firewall-cmd --add-masquerade', you can then see that forwarding is now enabled (again, 'sysctl -a | grep forward').
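To pull the checks suggested across these replies (sysctl drop-in files, a running libvirtd, firewalld zones with masquerading) into one read-only pass over a host, here is an added diagnostic script; it is not from any of the posters, it assumes the standard RHEL 7 sysctl paths and the plain-text layout of firewall-cmd --list-all-zones output, and it changes nothing on the system.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: ip_forward reads 1 after
# boot although sysctl.conf says 0. Read-only; assumes RHEL 7 paths.

# Value the kernel currently uses, or "unknown" if /proc is not readable here.
current_ip_forward() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Every file that sysctl --system reads which mentions ip_forward, with the
# file name and line, so a stray "= 1" in a drop-in is visible at once.
ipforward_sysctl_sources() {
    for d in /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d; do
        if [ -d "$d" ]; then grep -Hn 'ip_forward' "$d"/*.conf 2>/dev/null || true; fi
    done
    if [ -f /etc/sysctl.conf ]; then grep -Hn 'ip_forward' /etc/sysctl.conf || true; fi
}

# Names of firewalld zones with masquerading on (each one turns forwarding on).
# Reads 'firewall-cmd --list-all-zones' output from stdin so it can be tested
# offline: zone names start at column 0, attributes are indented.
masquerading_zones() {
    awk '/^[^ \t]/ { zone = $1 } /^[ \t]+masquerade: yes/ { print zone }'
}

# Constructed sample of --list-all-zones output (not captured from a real host).
SAMPLE_ZONES='public (active)
  target: default
  masquerade: yes
  ports:
trusted
  target: ACCEPT
  masquerade: no
  ports:'

# Run all checks and print a report; only meaningful on a RHEL 7 host.
ip_forward_report() {
    echo "kernel value now: $(current_ip_forward)"
    echo "--- sysctl files mentioning ip_forward:"
    ipforward_sysctl_sources
    if command -v systemctl >/dev/null 2>&1; then
        echo "libvirtd: $(systemctl is-active libvirtd 2>/dev/null || true)"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        echo "--- firewalld zones with masquerade: yes (these enable forwarding):"
        firewall-cmd --list-all-zones 2>/dev/null | masquerading_zones
    fi
}
```

Run ip_forward_report as root right after a reboot; whichever section shows a hit (a drop-in line, an active libvirtd, or a masquerading zone) is the thing re-enabling forwarding.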
Larry, have you had any success in fixing the issue? If so, please reply with how the issue was resolved. This might help others in the forum.