How to enable IP masquerading/forwarding on CentOS 7

Posted August 29, 2014

I want to enable IP masquerading/forwarding on CentOS 7, but when I specify net.ipv4.conf.default.forwarding=1 in /etc/sysctl.conf, it doesn’t work.

Can anyone help with this problem?

1 comment
  • Another variant for CentOS 6 will work on CentOS 7.

    /sbin/sysctl -w net.ipv4.ip_forward=1

    But temporary.

    You should add:

    net.ipv4.ip_forward = 1

    into file



    /sbin/sysctl -p

    or reboot

    It works!

3 answers

To enable IP forwarding, uncomment this line in /etc/sysctl.conf

$ cat /etc/sysctl.conf | grep ip_forward
  • Only for CentOS 6.
    In my installation of CentOS 7:

    cat /etc/sysctl.conf

    System default settings live in /usr/lib/sysctl.d/00-system.conf.

    To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file

    For more information, see sysctl.conf(5) and sysctl.d(5).

    so, you should add into the file


The /usr/lib/.... path is usually for packages, daemons, and services that you install or that exist when you installed your OS. Relevant config may also exist in /etc/..

The /etc/.. path is the place where you, as an administrator, should be configuring.

For IP forwarding, you should not be touching any file in /usr/lib/…
The same goes for firewalld and systemd: for them, use /etc/firewalld/.. or /etc/systemd/…

You can directly edit the good ol' /etc/sysctl.conf or, preferably, /etc/sysctl.d/99-sysctl.conf.

The 99-sysctl.conf is a symbolic link to /etc/sysctl.conf.

Upon reboot or sysctl -p, the systemd-sysctl service reads the link/non-link files if they exist; if not, it reads sysctl.conf, makes the necessary entry in /usr/lib/.. and/or loads your defined or other variables that exist there, and of course gives you IP forwarding for this scenario.

In simple terms, all custom config goes in /etc/

You should not be editing /usr/lib/sysctl.d/50-default.conf

You can edit /etc/sysctl.conf
or /etc/sysctl.d/99-sysctl.conf
or /etc/sysctl.d/<numberdigits and nameappropriatelyaccordingtoyourpurpose>.conf

The last one is user-created; it doesn't have to be a linked file. systemd-sysctl will load the values.

I google searched and this was the first result. I wanted to add a comment here on my “opinion” of how to implement this.

So when reading the file /etc/sysctl.conf, it seems we have a few options (none are wrong because they all work) listed out. One area not mentioned, which in my opinion, I like more, is where it says:

# To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.

So after running sudo -s I then ran echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/100-sysctl.conf.
Why did I choose to name the file 100-sysctl.conf? Because there was a file in there that was 99-sysctl.conf

You can run sudo sysctl -a | grep ip_forward or without sudo sysctl -a | grep ip_forward to verify it’s there. I would suggest doing a sudo reboot now and then running this sysctl command to verify the setting sticks after reboot.

Future State : Started a gist for this that covers ipv6 too :
Would love to have contributors on there or stars if you found this useful! Thanks!
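
An added example, not from any post in this thread: a shell helper that reports which drop-in file ends up supplying the persistent value of a key, following the ordering in sysctl.d(5) (files are applied in lexicographic order of file name, the last assignment wins, and a file in an earlier-listed directory masks a same-named file in a later one). The `effective_sysctl` and `demo` functions and the sample tree are constructed for illustration; the sort is byte-wise, so a name starting with "100-" is applied before one starting with "99-".

```shell
#!/bin/sh
# Added example (not from the thread): report which sysctl.d file supplies the
# persistent value of a key, using the ordering rules in sysctl.d(5).
# Usage: effective_sysctl KEY DIR...   (directories in priority order)
effective_sysctl() {
    key=$1; shift
    tab=$(printf '\t')
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done |
    awk -F'\t' '!seen[$1]++' |          # same file name: first directory listed masks the rest
    LC_ALL=C sort -t "$tab" -k1,1 |     # files apply in byte-wise order of file name
    while IFS="$tab" read -r name path; do
        awk -F= -v k="$key" -v p="$path" '
            /^[ \t]*[#;]/ { next }                      # skip comment lines
            { n = $1; gsub(/[ \t]/, "", n) }            # key without padding
            index($0, "=") && n == k {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v "\t" p                          # value and the file that set it
            }' "$path"
    done | tail -n 1                    # the last assignment applied wins
}

# Constructed sample tree; directory names and values are made up for the demo.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc" "$d/usr"
    echo 'net.ipv4.ip_forward = 0' > "$d/usr/50-default.conf"
    echo 'net.ipv4.ip_forward = 0' > "$d/etc/99-sysctl.conf"
    echo 'net.ipv4.ip_forward = 1' > "$d/etc/$1"
    effective_sysctl net.ipv4.ip_forward "$d/etc" "$d/usr" | sed "s|$d/||"
    rm -rf "$d"
}

demo 100-sysctl.conf      # "100-" sorts before "99-", so 99-sysctl.conf decides
demo 99-zz-forward.conf   # sorts after "99-sysctl.conf", so this file decides
```

On a real host, `effective_sysctl net.ipv4.ip_forward /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d` shows the file to review when auditing whether a machine is meant to route traffic; compare it with the live value from `sysctl net.ipv4.ip_forward`.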