Profile Applicability:
 • Level 1

Description:
 IP forwarding allows a system to forward network packets between interfaces, effectively acting as a router. Disabling IP forwarding on systems not intended to route traffic prevents unauthorized traffic forwarding and network misconfigurations.

Rationale:
 Disabling IP forwarding confines the system to its intended role: a host that cannot forward packets cannot be turned into an unintended router between the networks it is attached to, nor used as a man-in-the-middle relay for traffic that was never meant to pass through it.

Impact:
 Pros:

  • Minimizes exposure to network-based attacks involving packet forwarding.

  • Simplifies network security posture.

 Cons:

  • Disabling IP forwarding on routing devices may disrupt legitimate network functions.

Default Value:
 IP forwarding is typically disabled by default on non-routing systems.

Pre-requisites:

  • Root or sudo privileges to modify system network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current IP forwarding status:

sysctl net.ipv4.ip_forward

2. Confirm the value is 0 (disabled).

Implementation Plan:

Using Linux command line:

1. Disable IP forwarding temporarily:

sysctl -w net.ipv4.ip_forward=0

2. Persist the setting by editing /etc/sysctl.conf or a file in /etc/sysctl.d/ to include:

net.ipv4.ip_forward = 0

3. Reload sysctl settings:

sysctl -p
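The following POSIX shell script is an added example, not part of the original benchmark text, that combines the Test Plan and Implementation Plan above into one auditable routine. It reads the live value from /proc/sys/net/ipv4/ip_forward (falling back to sysctl -n), checks which value a given sysctl configuration file persists (last definition wins, as sysctl itself behaves), and, when invoked with --remediate as root, writes the setting to a drop-in file and reloads it. The drop-in file name /etc/sysctl.d/60-disable-ip-forward.conf is an assumption chosen for the example; any file in /etc/sysctl.d/ works.

```sh
#!/bin/sh
# Added example: audit and optionally remediate net.ipv4.ip_forward.
# The drop-in file name below is a constructed choice, not from the benchmark.

SYSCTL_KEY="net.ipv4.ip_forward"
SYSCTL_KEY_RE='net\.ipv4\.ip_forward'
DROPIN="/etc/sysctl.d/60-disable-ip-forward.conf"   # constructed name

# Extract the value from a sysctl-style line such as "net.ipv4.ip_forward = 1".
# A bare "0"/"1" (as read from /proc) is passed through unchanged.
parse_ip_forward() {
    printf '%s\n' "$1" \
      | sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Succeeds (exit 0) only when the value means forwarding is disabled.
audit_ip_forward_value() {
    [ "$1" = "0" ]
}

# Live kernel value: /proc needs no sysctl binary; fall back to sysctl -n.
current_ip_forward() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        sysctl -n "$SYSCTL_KEY"
    fi
}

# Value a config file persists for the key, or empty if the file does not
# set it. Comments are ignored and the last matching line wins, which is
# how sysctl applies duplicate keys inside one file.
persisted_value_in_file() {
    match=$(grep -E "^[[:space:]]*${SYSCTL_KEY_RE}[[:space:]]*=" "$1" 2>/dev/null \
              | tail -n 1)
    parse_ip_forward "$match"
}

# Test Plan: report PASS/FAIL on the running kernel value.
audit() {
    live=$(current_ip_forward)
    if audit_ip_forward_value "$live"; then
        echo "PASS: $SYSCTL_KEY = $live (forwarding disabled)"
    else
        echo "FAIL: $SYSCTL_KEY = $live (forwarding enabled)"
        return 1
    fi
}

# Implementation Plan: apply now, persist in a drop-in, reload, re-audit.
remediate() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "remediation requires root or sudo" >&2
        return 1
    fi
    sysctl -w "${SYSCTL_KEY}=0"
    printf '%s = 0\n' "$SYSCTL_KEY" > "$DROPIN"
    # sysctl -p reads only /etc/sysctl.conf; --system also loads /etc/sysctl.d/
    sysctl --system >/dev/null
    audit
}

case "${1:-}" in
    --audit)     audit ;;
    --remediate) remediate ;;
    *)           : ;;   # no argument: only define the functions (safe to source)
esac
```

Run it as `sh ip_forward_check.sh --audit` for the Test Plan and `sudo sh ip_forward_check.sh --remediate` for the Implementation Plan. Note the reload command: `sysctl -p` with no file argument reads /etc/sysctl.conf only, so a setting placed in /etc/sysctl.d/ is picked up by `sysctl --system` (or `sysctl -p /etc/sysctl.d/<file>`), not by the bare `sysctl -p` of step 3. The benchmark text covers IPv4; on dual-stack hosts the IPv6 counterpart, net.ipv6.conf.all.forwarding, is a separate knob that the same audit pattern applies to.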

Backout Plan:

Using Linux command line:

1. Re-enable IP forwarding if necessary:

sysctl -w net.ipv4.ip_forward=1

2. Update configuration files accordingly and reload sysctl.

References: