To enable IP forwarding on boot in Debian, you put the following in /etc/sysctl.conf:

net.ipv4.ip_forward=1

I've done it thousands of times, and it has always worked without issues. But there is this one Debian Buster machine on which forwarding is enabled for all interfaces except the ethernet interface. In /proc/sys/net/ipv4/conf/ I have the following:

dr-xr-xr-x 1 root root 0 Nov  6 08:07 all
dr-xr-xr-x 1 root root 0 Nov  6 08:07 default
dr-xr-xr-x 1 root root 0 Nov  6 07:53 enp0s25
dr-xr-xr-x 1 root root 0 Nov  6 08:07 lo
dr-xr-xr-x 1 root root 0 Nov  6 08:07 tun-mega

The content of all files is 1, except enp0s25, which is 0. So the forwarding does not work until I enable it manually. I've tried to enable it specifically in /etc/sysctl.conf:

net.ipv4.conf.enp0s25.forwarding=1

But it makes no difference. I notice that the file enp0s25 has a different timestamp, so that may be the key to understanding what is going on.

  • Maybe systemd-networkd is enabled on that machine? `systemctl status systemd-networkd`. If so, I think you might need to create an additional config file: https://linuxhint.com/enable_ip_forwarding_ipv4_debian_linux/ – Henrik Pingel Nov 06 '20 at 09:40
  • @HenrikPingel No, systemd-networkd is not enabled, I've checked. – Nikša Baldun Nov 06 '20 at 10:22
  • You could create a service that should start very early (before procps or networking), and would log the output of `ip monitor netconf` which will catch changes like `sysctl -w net.ipv4.conf.enp0s25.forwarding=0`. `ip monitor` monitors events and thus never ends. – A.B Nov 07 '20 at 11:00
  • @A.B Good idea, however, not having done something like that before, I ended up rendering the system unbootable. Any pointers on what such a service should look like? – Nikša Baldun Nov 12 '20 at 19:10
  • I would think a simple type service that simply starts ip monitor netconf. The information will be in the logs and journal. With StandardOutput=journal (or syslog or ...) – A.B Nov 12 '20 at 19:40

1 Answer

It turns out it is a bug in the ifupdown2 utility, which I was unaware was even installed. Until the bug resolution gets into Buster, the workaround is to set the ip-forward parameter in /etc/network/interfaces:

iface enp0s25 inet static
    address x.x.x.x
    netmask 255.255.255.0
    gateway x.x.x.x
    ip-forward 1
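
A check for the symptom described in the question, useful for confirming after a reboot that the workaround took effect. This is an added example, not part of the original post; the function names are hypothetical and the sample tree is constructed to mirror the listing in the question.

```shell
#!/bin/sh
# Added example: report interfaces whose IPv4 forwarding flag differs from
# the expected value. With no arguments it reads the live kernel tree.

forwarding_mismatches() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}   # directory holding <iface>/forwarding
    want=${2:-1}                             # value every interface should have
    for entry in "$conf_dir"/*/; do
        f="${entry}forwarding"
        [ -r "$f" ] || continue              # skip entries without the flag
        iface=$(basename "$entry")
        val=$(cat "$f")
        if [ "$val" != "$want" ]; then
            printf '%s=%s\n' "$iface" "$val"
        fi
    done
}

make_sample_tree() {
    # Constructed copy of the question's listing: every entry is 1
    # except enp0s25, which is 0.
    root=$(mktemp -d)
    for i in all default lo tun-mega; do
        mkdir -p "$root/$i" && echo 1 > "$root/$i/forwarding"
    done
    mkdir -p "$root/enp0s25" && echo 0 > "$root/enp0s25/forwarding"
    echo "$root"
}

# Demonstration on the constructed tree.
sample=$(make_sample_tree)
forwarding_mismatches "$sample"    # prints: enp0s25=0
rm -rf "$sample"
```

On the affected machine, calling `forwarding_mismatches` with no arguments reads /proc/sys/net/ipv4/conf directly; empty output means every interface has forwarding enabled.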