When deploying load balancers, gateways, firewalls, or routers in a network, IP forwarding plays a critical role in how traffic flows. But with this flexibility comes responsibility — especially when it comes to security.
This article explains what IP forwarding is, how it behaves in different load balancing scenarios (L4 vs L7), and what security best practices to follow — particularly when using RELIANOID with multiple network interfaces.
What Is IP Forwarding? #
IP forwarding is the ability of a system (like a Linux-based load balancer) to forward packets from one network interface to another — effectively routing packets that are not destined for the local machine.
Enabling IP Forwarding on Linux #
To enable temporarily:
echo 1 > /proc/sys/net/ipv4/ip_forward
To enable permanently:
# Edit /etc/sysctl.conf and add (or change) this line:
net.ipv4.ip_forward = 1
# Apply the change without rebooting:
sysctl -p
Disabling IP Forwarding #
To disable temporarily:
echo 0 > /proc/sys/net/ipv4/ip_forward
To disable permanently:
# Edit /etc/sysctl.conf and set:
net.ipv4.ip_forward = 0
# Apply the change without rebooting:
sysctl -p
Security Risks of Enabling IP Forwarding #
Enabling IP forwarding in load balancers (or any Linux-based network device) can introduce security concerns if not carefully configured. Here’s a breakdown of what those concerns are and how to mitigate them.
Unintended Routing / Backdoor Access #
With IP forwarding enabled and no firewall rules on the forward path, the kernel routes any packet it receives for a non-local destination out of whichever interface the routing table selects, including from an external interface to an internal one. A multi-homed balancer then becomes an unintended router between networks that were meant to be isolated. Mitigation: a default-drop policy on the forward hook (nftables `policy drop` on a chain of type filter hook forward, or `iptables -P FORWARD DROP`), with explicit accept rules only for the flows the balancer is meant to carry.
Source IP Spoofing #
If the load balancer forwards packets without validating their source addresses, an attacker can send packets with a spoofed source IP through it and have them arrive at the backends with a source that backend logging, rate limiting, or ACLs trust. Mitigation: enable reverse-path filtering (`net.ipv4.conf.all.rp_filter = 1`), which drops a packet arriving on an interface that the kernel would not use to route a reply to its source address. Use loose mode (value 2) only where routing is deliberately asymmetric.
Open Relay for Packet Forwarding #
A misconfigured system forwards arbitrary packets between its interfaces, turning the balancer into a general-purpose packet relay: an attacker can use it to reach hosts that are otherwise unreachable, to relay denial-of-service traffic so that it appears to originate from the balancer's network, or to move exfiltrated data across a segmentation boundary. The mitigation is the same default-drop forward policy: only the VIP-to-backend flows the balancer exists to carry should be forwarded.
Exposure to L3/L4 Attacks (e.g., SYN Floods, Smurf Attacks) #
A forwarding-enabled load balancer can be a victim of, or a participant in, layer 3 and 4 flooding attacks if it lacks rate limiting and filtering. A Smurf attack depends on hosts answering ICMP echo requests sent to a broadcast address; keep `net.ipv4.icmp_echo_ignore_broadcasts = 1`. SYN floods against the VIP behave differently per mode: for L7 services, which terminate TCP on the balancer, `net.ipv4.tcp_syncookies = 1` protects the local listener; for L4 services, which forward the SYNs to backends, the balancer's connection-tracking table is the resource under pressure, so rate-limit new connections in the firewall and size the conntrack table accordingly.
Bypassing Security Appliances #
If the balancer has interfaces on both sides of a firewall or IDS/IPS, hosts on one side can route through the balancer instead of through the inspection point, and malicious traffic reaches the other side uninspected. Forwarded traffic must be subject to the same inspection as traffic that takes the intended path, either by filtering it on the balancer itself or by not giving the balancer a foothold on both sides.
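The sysctl knobs named in the risks above are easy to check mechanically. The following audit script is an added example and not part of RELIANOID: it reads the kernel's current values and reports which hardening settings are missing on a host that forwards packets. `SYSCTL_ROOT` is an assumption of this script; it defaults to `/proc/sys` and can be pointed at a copied or constructed directory tree to audit offline.

```shell
#!/bin/sh
# Audit the sysctl knobs that matter once a Linux host forwards packets.
# Added example, not RELIANOID code. SYSCTL_ROOT (an assumption of this
# script) defaults to /proc/sys; point it at a directory with the same
# layout to audit a copied or constructed tree offline.

sysctl_get() {
    # $1 is a dotted key, e.g. net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
    path="${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# Prints one PASS/FAIL line per knob and returns the number of failures.
audit_ip_forwarding() {
    failures=0
    fwd=$(sysctl_get net.ipv4.ip_forward)
    if [ "$fwd" != 1 ]; then
        echo "OK: net.ipv4.ip_forward=$fwd, host does not forward packets"
        return 0
    fi
    echo "NOTE: net.ipv4.ip_forward=1, checking hardening knobs"
    # Columns: key, accepted value (a shell glob), reason.
    # rp_filter: 1 = strict, 2 = loose. Loose is only acceptable where routing
    # is deliberately asymmetric; a NAT balancer normally wants strict.
    while read -r key accept reason; do
        have=$(sysctl_get "$key")
        case "$have" in
            $accept) echo "PASS: $key=$have" ;;
            *) echo "FAIL: $key=$have (want $accept): $reason"
               failures=$((failures + 1)) ;;
        esac
    done <<EOF
net.ipv4.conf.all.rp_filter [12] reverse-path filtering drops spoofed sources
net.ipv4.conf.default.rp_filter [12] new interfaces must inherit reverse-path filtering
net.ipv4.icmp_echo_ignore_broadcasts 1 do not answer broadcast pings (Smurf)
net.ipv4.conf.all.accept_source_route 0 source-routed packets bypass your routing decisions
net.ipv4.conf.all.accept_redirects 0 ICMP redirects can re-route forwarded traffic
net.ipv4.conf.all.send_redirects 0 a router should not leak topology via redirects
net.ipv4.tcp_syncookies 1 SYN cookies protect locally terminated TCP (L7 VIPs)
EOF
    return $failures
}

# Run directly with "audit" as the argument, or source the file and call the function.
if [ "${1-}" = audit ]; then
    audit_ip_forwarding
fi
```

The exit status is the number of failed checks, so the script drops straight into a cron job or a configuration-management compliance step. A value of `missing` means the key does not exist on that kernel, which is itself worth a look.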
How RELIANOID Uses IP Forwarding #
When RELIANOID Load Balancer is configured with multiple network interfaces, IP forwarding is enabled by default. This allows the system to reduce routing hops and internally select the shortest path to backends, improving performance in NAT and multi-subnet configurations.
IP Forwarding: When It’s Required (and When It’s Not) #
| Load Balancer Mode | IP Forwarding Required? |
| L4 (Transport Layer) | Required in NAT/DNAT topologies, typically when the VIP and the backends sit on different subnets, because the kernel rewrites the destination address and must then route the packet on to the backend. |
| L7 (HTTP/S Proxy) | Not required: the proxy terminates the client connection and opens its own connection to the backend, so no packet is ever forwarded between interfaces. |
Security Best Practices When IP Forwarding Must Be Enabled #
If your infrastructure requires IP forwarding, consider the following hardening strategies:
Set Interfaces Routing to Unmanaged in RELIANOID #
In Networking > Routing, switch from Managed to Unmanaged mode. This prevents internal routing table management and lateral path discovery.
Use Microsegmentation #
Define explicit endpoint-to-endpoint access rules using firewalls or security groups. Permit only traffic between authorized components (e.g., VIP ↔ backend on the service port) and deny everything else by default, so that a forwarding-enabled balancer cannot carry any flow the service definition does not call for.
Implement VLAN Tagging #
Enforce Layer 2 segmentation with VLANs: place the client-facing (VIP) network and the backend network on separate VLANs, carried on tagged sub-interfaces of the balancer, so that the switch itself, not only the host's routing table, decides which networks a port can reach.
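The microsegmentation and VLAN recommendations above come together in the following script, an added example that is not RELIANOID's own configuration. It renders the `ip` commands for a tagged backend sub-interface and an nftables forward chain that carries only VIP-to-backend flows, with the permissive ruleset a freshly enabled forwarder effectively runs shown beside it. All interface names, addresses and the service port are constructed assumptions, and DNAT of the VIP itself is left to the balancer.

```shell
#!/bin/sh
# Render L2/L3 segmentation for a two-interface L4 (DNAT) balancer.
# Added example; every name and address below is a constructed assumption.
EXT_IF=eth1                      # untagged, faces clients, carries the VIP
VLAN_PARENT=eth0
VLAN_ID=100
INT_IF="$VLAN_PARENT.$VLAN_ID"   # eth0.100, tagged, faces the backends
INT_ADDR=10.10.0.1/24
BACKEND_NET=10.10.0.0/24
SERVICE_PORT=443

# ip(8) commands that create the tagged backend sub-interface (printed, not run).
vlan_cmds() {
    cat <<EOF
ip link add link $VLAN_PARENT name $INT_IF type vlan id $VLAN_ID
ip addr add $INT_ADDR dev $INT_IF
ip link set $INT_IF up
EOF
}

# The weak setting: forwarding on, forward chain accepting everything.
render_weak_ruleset() {
    cat <<EOF
table inet lb_forward {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}
EOF
}

# The hardened setting. DNAT runs in prerouting, so by the time a client
# packet reaches the forward hook its destination is already the backend
# address; that is why the accept rule matches BACKEND_NET, not the VIP.
# Backend replies are de-NATed by conntrack and pass as established.
# Anything else, including backends initiating connections outward through
# the balancer, hits the counted, logged drop.
render_ruleset() {
    cat <<EOF
table inet lb_forward {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "$EXT_IF" oifname "$INT_IF" ip daddr $BACKEND_NET tcp dport $SERVICE_PORT ct state new accept
        counter log prefix "lb-forward-drop: " drop
    }
}
EOF
}

# Print everything when run with "show"; source the file to reuse the functions.
if [ "${1-}" = show ]; then
    vlan_cmds
    render_ruleset
fi
```

Check the rendered ruleset with `render_ruleset | nft -c -f -` before loading it with `nft -f -`; the `-c` flag only parses and validates. Because the chain is in the `inet` family, add matching `ip6` rules if the VIP or backends are reachable over IPv6, otherwise those flows fall to the drop.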
While IP forwarding can be necessary — especially for L4 traffic or multi-interface setups — it also introduces risks. By combining RELIANOID’s Unmanaged Routing mode with network segmentation strategies like VLANs and microsegmentation, organizations can achieve both performance and strong security.