Why must the attacker enable IP forwarding (sysctl -w net.ipv4.ip_forward=1) on their machine when performing ARP-poisoning MitM?
Without IP forwarding, the attacker becomes a black hole — packets arrive but aren't relayed. Forwarding makes the attacker a transparent router so the victim's traffic still reaches its real destination.
Without forwarding:
Victim → Attacker → ... 💀 (dropped)
The victim's connection dies. They notice ("internet broken!"), reboot, switch networks → MitM defeated by user reaction.
With forwarding:
Victim → Attacker (sniffs) → Gateway → Internet → ✓
The attacker reads everything in transit but transparently forwards. The victim never notices because their browsing keeps working.
What forwarding actually does:
By default, Linux drops packets whose destination IP isn't its own. With net.ipv4.ip_forward=1, the kernel acts like a router:
- Packet arrives for some other IP
- Look up the routing table
- Forward to the next hop
Commands:
# Check current state
sysctl net.ipv4.ip_forward
# Output: net.ipv4.ip_forward = 0 (disabled)
# Enable
sudo sysctl -w net.ipv4.ip_forward=1
# Persist across reboots
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
Same for IPv6:
sudo sysctl -w net.ipv6.conf.all.forwarding=1
The key insight:
The "Man in the Middle" must be invisible to both endpoints. IP forwarding makes the attacker functionally identical to a router — packets transit through, get sniffed, then continue.
Why iptables also matters:
Ettercap relies on iptables redirect rules to steer intercepted packets into its own listener. In the etter.conf file you uncomment the four redir_command_on/off lines under the Linux section — these enable the NAT redirection so that, combined with IP forwarding, Ettercap can sit in-path and forge replies (e.g. for dns_spoof). Note: this does not let you read HTTPS — TLS traffic stays encrypted; that's why the attack pivots to DNS spoofing + a fake HTTP page rather than reading the real HTTPS session.
Tip: Detection idea — if a non-router host on your network has IP forwarding enabled, that's suspicious. Some EDR tools watch for this exact change.
Go deeper:
IP routing (Wikipedia) — how a host forwards packets destined for other IPs, i.e. what the kernel flag turns on.
Man-in-the-middle attack (Wikipedia) — why the attacker must relay transparently to stay invisible.