LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why must the attacker enable IP forwarding (sysctl -w net.ipv4.ip_forward=1) on their machine when performing ARP-poisoning MitM?

Without IP forwarding, the attacker becomes a black hole — packets arrive but aren't relayed. Forwarding makes the attacker a transparent router so the victim's traffic still reaches its real destination.

Without forwarding:

Victim → Attacker → ... 💀 (dropped)

The victim's connection dies. They notice ("internet broken!"), reboot, switch networks → MitM defeated by user reaction.

With forwarding:

Victim → Attacker (sniffs) → Gateway → Internet → ✓

The attacker reads everything in transit but transparently forwards. The victim never notices because their browsing keeps working.

What forwarding actually does:

By default, Linux drops packets whose destination IP isn't its own. With net.ipv4.ip_forward=1, the kernel acts like a router:

  • Packet arrives for some other IP
  • Look up the routing table
  • Forward to the next hop

Commands:

# Check current state
sysctl net.ipv4.ip_forward
# Output: net.ipv4.ip_forward = 0 (disabled)

# Enable
sudo sysctl -w net.ipv4.ip_forward=1

# Persist across reboots
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Same for IPv6:

sudo sysctl -w net.ipv6.conf.all.forwarding=1

The key insight:

The "Man in the Middle" must be invisible to both endpoints. IP forwarding makes the attacker functionally identical to a router — packets transit through, get sniffed, then continue.

Why iptables also matters:

Ettercap relies on iptables redirect rules to steer intercepted packets into its own listener. In the etter.conf file you uncomment the four redir_command_on/off lines under the Linux section — these enable the NAT redirection so that, combined with IP forwarding, Ettercap can sit in-path and forge replies (e.g. for dns_spoof). Note: this does not let you read HTTPS — TLS traffic stays encrypted; that's why the attack pivots to DNS spoofing + a fake HTTP page rather than reading the real HTTPS session.

Tip: Detection idea — if a non-router host on your network has IP forwarding enabled, that's suspicious. Some EDR tools watch for this exact change.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 05, 2026