The Linux box instantly turns into a router as soon as you run `sysctl net.ipv4.ip_forward=1`, because the default policy for FORWARD table is ACCEPT.

You need to explicitly reconfigure the iptables/nftables to prevent that from happening.

Some software, say LXD/Incus, enable forwarding automatically upon installation/startup, and do not configure firewall to block non-their traffic, making the machine an open router. I've reported that, the developers said that's by design (despite other virtualization/containerization systems block forwarding if they happen to enable the sysctl).

▲

3abiton 2 hours ago | parent [-]

A stupid question, what's the risk?

	▲	tremon 2 hours ago \| parent [-]
		The risk is minimal if you control or trust both networks. A network boundary is a natural choke point for access control, so that's where it's usually implemented. For an ipv4 boundary router (as is the topic of the post) you almost certainly need to configure Network Address Translation because your internal network addresses are non-routable on the Internet (at uni my dorm had public IP addresses for each student computer, fun times). As for the GP's example, running VM's or containers* on your own machine? I'd say the default ACCEPT policy is fine. However, silently changing such a setting on software installation is a problem because if the machine is multi-homed (i.e. has more than one network interface), you've now created a network route outside of the network admin's control. * The default for docker and podman is to use a private network, not a bridge anyway.