Discussion (4 comments)
A deep dive into what changes technically inside the system when a Linux machine is turned from a plain end host into a router. It explains the core mechanisms that let Linux act as a "relay point" in the network: how the packet-processing path switches once IP forwarding (`net.ipv4.ip_forward`) is enabled, the TTL (Time To Live) decrement, the routing-table lookup process, and how firewall filtering (iptables/nftables) behaves for forwarded traffic.
That's not a router, that's a CPE, and one without IPv6 support.
Used to run a virtualized firewall setup. And then one day discovered that somewhere along the line I had made a change (or an update changed something) that meant the Proxmox admin interface was being served publicly. That's despite confirming during initial setup that it wasn't.
So now I do not do any funky stuff with firewalls anymore. Separate appliance with OPNsense on bare metal.
The Linux box instantly turns into a router as soon as you run `sysctl net.ipv4.ip_forward=1`, because the default policy for the FORWARD table is ACCEPT.
You need to explicitly reconfigure iptables/nftables to prevent that from happening.
Some software, say LXD/Incus, enables forwarding automatically upon installation/startup and does not configure the firewall to block traffic other than its own, making the machine an open router. I've reported that; the developers said that's by design (despite other virtualization/containerization systems blocking forwarding if they happen to enable the sysctl).
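The condition the last two comments describe (`ip_forward=1` with no default deny on the forward hook) is easy to audit. The script below is an added example, not code from the discussion or from any of the projects named in it. It takes the sysctl value and the text of `nft list ruleset` as arguments so it can be run against captured values offline; the two rulesets embedded in it are constructed samples, and the bridge name `br0` in the hardened ruleset is an assumption to be replaced with the real interface.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a Linux host has become an
# "open router", i.e. net.ipv4.ip_forward=1 while the nftables forward hook has
# no default deny. Inputs are passed as strings so the check runs offline; on a
# live host call:
#   is_open_router "$(cat /proc/sys/net/ipv4/ip_forward)" "$(nft list ruleset)"

# forward_policy RULESET
# Prints the policy ("accept" or "drop") of the first chain hooked on "forward"
# in an `nft list ruleset` dump, or "none" when no forward chain exists. With
# no forward chain at all, nftables forwards everything, which is equivalent to
# policy accept for this audit. Works for iptables-nft too, whose FORWARD chain
# shows up in the same dump.
forward_policy() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*chain[ \t]/        { inchain = 1; hooked = 0 }
    inchain && /hook forward/ { hooked = 1 }
    inchain && hooked && /policy/ {
      sub(/.*policy[ \t]+/, "")   # strip everything up to the policy keyword
      sub(/[ \t;].*/, "")         # keep only the policy word itself
      print; found = 1; exit
    }
    /^[ \t]*}/                { inchain = 0 }
    END { if (!found) print "none" }'
}

# is_open_router IP_FORWARD RULESET
# Exit 0 (and print OPEN) when forwarding is on and the forward hook does not
# default to drop; exit 1 otherwise. Note the limit of this check: a chain with
# policy drop but a blanket "accept" rule is still open, so review the rules
# too, not only the policy.
is_open_router() {
  policy=$(forward_policy "$2")
  if [ "$1" = "1" ] && [ "$policy" != "drop" ]; then
    echo "OPEN: ip_forward=1 and forward hook policy is '$policy'"
    return 0
  fi
  echo "closed: ip_forward=$1, forward hook policy '$policy'"
  return 1
}

# Constructed sample: what the thread describes, a default FORWARD chain with
# policy accept (the state iptables leaves you in after enabling the sysctl).
OPEN_RULESET='table ip filter {
  chain FORWARD {
    type filter hook forward priority filter; policy accept;
  }
}'

# Constructed sample of the fix: default deny on the forward hook, replies to
# established flows allowed, new flows only from the local bridge. "br0" is an
# assumed interface name. Load on a real host with: nft -f <file>
HARDENED_RULESET='table inet filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "br0" accept
  }
}'

# Demo run against the two constructed states.
is_open_router 1 "$OPEN_RULESET"
is_open_router 1 "$HARDENED_RULESET"
```

Because the forward hook policy is the only thing the script inspects, it is a first-pass check; a default deny plus an overly broad accept rule still passes it, so the rule list deserves a read as well.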