diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index fc33ebdccff0..5c58425c55ba 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -524,6 +524,8 @@ def initialize_gateway_device(dev, network_ref):
     if not network_ref:
         return
 
+    _execute('sysctl', '-w', 'net.ipv4.ip_forward=1', run_as_root=True)
+
     # NOTE(vish): The ip for dnsmasq has to be the first address on the
     #             bridge for it to respond to reqests properly
     full_ip = '%s/%s' % (network_ref['dhcp_server'],
diff --git a/nova/rootwrap/network.py b/nova/rootwrap/network.py
index 0a93a635bd4c..aa3cec7f977d 100755
--- a/nova/rootwrap/network.py
+++ b/nova/rootwrap/network.py
@@ -87,4 +87,7 @@ filterlist = [
 
     # nova/network/linux_net.py: 'ovs-ofctl', ....
     filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
+
+    # nova/network/linux_net.py: 'sysctl', ....
+    filters.CommandFilter("/sbin/sysctl", "root"),
     ]
diff --git a/nova/tests/test_linux_net.py b/nova/tests/test_linux_net.py
index f760acbecea8..1571a8bee656 100644
--- a/nova/tests/test_linux_net.py
+++ b/nova/tests/test_linux_net.py
@@ -426,6 +426,7 @@ class LinuxNetworkTestCase(test.TestCase):
             "    inet6 dead::beef:dead:beef:dead/64 scope link\n"
             "    valid_lft forever preferred_lft forever\n")
         expected = [
+            ('sysctl', '-w', 'net.ipv4.ip_forward=1'),
             ('ip', 'addr', 'show', 'dev', 'eth0', 'scope', 'global'),
             ('route', '-n'),
             ('ip', 'addr', 'del', '192.168.0.1/24',
@@ -449,6 +450,7 @@ class LinuxNetworkTestCase(test.TestCase):
             "    inet6 dead::beef:dead:beef:dead/64 scope link\n"
             "    valid_lft forever preferred_lft forever\n")
         expected = [
+            ('sysctl', '-w', 'net.ipv4.ip_forward=1'),
             ('ip', 'addr', 'show', 'dev', 'eth0', 'scope', 'global'),
             ('route', '-n'),
             ('route', 'del', 'default', 'gw', '192.68.0.1', 'dev', 'eth0'),
@@ -473,6 +475,7 @@ class LinuxNetworkTestCase(test.TestCase):
             "    inet6 dead::beef:dead:beef:dead/64 scope link\n"
             "    valid_lft forever preferred_lft forever\n")
         expected = [
+            ('sysctl', '-w', 'net.ipv4.ip_forward=1'),
             ('ip', 'addr', 'show', 'dev', 'eth0', 'scope', 'global'),
             ('ip', '-f', 'inet6', 'addr', 'change',
              '2001:db8::/64', 'dev', 'eth0'),
@@ -486,6 +489,7 @@ class LinuxNetworkTestCase(test.TestCase):
             "    inet6 dead::beef:dead:beef:dead/64 scope link\n"
             "    valid_lft forever preferred_lft forever\n")
         expected = [
+            ('sysctl', '-w', 'net.ipv4.ip_forward=1'),
             ('ip', 'addr', 'show', 'dev', 'eth0', 'scope', 'global'),
             ('route', '-n'),
             ('ip', 'addr', 'add', '192.168.1.1/24',