diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc index eda1a6d..c0ba066 100644 --- a/doc/manuals/chapters/running.adoc +++ b/doc/manuals/chapters/running.adoc @@ -226,3 +226,44 @@ tunmap When running more than one osmo-upf process on a system, pick distinct table names to avoid name collisions in the nftables rulesets. + +=== IP Forwarding + +In order to allow forwarding GTP payloads, the Linux operating system must +be configured to allow IP forwarding. + +Note that there are many distribution-specific ways to configure this, and there +might be higher-level firewall rule management software available like `ufw`. +You should configure firewall rules matching your distribution and setup. + +To allow IP forwarding from and to all interfaces globally in a reboot-safe way, +you may put a line like this in /etc/sysctl.conf: + +---- +net.ipv4.ip_forward=1 +---- + +To do the same in an ad-hoc way that is not reboot safe but takes effect +immediately: + +---- +sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" +---- + +It is also possible to instruct the firewall to allow IP forwarding for specific +network devices only. For example, on a Debian based system, place an nft +ruleset like this in `/etc/nftables.conf`: + +---- +define gtp_netdevs = { eth0, eth23 }; + +table inet filter { + chain forward { + type filter hook forward priority filter; policy drop; + iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept + } +} +---- + +This ruleset allows IP forwarding, but limited to the GTP-U port 2152, +and to two specific network devices eth0 and eth23.
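Review bot: the closing paragraph of the hunk ("It is also possible to instruct the firewall to allow IP forwarding for specific network devices only") misstates what the nft ruleset does: an nftables `forward` chain only filters packets the kernel is already forwarding, so `net.ipv4.ip_forward=1` remains required and the ruleset restricts forwarding rather than enabling it. Suggest rewording to something like `Once IP forwarding is enabled, the firewall can additionally restrict forwarding to specific network devices and ports`, and stating that with `policy drop` every other forwarded packet (including non-GTP traffic between those interfaces) is silently discarded. Two smaller points in the same hunk: the `/etc/nftables.conf` example lacks the `flush ruleset` line that Debian's shipped file starts with, so each re-run of `nft -f /etc/nftables.conf` appends another copy of the accept rule to the chain; and next to the `/proc/sys` one-liner it would help to note that `sudo sysctl -p` applies an edited `/etc/sysctl.conf` without a reboot, and that deployments whose GTP-U endpoints are IPv6 also need `net.ipv6.conf.all.forwarding=1`.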