diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index e0232769f7..9a5684433d 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -105,6 +105,7 @@ docker_client_timeout: 120
 # Docker networking options
 docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
+docker_disable_ip_forward: "{{ docker_disable_default_iptables_rules }}"
 
 # Retention settings for Docker logs
 docker_log_max_file: "5"
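Review bot: The default on the added `docker_disable_ip_forward` line already resolves to true in this file, because `docker_disable_default_iptables_rules` is `"yes"` two lines above, yet the warning task added in post-install.yml says ip_forward "will be disabled by default from the Wallaby 12.0.0 release". As written, that warning fires only for operators who have turned this flag or the iptables flag off, and it advises them to set a value they effectively already have. If the disabled-by-default behaviour is intended now, the warning text should be reworded to match. The variable also has no comment of its own; something like `# Stop dockerd from setting net.ipv4.ip_forward=1; follows docker_disable_default_iptables_rules unless overridden.` would make the host-wide effect and the coupling visible.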
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 3d1123ba86..3061ad3e96 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -118,6 +118,20 @@
     docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
   when: docker_disable_default_network | bool
 
+- name: Warn about docker ip_forward
+  debug:
+    msg: >-
+      Docker ip_forward will be disabled by default from the
+      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+      this functionality, you should plan a migration for this change, or set
+      docker_disable_ip_forward to false.
+  when: not docker_disable_ip_forward | bool
+
+- name: Disable docker ip_forward
+  set_fact:
+    docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
+  when: docker_disable_ip_forward | bool
+
 - name: Merge custom docker config
   set_fact:
     docker_config: "{{ docker_config | combine(docker_custom_config) }}"
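Review bot: Setting `'ip-forward': false` in the "Disable docker ip_forward" task only stops dockerd from turning forwarding on; a host where Docker has already set `net.ipv4.ip_forward` to 1 keeps forwarding until that sysctl is reset (for example by a reboot). Nothing in this hunk resets it, though the rest of the task file is outside the hunk and may handle this elsewhere. A comment above the task would set expectations, e.g. `# Only prevents dockerd from enabling forwarding; does not reset net.ipv4.ip_forward on hosts where it is already 1.` The "Merge custom docker config" task that follows combines `docker_custom_config` last, so an `ip-forward` key there overrides this setting silently. That precedence looks deliberate but is worth stating in the same comment so a hardened default is not assumed to be final.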
diff --git a/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml
new file mode 100644
index 0000000000..48c8823a23
--- /dev/null
+++ b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Adds a new flag, ``docker_disable_ip_forward``, which
+    defaults to ``docker_disable_default_iptables_rules`` and is used to
+    disable docker's ``ip-forward`` option which makes docker set
+    ``net.ipv4.ip_forward`` sysctl to ``1``.
+    This is to protect from creating all-forwarding hosts.
+    `LP#1931615 <https://launchpad.net/bugs/1931615>`__