diff --git a/common/config.go b/common/config.go
index e7340acf1a1fa6dd02a8ef88ec0d73e5a6ed96c4..76425bbb616ad7e5196b67764fac38c55ced681f 100644
--- a/common/config.go
+++ b/common/config.go
@@ -22,6 +22,7 @@ import (
 )
 
 type DockerPullPolicy string
+type DockerSysCtls map[string]string
 
 const (
 	PullPolicyAlways       = "always"
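Review bot: The new exported type `DockerSysCtls` has no doc comment and its spelling differs from the Docker API field it feeds (`Sysctls`, as used in the executor and test hunks of this same diff). The neighbouring `ServicesTmpfs` option is declared as a plain `map[string]string`, so the named type adds a second convention without adding behaviour. If the type stays, a comment such as `// DockerSysCtls maps a sysctl name to the value set on the containers the Docker executor creates.` would state its purpose. Using one spelling throughout would also make the option easier to grep for.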
@@ -76,6 +77,7 @@ type DockerConfig struct {
 	PullPolicy             DockerPullPolicy  `toml:"pull_policy,omitempty" json:"pull_policy" long:"pull-policy" env:"DOCKER_PULL_POLICY" description:"Image pull policy: never, if-not-present, always"`
 	ShmSize                int64             `toml:"shm_size,omitempty" json:"shm_size" long:"shm-size" env:"DOCKER_SHM_SIZE" description:"Shared memory size for docker images (in bytes)"`
 	ServicesTmpfs          map[string]string `toml:"services_tmpfs,omitempty" json:"services_tmpfs" long:"services-tmpfs" env:"DOCKER_SERVICES_TMPFS" description:"A toml table/json object with the format key=values. When set this will mount the specified path in the key as a tmpfs volume in all the service containers, using the options specified as key. For the supported options, see the documentation for the unix 'mount' command"`
+	SysCtls                DockerSysCtls     `toml:"sysctls,omitempty" json:"sysctls" long:"sysctls" env:"DOCKER_SYSCTLS" description:"Sysctl options, a toml table/json object of key=value. Value is expected to be a string."`
 }
 
 type DockerMachine struct {
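Review bot: The `description` on the new `SysCtls` field says only "Sysctl options", which leaves an operator guessing which containers receive them and which keys are usable. The executor hunk sets the map on the HostConfig built in `createContainer`, which takes a `containerType`, so it presumably applies to every container type that function creates and not only the build container. Docker accepts only namespaced kernel parameters here, so other keys fail when the container is created. Suggested wording: `description:"Namespaced sysctl options applied to the containers created for a job, a toml table/json object of key=value. Value is expected to be a string."`.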
diff --git a/config.toml.example b/config.toml.example
index 22c5d377b2507032d8426800be5699731def1362..90c19d2df50306ad7d233fa1ffc88be35a28ad5e 100644
--- a/config.toml.example
+++ b/config.toml.example
@@ -36,6 +36,8 @@ concurrent = 4
     privileged = false
     disable_cache = false
     cache_dir = ""
+    [runners.docker.sysctls]
+      "net.ipv4.ip_forward" = "1"
   [runners.ssh]
     port = "22"
     user = "root"
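Review bot: The added `[runners.docker.sysctls]` header closes the `[runners.docker]` key list, so any key an operator later appends beneath it, before `[runners.ssh]`, is parsed as a sysctl entry rather than a Docker option. Because this file is copied as a starting configuration, the example also turns on `net.ipv4.ip_forward` for job containers by default. Shipping it commented out would avoid both surprises: `# [runners.docker.sysctls]` followed by `#   "net.ipv4.ip_forward" = "1"`, with a one-line comment saying the table must stay last in the section.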
diff --git a/docs/configuration/advanced-configuration.md b/docs/configuration/advanced-configuration.md
index 0fb4e7c1a4e39482f65a2291ac90f1abfe496a44..7fa08fb934253fe2f8d57ae4828bebe0f9cba5b7 100644
--- a/docs/configuration/advanced-configuration.md
+++ b/docs/configuration/advanced-configuration.md
@@ -130,6 +130,7 @@ This defines the Docker Container parameters.
 | `allowed_images`            | specify wildcard list of images that can be specified in .gitlab-ci.yml. If not present all images are allowed (equivalent to `["*/*:*"]`) |
 | `allowed_services`          | specify wildcard list of services that can be specified in .gitlab-ci.yml. If not present all images are allowed (equivalent to `["*/*:*"]`) |
 | `pull_policy`               | specify the image pull policy: `never`, `if-not-present` or `always` (default); read more in the [pull policies documentation](../executors/docker.md#how-pull-policies-work) |
+| `sysctls`                   | specify the sysctl options |
 
 Example:
 
@@ -158,6 +159,8 @@ Example:
   services = ["mysql", "redis:2.8", "postgres:9"]
   allowed_images = ["ruby:*", "python:*", "php:*"]
   allowed_services = ["postgres:9.4", "postgres:latest"]
+  [runners.docker.sysctls]
+    "net.ipv4.ip_forward" = "1"
 ```
 
 ### Volumes in the [runners.docker] section
diff --git a/executors/docker/executor_docker.go b/executors/docker/executor_docker.go
index f77709d3d0d88cee3e65e334104df54b2d0c4bae..ae4c70780de3565482e1e73dc04452b08b3407e0 100644
--- a/executors/docker/executor_docker.go
+++ b/executors/docker/executor_docker.go
@@ -785,6 +785,7 @@ func (s *executor) createContainer(containerType string, imageDefinition common.
 		LogConfig: container.LogConfig{
 			Type: "json-file",
 		},
+		Sysctls: s.Config.Docker.SysCtls,
 	}
 
 	// this will fail potentially some builds if there's name collision
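Review bot: `Sysctls: s.Config.Docker.SysCtls` passes the configured map to Docker with no validation, so a misspelled or non-namespaced key is only discovered when container creation fails inside a job. As far as I know, Docker also rejects `net.*` sysctls for containers that use the host network namespace, so this option can conflict with a host `network_mode`; this should be confirmed against the supported Docker versions. Because `createContainer` is parameterised by `containerType`, the same values appear to reach service containers as well as the build container, which deserves a comment here: `// Sysctls apply to every container type created by this function.`. The function body starts and ends outside this hunk, so any existing validation elsewhere is not visible.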
diff --git a/executors/docker/executor_docker_test.go b/executors/docker/executor_docker_test.go
index a13416a18b667f4ab727782889bb8940493846c0..a38a497cb7b710d896c6a5c2632fe7727b616e9b 100644
--- a/executors/docker/executor_docker_test.go
+++ b/executors/docker/executor_docker_test.go
@@ -951,6 +951,20 @@ func TestDockerUserNSSetting(t *testing.T) {
 
 }
 
+func TestDockerSysctlsSetting(t *testing.T) {
+	dockerConfig := &common.DockerConfig{
+		SysCtls: map[string]string{
+			"net.ipv4.ip_forward": "1",
+		},
+	}
+
+	cce := func(t *testing.T, config *container.Config, hostConfig *container.HostConfig) {
+		assert.Equal(t, "1", hostConfig.Sysctls["net.ipv4.ip_forward"])
+	}
+
+	testDockerConfigurationWithJobContainer(t, dockerConfig, cce)
+}
+
 func init() {
 	docker_helpers.HomeDirectory = ""
 }
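Review bot: The check in `cce` reads a single key, so `TestDockerSysctlsSetting` would still pass if the HostConfig carried additional or merged sysctls beyond the configured one. Comparing the whole map pins the behaviour more tightly: `assert.Equal(t, map[string]string(dockerConfig.SysCtls), hostConfig.Sysctls)`. Judging by the helper name `testDockerConfigurationWithJobContainer`, only the job container is exercised. A case for service containers, and one for an unset `SysCtls`, would cover the remaining paths through `createContainer`.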