Redirect to local network without allow_localnet

viraptor asked:

I’d like to redirect incoming external traffic to a service which listens on 127.0.0.1. The redirection is easy – just:

iptables -t nat -A PREROUTING \
    -p tcp -d local_ip --dport 80 \
    -j DNAT --to-destination 127.0.0.1:port

but this leaves the packet on eth0 and it’s just logged as martian and dropped by default. I can enable route_localnet on eth0 to fix this, but that exposes the whole interface to weird routing tricks.

How do I forward it correctly without route_localnet?

My answer:


The correct way to handle this is to have the application listen on the correct interface and/or IP address, not 127.0.0.1, and use iptables only to allow traffic, not to play weird NAT tricks.

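An added example (not from the post or viraptor's setup) of the approach the answer recommends: filter rules that only allow traffic to the service on the external address, with no nat table and no route_localnet, plus a check that the service really listens on a non-loopback address. The interface eth0, the documentation address 203.0.113.10, port 80 and the sample `ss -ltn` output are constructed placeholders.

```sh
#!/bin/sh
# Added example, not the Server Fault post's own commands. Values below are
# constructed placeholders; set IFACE, EXT_IP and PORT for a real host.
IFACE="${IFACE:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
PORT="${PORT:-80}"

# Rules that only *allow* traffic to the service: filter table only, no DNAT
# to 127.0.0.1, so route_localnet can stay off. Printed rather than applied so
# the script runs unprivileged; pipe the output to sh as root to apply.
allow_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i $1 -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Read 'ss -ltn' output on stdin; return 0 when some listener on port $1 is
# bound to something other than loopback (0.0.0.0, *, [::] or a real address).
# A service bound only to 127.0.0.1 is exactly the case the question hit.
listener_reachable() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed 'ss -ltn' samples: the problematic loopback-only bind and the fix.
SS_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          127.0.0.1:80        0.0.0.0:*'
SS_EXTERNAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128      203.0.113.10:80        0.0.0.0:*'

allow_rules "$IFACE" "$EXT_IP" "$PORT"
if printf '%s\n' "$SS_LOOPBACK_ONLY" | listener_reachable "$PORT"; then
    echo "port $PORT: reachable from the network"
else
    echo "port $PORT: bound to loopback only; rebind the service to $EXT_IP"
fi
```

On a live host, replace the sample with `ss -ltn | listener_reachable "$PORT"` to check the running service.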

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.