Redirect to local network without route_localnet

viraptor asked:

I’d like to redirect incoming external traffic to a service which listens on The redirection is easy – just:

# --dport needs a protocol match (-p tcp), otherwise iptables rejects the rule
iptables -t nat -A PREROUTING \
    -d local_ip -p tcp --dport 80 \
    -j DNAT --to-destination

but this leaves the packet on eth0, where it is logged as a martian and dropped by default. I can enable route_localnet on eth0 to fix this, but that exposes the whole interface to weird routing tricks.

How do I forward it correctly without route_localnet?

My answer:

The correct way to handle this is to have the application listen on the correct interface and/or IP address, not, and use iptables only to allow traffic, not to play weird NAT tricks.
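The practical first step of that advice is to find out which services are bound only to the loopback address, because those are the ones a DNAT from eth0 can never reach without route_localnet and the ones that have to be rebound to the interface address. The following POSIX shell audit is an added example, not code from the question or the answer; it assumes the column layout of iproute2's `ss -H -ltn` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the standard sysctl path /proc/sys/net/ipv4/conf/<iface>/route_localnet, and the interface names, addresses and `ss` sample lines in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: `ss -H -ltn` column layout and the sysctl path
# /proc/sys/net/ipv4/conf/<iface>/route_localnet. Interface names,
# addresses and the sample `ss` output below are placeholders.

# Classify a "Local Address:Port" field from `ss -ltn`.
# Patterns are quoted so "[::1]" and "*" match literally, not as globs.
listen_scope() {
    addr="${1%:*}"
    case "$addr" in
        127.*|"[::1]")        echo loopback ;;   # reachable only from the host itself
        0.0.0.0|"*"|"[::]")   echo wildcard ;;   # reachable on every interface address
        *)                    echo specific ;;   # bound to one interface address
    esac
}

# Read `ss -H -ltn` lines on stdin and print "PORT SCOPE" for each listener.
listeners_from_ss() {
    while read -r _state _recvq _sendq laddr _peer _rest; do
        [ -n "$laddr" ] || continue
        echo "${laddr##*:} $(listen_scope "$laddr")"
    done
}

# Ports bound only to loopback: exactly the services the question tries to
# reach with DNAT, and the ones the answer says to rebind instead.
loopback_only_ports() {
    listeners_from_ss | awk '$2 == "loopback" { print $1 }'
}

# Prints on / off / unknown for net.ipv4.conf.<iface>.route_localnet.
route_localnet_state() {
    f="/proc/sys/net/ipv4/conf/$1/route_localnet"
    [ -r "$f" ] || { echo unknown; return; }
    if [ "$(cat "$f")" = 1 ]; then echo on; else echo off; fi
}

# Would a packet arriving on IFACE and DNATed to TARGET be delivered?
# A non-loopback target always is. A loopback target is delivered only with
# route_localnet=1; otherwise the kernel logs it as a martian and drops it.
dnat_target_deliverable() {
    iface=$1; target=$2
    [ "$(listen_scope "$target:0")" != loopback ] && return 0
    [ "$(route_localnet_state "$iface")" = on ]
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.0.2.10:80 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*'

# Demo run on the sample: 8080 and 5432 are the listeners to rebind.
printf '%s\n' "$SAMPLE_SS" | listeners_from_ss
echo "loopback-only ports: $(printf '%s\n' "$SAMPLE_SS" | loopback_only_ports | paste -sd' ' -)"
```

On a real host, source the file and run `ss -H -ltn | loopback_only_ports` to list the listeners that would need route_localnet; `dnat_target_deliverable eth0 127.0.0.1` then reports whether the DNAT from the question would currently be delivered or logged as a martian. Once a service listens on the interface address (or on the wildcard address with the firewall limiting who may reach it), the only iptables rule it needs is a filter-table ACCEPT on INPUT for that port, with no nat table involved.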

