Redirect to local network without allow_localnet

viraptor asked:

I’d like to redirect incoming external traffic to a service which listens on The redirection is easy – just:

# --dport only works together with a protocol match, so -p tcp is required
iptables -t nat -A PREROUTING \
    -p tcp -d local_ip --dport 80 \
    -j DNAT --to-destination

but this leaves the packet on eth0 and it’s just logged as martian and dropped by default. I can enable route_localnet on eth0 to fix this, but that exposes the whole interface to weird routing tricks.

How do I forward it correctly without route_localnet?

My answer:

The correct way to handle this is to have the application listen on the correct interface and/or IP address, not, and use iptables only to allow traffic, not to play weird NAT tricks.
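As an added example (not part of the question or the answer), a small POSIX sh check that parses `ss -H -ltn` output to confirm whether a port's listeners are bound only to loopback, which is exactly the situation that makes the DNAT hack need route_localnet, and prints the plain filter rule to use instead once the service binds to the interface address. The `ss` lines are constructed; eth0 and port 80 are taken from the question; the loopback binding is assumed.

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltn` output (column 4 is Local Address:Port).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:80 [::]:*'

# listeners_for PORT: print the local address of every socket listening on PORT.
listeners_for() {
    printf '%s\n' "$SAMPLE_SS" | awk -v port="$1" '
        { n = split($4, a, ":")
          if (a[n] == port) { sub(":" port "$", "", $4); print $4 } }'
}

# loopback_only PORT: exit 0 when every listener on PORT is bound to loopback
# (127.0.0.0/8 or ::1), i.e. unreachable from eth0 without route_localnet;
# exit 1 when at least one listener is reachable from a real interface or
# when nothing listens on PORT at all.
loopback_only() {
    addrs=$(listeners_for "$1")
    [ -n "$addrs" ] || return 1
    if printf '%s\n' "$addrs" | grep -qvE '^(127\.|\[::1\]$)'; then
        return 1
    fi
    return 0
}

# allow_rule PORT IFACE: the filter-table rule that replaces the DNAT trick
# once the service listens on the interface address (printed, not applied).
allow_rule() {
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$2" "$1"
}

# Walk-through on the constructed sample: port 80 is loopback-only, so the
# fix is to rebind the service and then allow it with the plain rule.
if loopback_only 80; then
    echo "port 80 is bound to loopback only; bind it to the eth0 address and use:"
    allow_rule 80 eth0
fi
```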

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.