Iptables redirect to localhost?

13

3

Suppose I have a network with a server routing all connections from inside the network to the Internet. How can I set up iptables so that instead of routing incoming connections to the Internet, it instead routes them to localhost port 8080. All help is appreciated.

DankMemes

Posted 2013-10-18T12:53:15.173

Reputation: 449

The problem is that with simple redirection (destination IP address NAT) you will lose the original destination IP address. Do you want to setup a transparent HTTP proxy or should it process other protocols than HTTP too? – pabouk – 2013-10-18T13:14:51.933

It doesn't matter if it's transparent or not – DankMemes – 2013-10-18T14:49:17.497

Redirecting all the traffic to a proxy is a base for transparent proxy :) – pabouk – 2013-10-18T15:54:16.150


Answers

6

sysctl net.ipv4.ip_forward=1 
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Alex Antonov

Posted 2013-10-18T12:53:15.173

Reputation: 122

2

I experimented with this. The ip_forward sysctl is not necessary. However the route_localnet option here is. I see now this is exactly what Juan Cespedes' answer states.

– Matt Joiner – 2015-02-08T02:23:22.267

don't use bold .... – None – 2013-10-18T13:11:43.453

Thanks! I haven't tried this yet but I suspect what I've been missing is the ip forwarding command. And next time, please use code blocks, not bold. – DankMemes – 2013-10-18T13:16:12.930

@AlexAntonov please use code blocks. Select your text in edit mode and click the brackets icon. – DankMemes – 2013-10-18T13:18:36.737

@ZoveGames, sorry, fixed it. – Alex Antonov – 2013-10-18T13:29:00.837

Is the ip_forward setting needed at all? – Pavel Šimerda – 2013-10-19T22:51:18.640

@PavelŠimerda, yes, this parameter is required, because traffic won't be forwarded between interfaces without it. – Alex Antonov – 2013-10-20T06:36:00.823

@AlexAntonov I don't think this is forwarding between interfaces. Did you actually try with ip_forward=0? – Pavel Šimerda – 2013-10-20T07:44:42.170

31

That can be done with iptables, but only with kernel >= 3.6.

You will have to do:

sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080

ip_forward is not necessary, because the packet is not forwarded. But if you don't include the sysctl for route_localnet (which works only in kernels >= 3.6), the packet will be dropped by the kernel, because it considers it a "martian": coming from the outside and having a destination address of 127.0.0.1.

Juan Cespedes

Posted 2013-10-18T12:53:15.173

Reputation: 434

Yup, that works – Nick De Greek – 2016-02-15T14:09:39.707

Did not know about route_localnet. So old school and couldn't figure out why ip_forward wasn't working (suspected it wasn't needed but tried anyway). – dmourati – 2016-11-01T03:38:19.953

Make sure you save net.ipv4.conf.all.route_localnet=1 in /etc/sysctl.conf, otherwise it won't be persistent and after reboot the variable will go back to 0, causing the packet to be dropped. Then it would be very hard to figure out why everything is suddenly not working... it happened to me. ;) – viz – 2018-03-12T18:23:33.357

Sorry to necro an old question but is there an ipv6 equivalent of net.ipv4.conf.all.route_localnet for use with ip6tables? – Kebian – 2019-07-10T02:56:39.720
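Both answers above boil down to the same two lines (a sysctl plus a DNAT rule in nat/PREROUTING). The script below is an added example, not code posted by either answerer, that wraps those two lines with the checks a practitioner would want before running them on a gateway: a kernel-version gate for route_localnet (needs >= 3.6), the sysctl scoped to the ingress interface instead of conf.all, the DNAT rule restricted with -i so only LAN-side traffic is redirected (never the router's own or WAN-side traffic), and a matching INPUT accept for the rewritten packets. The interface name eth1 and the ports 80 and 8080 are assumptions; override them with environment variables. `show` prints the commands for review, `apply` runs them (root required).

```shell
#!/bin/sh
# Added example: redirect TCP/80 arriving on the LAN interface of a gateway
# to a service listening on 127.0.0.1:8080, using route_localnet + DNAT.
# Assumptions (hypothetical, override via the environment): LAN interface
# eth1, matched port 80, local listener port 8080.
set -eu

LAN_IF="${LAN_IF:-eth1}"
MATCH_PORT="${MATCH_PORT:-80}"
LOCAL_PORT="${LOCAL_PORT:-8080}"

# route_localnet exists only from kernel 3.6 on. Takes a `uname -r` string
# such as "4.19.0-18-amd64" or "3.5.0"; succeeds (returns 0) when >= 3.6.
kernel_supports_route_localnet() {
    ver="${1%%-*}"                        # "4.19.0-18-amd64" -> "4.19.0"
    major="${ver%%.*}"                    # "4"
    rest="${ver#*.}"                      # "19.0"
    minor="${rest%%.*}"                   # "19"
    [ "$rest" = "$ver" ] && minor=0       # bare "4" -> minor 0
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }
}

# Emit the commands as text so they can be reviewed (or diffed against
# `iptables-save`) before anything touches the running firewall.
# - route_localnet is set per interface; the kernel ORs conf.all with
#   conf.<if>, so enabling it only on the LAN side is enough.
# - `-i $lan_if` keeps WAN-side port-80 traffic out of the local service.
# - After DNAT the packet is delivered locally with dst 127.0.0.1 and
#   in-interface $lan_if, which is what the INPUT rule has to match.
redirect_rules() {
    lan_if="$1"; match_port="$2"; local_port="$3"
    cat <<EOF
sysctl -w net.ipv4.conf.${lan_if}.route_localnet=1
iptables -t nat -A PREROUTING -i ${lan_if} -p tcp --dport ${match_port} -j DNAT --to-destination 127.0.0.1:${local_port}
iptables -A INPUT -i ${lan_if} -p tcp -d 127.0.0.1 --dport ${local_port} -j ACCEPT
EOF
}

# Gate on the kernel, apply the rules, then show what the kernel now holds.
apply_redirect() {
    kernel_supports_route_localnet "$(uname -r)" || {
        echo "kernel $(uname -r) lacks route_localnet (needs >= 3.6)" >&2
        return 1
    }
    redirect_rules "$LAN_IF" "$MATCH_PORT" "$LOCAL_PORT" | sh -e   # needs root
    sysctl -n "net.ipv4.conf.${LAN_IF}.route_localnet"              # expect 1
    iptables -t nat -S PREROUTING                                     # expect the DNAT rule
}

# Default action only prints; nothing is changed unless "apply" is given.
case "${1:-show}" in
    show)  redirect_rules "$LAN_IF" "$MATCH_PORT" "$LOCAL_PORT" ;;
    apply) apply_redirect ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats that follow from the thread. First, as viz found, the sysctl is not persistent: put `net.ipv4.conf.eth1.route_localnet = 1` in a file under /etc/sysctl.d/ and save the rules with iptables-save in whatever way your distribution restores them, or the redirect silently stops working after the next reboot. Second, as pabouk pointed out, DNAT discards the original destination address: the listener on 127.0.0.1:8080 sees the client's source IP but a destination of 127.0.0.1, so a transparent HTTP proxy has to recover the real target from the Host header or by asking conntrack with getsockopt(SO_ORIGINAL_DST). If the service can bind the LAN interface's own address instead of 127.0.0.1, `-j REDIRECT --to-ports 8080` rewrites the destination to that address and needs no route_localnet at all; that target is also available in ip6tables, which has no route_localnet equivalent.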