http://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1
I have a service running on 127.0.0.1 with port 2222. I need to forward all requests to 192.168.2.2:2222 (outside IP) only from subnet 192.168.1.0/24 to 127.0.0.1:2222.
I'm trying to use this, but it's not working.
$ iptables -t nat -I PREROUTING -p tcp -d 192.168.1.0/24 --dport 2222 -j DNAT --to-destination 127.0.0.1:2222
How can I get this to work?
We need some clarification. Where is the traffic coming from? Where is the traffic originally going to? Where should the traffic be going to? As I read it, you want traffic from 192.168.1.0/24 to 127.0.0.1:2222 to be redirected to 12.23.34.45:2222. But Warren's answer assumes you want traffic from 192.168.1.0/24 to 12.23.34.45:2222 to be redirected to 127.0.0.1:222 – Patrick Jan 29 at 13:37
Traffic comes from 192.168.1.0/24 subnet to 192.168.2.2:2222 and should be translated to service on 127.0.0.1:2222. I'm corrected address scheme. – SimWhite Jan 29 at 14:27
You want a rule that allows traffic to port 2222 on the loopback interface from subnet 192.168.1.0/24? That isn't just a single rule type of setup. See here: debuntu.org/… – slm♦ Jan 29 at 14:35
Yes. As I understand I need to add masq rule? IP forwarding is already enabled of course. – SimWhite Jan 29 at 14:47
Why not run it on a "real" IP, and filter out traffic comming from unwanted sources? That is what firewalls are for, essentially... – vonbrand Feb 3 at 1:04
The iptables rule you are using will work, but there is one additional change you need to make:
sysctl -w net.ipv4.conf.eth0.route_localnet=1
(replacing eth0 with the nic 192.168.2.2 resides on)
By default this value is 0, which instructs the kernel to not route external traffic destined to 127.0.0.0/8. This is just for security as such traffic is not normal.
This info is surprisingly hard to find. – Warren T. May 16 at 4:06
You can redirect to localhost but not to loopback (127.0.0.0/8). Loopback is a loophole. You have to redirect to one of your real interfaces. Try using REDIRECT.
iptables -t nat -A PREROUTING ..... -j REDIRECT --to-port 222