PREROUTING distinguish between INPUT and FORWARD packets

iptables

Solution 1:

I think you're doomed to having to manually list all your "local" IP addresses. Based on my reading of this netfilter packet flow diagram, there's no differentiation of input/forward packets until after all the PREROUTING chains -- which makes sense, because the chain is, after all, called PREROUTING...

Solution 2:

I just came across the addrtype module, which seems to be able to differentiate incoming packets depending on whether the destination address is a local address or not. So this can be used to distinguish between input and forward packets.

E.g. something like:

iptables -A PREROUTING -t nat -p tcp --dport 80 -m addrtype --dst-type LOCAL -j REDIRECT --to-port 8080

Related

msdeploy via jenkins & service account: connected but "could not authorize"?
CIFS/SAMBA Mount still attempts before network is ready even with _netdev
Filter LDAP user through PAM so it appears to not exist at all
How to fix time on NTP server with a lot of machines synchronized by it
automake error: Unescaped left brace in regex is deprecated
Forced to change expired password when using ssh key
Local administrator as default choice when in domain
Ansible become_user not picking up path correctly
Nginx status information of virtual hosts
Windows Server 2012 R2 and TCP slow start and Hyper-v hosts
How can I prevent spoofed emails from outside thats using my internal accepted domain
Determine target of NTFS reparse point