I'd like to do an iptables REDIRECT rule in the NAT PREROUTING chain, to redirect connections to port 80 to go to 8080. But I'd like to only do it for input packets (destined for this machine), not forwarded packets (destined for e.g. the Internet).
Is there a way, in rules in the PREROUTING chain, to distinguish packets that are destined for this machine, versus packets that are being forwarded, and handle them differently?
It would be ideal to do this in a way that doesn't require specific interfaces or IP addresses to be enumerated in the rules, because this is less flexible (e.g. if interfaces or IP addresses change, it's more complicated to then need to update iptables rules).
I think you're doomed to having to manually list all your "local" IP addresses. Based on my reading of this netfilter packet flow diagram, there's no differentiation of input/forward packets until after all the PREROUTING chains -- which makes sense, because the chain is, after all, called PREROUTING...
I just came across the addrtype module, which seems to be able to differentiate incoming packets depending on whether the destination address is a local address or not. So this can be used to distinguish between input and forward packets. E.g. something like:
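An added example of using the addrtype match this way (not the poster's own snippet): an idempotent script that redirects TCP/80 to 8080 only for packets whose destination address is local to the host. The port numbers and the APPLY switch are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original thread): redirect inbound TCP/80 to
# 8080 only when the destination address belongs to this host, using the
# addrtype match. FROM_PORT, TO_PORT and APPLY are assumptions of this script.
set -eu

FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-8080}"
APPLY="${APPLY:-0}"   # 0 = print the iptables commands, 1 = actually apply them

# Match and target for the rule, kept in one place so add/check/delete agree.
# --dst-type LOCAL matches any address configured on this host, so no interface
# or address has to be listed; forwarded packets (non-local dst) fall through.
redirect_rule_spec() {
    printf '%s' "-p tcp --dport $1 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports $2"
}

# Run iptables when APPLY=1, otherwise just show the command.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Append the rule only if an identical one is not already present (-C), so
# re-running the script never stacks duplicate entries in the nat table.
ensure_redirect() {
    spec=$(redirect_rule_spec "$1" "$2")
    # shellcheck disable=SC2086  # word-splitting of $spec is intended
    if [ "$APPLY" = 1 ] && iptables -t nat -C PREROUTING $spec 2>/dev/null; then
        echo "rule already present"
        return 0
    fi
    ipt -t nat -A PREROUTING $spec
}

ensure_redirect "$FROM_PORT" "$TO_PORT"

# With packet counters (-v) this is the quickest way to confirm the rule is
# actually matching traffic after it has been applied.
if [ "$APPLY" = 1 ]; then
    iptables -t nat -L PREROUTING -n -v --line-numbers
fi
```

PREROUTING only sees packets arriving on an interface; connections this host makes to its own address go through the nat OUTPUT chain instead, so that case needs a separate rule there if it matters.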