I am trying to implement Hairpinning (aka NAT Loopback) for a router using iptables.
Specifically, I want to match packets coming from the internal network destined for the router's own IP address in the PREROUTING chain, and apply DNAT to them, similar to:
iptables -t nat -A PREROUTING -i ens192 -d <self> -p tcp --dport 80 -j DNAT --to-destination 192.168.42.42
Usually, you would replace <self> with the router's own IP address. However, I can't / don't want to do that, for two reasons:
- The router's public IP address is not static, it is acquired through DHCP and can change any time.
- I don't want to hardcode the IP address because this is a potential error source when changing the configuration later (and forgetting to update the iptables rule accordingly).
Is there another way to check if the packet has the local machine as its destination in the PREROUTING chain, without using static addresses?
0 Answers
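The following is an added example, not part of the original question and not an answer that was posted to it. It shows one way to write the hairpin DNAT without naming the router's public address: the `addrtype` match with `--dst-type LOCAL` matches any address currently configured on the host, so the rule keeps working after a DHCP lease change. The interface name ens192, the server 192.168.42.42 and port 80 are taken from the question; the LAN subnet 192.168.42.0/24, the chain name HAIRPIN and the `DRY_RUN` switch are assumptions of this example. The fragile hard-coded variant is kept alongside for comparison.

```shell
#!/bin/sh
# NAT loopback (hairpin) rules without a hard-coded public address.
# Added example, not from the original post. Assumed values:
#   LAN_IF  - internal interface (ens192 in the question)
#   LAN_NET - internal subnet (constructed value, adjust to your network)
#   SERVER  - internal host that receives the forwarded port
#   PORT    - forwarded TCP port
# DRY_RUN=1 (the default) prints the rules; run with "apply" to install them.

LAN_IF="${LAN_IF:-ens192}"
LAN_NET="${LAN_NET:-192.168.42.0/24}"
SERVER="${SERVER:-192.168.42.42}"
PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the iptables command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Fragile variant from the question: the public address is written into the
# rule and silently stops matching once DHCP hands out a different lease.
hairpin_rules_static() {
    pub="$1"
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$pub" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
}

# Address-independent variant: "-m addrtype --dst-type LOCAL" is true for any
# address configured on this host, whichever interface holds it.
hairpin_rules_local() {
    # Packets from the LAN addressed to one of our own addresses go through
    # a dedicated HAIRPIN chain (assumed name).
    ipt -t nat -N HAIRPIN
    ipt -t nat -A PREROUTING -i "$LAN_IF" -m addrtype --dst-type LOCAL -j HAIRPIN
    # LOCAL also covers the router's LAN-side address. "--limit-iface-in"
    # restricts the check to the interface the packet arrived on, so this
    # rule catches traffic for the LAN address itself and leaves it alone;
    # only traffic for addresses on other interfaces (the DHCP WAN address)
    # reaches the DNAT rule below.
    ipt -t nat -A HAIRPIN -m addrtype --dst-type LOCAL --limit-iface-in -j RETURN
    ipt -t nat -A HAIRPIN -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
    # Reply path: without this the server answers the LAN client directly
    # with its own source address, which the client never connected to, so
    # the reply is discarded. Masquerade only LAN->server flows that were
    # DNATed (conntrack's virtual DNAT state), not every LAN->server packet.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate DNAT -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
hairpin_rules_local
```

Two caveats that follow from the rules themselves: the `--limit-iface-in` skip is what prevents a LAN client talking to the router's own LAN address on port 80 from being redirected to the internal server, so keep it if the router serves anything on that port; and the masquerade in POSTROUTING means hairpinned connections arrive at the internal server with the router's address as source, so the server's logs will not show the real LAN client for those connections. The counters from `iptables -t nat -L HAIRPIN -v -n` show whether the DNAT rule is actually being hit after a lease change.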