always allow loopback access to forwared ports

cloudfoundry-attic · Dec 22, 2017 · ac65b4a · ac65b4a
1 parent 80ddd05
commit ac65b4a
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/jobs/port_forwarding/templates/bin/forward_ports.sh.erb b/jobs/port_forwarding/templates/bin/forward_ports.sh.erb
@@ -22,19 +22,19 @@ fi
 
 iptables -F ${CHAIN} || true
 
-# Reset in case when there is no localhost routing
-sysctl net.ipv4.conf.all.route_localnet=0
+sysctl net.ipv4.conf.all.route_localnet=1
 
 <% p("networking.port_forwarding").each do |rule| %>
 	<%
 		external_ip   = rule['external_ip']   || spec.address
 		external_port = rule['external_port'] || raise("Expected non-empty 'external_port' on '#{rule.inspect}' rule")
 		internal_ip   = rule['internal_ip']   || "127.0.0.1"
 		internal_port = rule['internal_port'] || raise("Expected non-empty 'internal_port' on '#{rule.inspect}' rule")
-	-%>
+	%>
+	# external clients
 	sudo iptables -t nat -A portforwarding-release -p tcp -d <%= external_ip %> --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %>
 
-	<% if internal_ip == "127.0.0.1" %>
-		sysctl net.ipv4.conf.all.route_localnet=1
-	<% end %>
+	# loopback
+	sudo iptables -t nat -A portforwarding-release -p tcp -d 127.0.0.1 --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %> -o lo
+
 <% end %>