June 14th, 2007

Prerouting and localhost

I just learned this:

Of course. Locally generated packets don’t go into the PREROUTING chain.

(from this post)

My thought about this is: you should all burn in hell. You, who decided this rule, in the deepest, fieriest of hells, eaten by the cruellest devils, half of your body in black ice and half in an even blacker flame.

If locally generated packets don’t go through PREROUTING, DNAT to localhost is always *half* performed (when the packet enters, it is DNATted in PREROUTING, but when it exits it no longer passes through PREROUTING and DNAT can do nothing).

So. WTF, someone decided locally generated packets don’t go through PREROUTING?!?!

Posted by mattia as dnat, iptables at 5:25 PM CEST
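
Because locally generated packets skip nat PREROUTING, a DNAT rule placed only there never matches connections opened from the box itself; those traverse the nat OUTPUT chain instead. The audit script below is an added example, not code from the original post: it reads `iptables-save -t nat` text and reports PREROUTING DNAT rules that have no OUTPUT counterpart. The ruleset, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find DNAT rules that only cover packets arriving from the
# network (nat PREROUTING) and have no twin in nat OUTPUT, the chain that
# locally generated packets traverse instead.

# Reads `iptables-save -t nat` text on stdin; prints each PREROUTING DNAT
# rule spec that has no OUTPUT rule with the same matches and target.
missing_output_dnat() {
    awk '
        $1 == "-A" && /-j DNAT/ {
            chain = $2
            spec = $0
            sub(/^-A [^ ]+ /, "", spec)    # drop "-A <chain> "
            gsub(/-i [^ ]+ /, "", spec)    # -i cannot be used in OUTPUT
            if (chain == "PREROUTING") pre[++n] = spec
            else if (chain == "OUTPUT") out[spec] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(pre[i] in out)) print pre[i]
        }'
}

# Turns each missing spec into the OUTPUT rule to add (printed, not applied).
suggest_output_rules() {
    missing_output_dnat | while IFS= read -r spec; do
        printf 'iptables -t nat -A OUTPUT %s\n' "$spec"
    done
}

# Constructed sample ruleset (documentation addresses, not from the post).
# Port 8080 is DNATted for network clients only; 8443 is covered on both paths.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.10:80
-A PREROUTING -d 192.0.2.1/32 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.0.2.10:443
-A OUTPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.0.2.10:443
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | suggest_output_rules
```

On a live host, feed it `iptables-save -t nat` as root; keep a destination match (`-d`) on any OUTPUT rule you add so it does not rewrite unrelated outbound connections to the same port.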
