Why a loopback-hosted server can't serve external requests

Background

While following the RAG example in promptflow-resource-hub, I wanted to trace my application through a promptflow server hosted on the loopback interface. My local environment is a virtual machine on Azure, so I added an NSG rule to allow requests to port 23333 on the virtual machine and an iptables rule to DNAT TCP requests to port 2333 to localhost:2333, but the trace server was still unreachable from the browser. After some unsuccessful investigation, a Stack Overflow thread gave the answer: enable route_localnet.

Explanations

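Take Linux v6.9.3 as an example. As the following code in function ip_rcv shows, ip_rcv_finish is called after the NF_INET_PRE_ROUTING hook, and it eventually calls ip_route_input_slow, defined in route.c, to make the routing decision. Because the DNAT rule is applied in that hook, the routing code already sees the rewritten loopback destination.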

	return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
		       net, NULL, skb, dev, NULL,
		       ip_rcv_finish);

The following snippet at the beginning of ip_route_input_slow checks whether the destination is a loopback IP address. If it is and route_localnet is turned off, the code skips normal routing and jumps to martian_destination. A "martian" destination is one that is "not on Earth", that is, an invalid or non-existent one.

	/* Following code try to avoid calling IN_DEV_NET_ROUTE_LOCALNET(),
	 * and call it once if daddr or/and saddr are loopback addresses
	 */
	if (ipv4_is_loopback(daddr)) {
		if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net))
			goto martian_destination;
	} else if (ipv4_is_loopback(saddr)) {
		if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net))
			goto martian_source;
	}
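
An added example (not from the original post or the kernel source): a Python audit that finds PREROUTING DNAT rules pointing at 127.0.0.0/8 and predicts, per ingress interface, whether the check above lets the packet through. The sample rules and sysctl values are constructed; it relies on IN_DEV_NET_ROUTE_LOCALNET being true when either conf/all or the ingress interface's route_localnet is set.

```python
import ipaddress
import shlex
from pathlib import Path

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample of `iptables-save -t nat` output (not from the original post).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 23333 -j DNAT --to-destination 127.0.0.1:23333
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -p tcp -m tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9000
COMMIT
"""
# Constructed sample of /proc/sys/net/ipv4/conf/<name>/route_localnet values.
SAMPLE_SYSCTL = {"all": 0, "eth0": 1, "eth1": 0}


def loopback_dnat_rules(rules_text):
    """Yield (in_iface or None, target) for PREROUTING DNAT rules aimed at 127/8.
    Negated (`! -i`) and wildcard (`eth+`) interface matches are not handled."""
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or "--to-destination" not in tok:
            continue
        target = tok[tok.index("--to-destination") + 1]
        host = target.split(":")[0].split("-")[0]  # drop port and address range
        if host and ipaddress.ip_address(host) in LOOPBACK:
            yield (tok[tok.index("-i") + 1] if "-i" in tok else None), target


def audit(rules_text, sysctl):
    """Return (ingress_dev, target, verdict) for every loopback DNAT rule."""
    ifaces = [n for n in sysctl if n not in ("all", "default")]
    findings = []
    for iface, target in loopback_dnat_rules(rules_text):
        # A rule without -i matches packets arriving on any interface.
        for dev in ([iface] if iface else ifaces):
            enabled = bool(sysctl.get("all", 0) or sysctl.get(dev, 0))
            verdict = "routed to loopback" if enabled else "dropped as martian"
            findings.append((dev, target, verdict))
    return findings


def read_live_sysctl(base="/proc/sys/net/ipv4/conf"):
    """Read the real per-interface values on a Linux host."""
    return {p.name: int((p / "route_localnet").read_text()) for p in Path(base).iterdir()}


if __name__ == "__main__":
    for row in audit(SAMPLE_RULES, SAMPLE_SYSCTL):
        print(*row, sep="\t")
```

Rows reported as "routed to loopback" are the interfaces from which a service bound to 127.0.0.1 becomes reachable, so setting route_localnet on one interface rather than on conf/all keeps that exposure limited to where the DNAT rule is intended to apply.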

posted on 2024-06-10 17:48  mainred