diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index 4549d07cdf2..cad9bcefa2c 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -399,6 +399,20 @@ func NewProxyServer(config *componentconfig.KubeProxyConfiguration, cleanupAndEx
 proxyMode := getProxyMode(string(config.Mode), iptInterface, iptables.LinuxKernelCompatTester{})
 if proxyMode == proxyModeIPTables {
 glog.V(0).Info("Using iptables Proxier.")
+ var nodeIP net.IP
+ if config.BindAddress == "0.0.0.0" || config.BindAddress == "" {
+ nodeIP = getNodeIP(client, hostname)
+ } else {
+ nodeIP = net.ParseIP(config.BindAddress)
+ if nodeIP == nil {
+ return nil, fmt.Errorf("bind-address %s must be valid ip", config.BindAddress)
+ }
+ if local, err := isLocalIP(nodeIP.String()); err != nil {
+ return nil, fmt.Errorf("can't determine if IP is local, assuming not: %v", err)
+ } else if !local {
+ return nil, fmt.Errorf("bind-address %s must be local ip", config.BindAddress)
+ }
+ }
 if config.IPTables.MasqueradeBit == nil {
 // MasqueradeBit must be specified or defaulted.
 return nil, fmt.Errorf("unable to read IPTables MasqueradeBit from config")
@@ -415,7 +429,7 @@ func NewProxyServer(config *componentconfig.KubeProxyConfiguration, cleanupAndEx
 int(*config.IPTables.MasqueradeBit),
 config.ClusterCIDR,
 hostname,
- getNodeIP(client, hostname),
+ nodeIP,
 recorder,
 healthzServer,
 )
@@ -699,3 +713,20 @@ func getNodeIP(client clientset.Interface, hostname string) net.IP {
 }
 return nodeIP
 }
+
+func isLocalIP(ip string) (bool, error) {
+ addrs, err := net.InterfaceAddrs()
+ if err != nil {
+ return false, err
+ }
+ for i := range addrs {
+ intf, _, err := net.ParseCIDR(addrs[i].String())
+ if err != nil {
+ return false, err
+ }
+ if net.ParseIP(ip).Equal(intf) {
+ return true, nil
+ }
+ }
+ return false, nil
+}
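Review bot: The wildcard test `config.BindAddress == "0.0.0.0" || config.BindAddress == ""` is a string comparison, so any other spelling of an unspecified address (for example `::`) reaches the `else` branch and is rejected by `isLocalIP` with "must be local ip" instead of falling back to `getNodeIP`. Parsing once and branching on `nodeIP.IsUnspecified()` would cover both address families. The second error string, "can't determine if IP is local, assuming not", reads like a log line although the code returns rather than assumes; `fmt.Errorf("checking whether bind-address %s is local: %v", config.BindAddress, err)` would also name the input that failed. The locality check runs only at this point in construction, so an address later removed from the host would not be noticed by this code (inferred; the rest of `NewProxyServer` lies outside the hunk).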
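Review bot: In the new `isLocalIP`, one interface address that `net.ParseCIDR` cannot parse aborts the whole lookup with an error, and the caller turns that into a refusal to start. `net.InterfaceAddrs` returns `net.Addr` values, and their `String()` form is only CIDR when the concrete type is `*net.IPNet`; a `*net.IPAddr` entry (possible on some platforms) has no mask and would hit that error path. A type switch on the concrete address type avoids the string round-trip and lets unknown kinds be skipped. The function also re-parses `ip` on every loop iteration and has no doc comment; parse it once before the loop and add a one-line comment stating that it reports whether the IP is assigned to a local interface.

```go
// isLocalIP reports whether ip is assigned to one of this host's interfaces.
func isLocalIP(ip string) (bool, error) {
	want := net.ParseIP(ip)
	if want == nil {
		return false, fmt.Errorf("invalid IP %q", ip)
	}
	// … unchanged: net.InterfaceAddrs() call and its error check …
	for _, addr := range addrs {
		var have net.IP
		switch a := addr.(type) {
		case *net.IPNet:
			have = a.IP
		case *net.IPAddr:
			have = a.IP
		default:
			// Not an IP-bearing address; skip it rather than fail the whole check.
			continue
		}
		if have.Equal(want) {
			return true, nil
		}
	}
	return false, nil
}
```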