[Chilli] iptables rules for transparent proxy

John Lee john.cylee at gmail.com
Thu Nov 10 19:51:34 UTC 2011

Dear all,

I was hoping to post this to http://coova.org/node/2917
but failed to register to the forum, so, here it goes:

iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1

iptables -t nat -I prerouting_lan \! -d $(uci get network.lan.ipaddr)
-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081

iptables -I input_chilli -p tcp -m tcp --dport 8081 -m mark --mark 0x1 -j ACCEPT

Some notes:

- This works with OpenWrt, but could be easily modified to suit other needs.

- My proxy listens at port 8081.

- This differs from HS_POSTAUTH_PROXYPORT because 1) I want to use
proxy before & after auth because I want to save the upload bandwidth
of the server coova redirected to, and 2) I don't want to open proxy
port to the user, because they can simply use it to bypass the captive
portal. The post I refer to (http://coova.org/node/2917) suggest doing
it in WAN, which can also work as long as we use the updated WAN ip
every time.

- Some scripts in the original post don't work anymore because DROP
can't be used in NAT table now.


More information about the Chilli mailing list