[Chilli] iptables rules for transparent proxy
John Lee
john.cylee at gmail.com
Thu Nov 10 19:51:34 UTC 2011
Dear all,
I was hoping to post this to http://coova.org/node/2917
but failed to register on the forum, so here it goes:
# Mark client HTTP traffic so it can still be recognised after the REDIRECT below.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
# Redirect port-80 traffic that is not addressed to the router's own LAN IP
# to the local proxy on port 8081 ($(uci get network.lan.ipaddr) reads that IP).
iptables -t nat -I prerouting_lan \! -d $(uci get network.lan.ipaddr) \
    -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
# Only let marked (i.e. redirected) connections reach the proxy port.
iptables -I input_chilli -p tcp -m tcp --dport 8081 -m mark --mark 0x1 -j ACCEPT
Some notes:
- This works with OpenWrt, but could easily be modified to suit other needs.
- My proxy listens on port 8081.
- This differs from HS_POSTAUTH_PROXYPORT because 1) I want to use the
proxy before & after auth, because I want to save the upload bandwidth
of the server coova redirected to, and 2) I don't want to open the proxy
port to the user, because they could simply use it to bypass the captive
portal. The post I refer to (http://coova.org/node/2917) suggests doing
it on the WAN, which can also work as long as we use the updated WAN IP
every time.
- Some scripts in the original post don't work anymore because DROP
can't be used in the NAT table now.
Regards,
John
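As an added example (not part of John's post, and not CoovaChilli's or OpenWrt's own code), the following script installs the same three rules in a form that can be re-run safely, e.g. from /etc/firewall.user: each rule is checked with `iptables -C` before it is inserted, the LAN IP, proxy port and mark value are parameterised, and DRY_RUN=1 prints the commands instead of executing them. It assumes the chains prerouting_lan (nat table) and input_chilli (filter table) already exist, that the installed iptables supports -C, and, when `uci` is not available (e.g. when testing off the router), it falls back to the placeholder LAN IP 192.168.1.1. One deliberate difference from the post: all three rules are inserted with -I, where the post appends the mangle rule with -A.

```shell
#!/bin/sh
# Added example, not from the original post or from CoovaChilli/OpenWrt.
# Assumptions (not in the original): chains prerouting_lan (nat) and
# input_chilli (filter) exist; iptables supports -C; LAN_IP, PROXY_PORT and
# MARK may be overridden from the environment; 192.168.1.1 is only a
# placeholder used when `uci` is unavailable.

LAN_IP="${LAN_IP:-$(uci -q get network.lan.ipaddr 2>/dev/null || echo 192.168.1.1)}"
PROXY_PORT="${PROXY_PORT:-8081}"
MARK="${MARK:-0x1}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# One rule per line: <table> <chain> <match/target arguments>.
# The same list drives both the dry run and the real insertion.
rule_specs() {
    cat <<EOF
mangle PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark $MARK
nat prerouting_lan ! -d $LAN_IP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
filter input_chilli -p tcp -m tcp --dport $PROXY_PORT -m mark --mark $MARK -j ACCEPT
EOF
}

# Insert one rule unless an identical rule is already present (-C), so the
# script can be re-run without stacking duplicate rules in the chains.
apply_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables -t %s -I %s %s\n' "$table" "$chain" "$*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -I "$chain" "$@"
}

apply_all() {
    rule_specs | while read -r table chain args; do
        # $args is intentionally unquoted so it splits into iptables arguments.
        apply_rule "$table" "$chain" $args
    done
}

# Why the mark check keeps the proxy port closed: a client that connects
# straight to $LAN_IP:$PROXY_PORT never matched the --dport 80 MARK rule, so
# its packets carry no mark and fall through input_chilli's default handling;
# a port-80 connection that was REDIRECTed keeps the mark (nat rewrites the
# destination, not the mark) and is accepted.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run it as `sh chilli-proxy-rules.sh apply` on the router; run `DRY_RUN=1 sh chilli-proxy-rules.sh apply` anywhere to see the exact iptables commands it would issue.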