[Chilli] iptables rules for transparent proxy

John Lee john.cylee at gmail.com
Thu Nov 10 19:53:12 UTC 2011


On Fri, Nov 11, 2011 at 3:51 AM, John Lee <john.cylee at gmail.com> wrote:
> Dear all,
> I was hoping to post this to http://coova.org/node/2917
> but failed to register to the forum, so, here it goes:
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
> iptables -t nat -I prerouting_lan \! -d $(uci get network.lan.ipaddr) -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
> iptables -I input_chilli -p tcp -m tcp --dport 8081 -m mark --mark 0x1 -j ACCEPT

should be:
iptables -I input_lan -p tcp -m tcp --dport 8081 -m mark --mark 0x1 -j ACCEPT

> Some notes:
> - This works with OpenWrt, but could be easily modified to suit other needs.
> - My proxy listens at port 8081.
> - This differs from HS_POSTAUTH_PROXYPORT because 1) I want to use the
> proxy before & after auth, because I want to save the upload bandwidth
> of the server coova redirects to, and 2) I don't want to open the proxy
> port to the user, because they can simply use it to bypass the captive
> portal. The post I refer to (http://coova.org/node/2917) suggests doing
> it on the WAN, which can also work as long as we use the updated WAN IP
> every time.
> - Some scripts in the original post don't work anymore because DROP
> can't be used in the NAT table now.
> Regards,
> John
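
A model of how the three rules interact, added here as an illustration (it is not code from the post or from CoovaChilli); it assumes a router LAN address of 192.168.1.1 as a stand-in for $(uci get network.lan.ipaddr), treats the chains' defaults as reject, and models only these rules rather than full netfilter traversal. It shows why the mark check matters: a client connecting straight to port 8081 never passes the mangle rule, so it carries no mark and is not accepted, while port 80 traffic is marked, redirected, and then accepted.

```python
# Simplified model of the three hooks the rules above touch (mangle PREROUTING,
# nat prerouting_lan, filter input_lan). Constructed for illustration; the LAN
# address below is an assumption standing in for the router's real address.
from dataclasses import dataclass, replace

ROUTER_LAN_IP = "192.168.1.1"   # stands in for $(uci get network.lan.ipaddr)
PROXY_PORT = 8081               # the local transparent proxy
MARK_WEB = 0x1                  # mark set on client port-80 traffic


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    mark: int = 0


def mangle_prerouting(pkt: Packet) -> Packet:
    """iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x1
    Only packets that arrive with dport 80 get the mark."""
    return replace(pkt, mark=MARK_WEB) if pkt.dport == 80 else pkt


def nat_prerouting(pkt: Packet) -> Packet:
    """iptables -t nat -I prerouting_lan ! -d <lan ip> -p tcp --dport 80 \
         -j REDIRECT --to-ports 8081
    REDIRECT rewrites the destination to the router itself, so the packet is
    delivered locally and continues through the INPUT path. Traffic addressed
    to the router's own LAN address is left alone."""
    if pkt.dst != ROUTER_LAN_IP and pkt.dport == 80:
        return replace(pkt, dst=ROUTER_LAN_IP, dport=PROXY_PORT)
    return pkt


def input_lan(pkt: Packet) -> bool:
    """iptables -I input_lan -p tcp --dport 8081 -m mark --mark 0x1 -j ACCEPT
    Anything else falls through to the chain's default, modelled as reject."""
    return pkt.dport == PROXY_PORT and pkt.mark == MARK_WEB


def reaches_proxy(pkt: Packet) -> bool:
    """Run a LAN-side packet through the hooks in netfilter order and report
    whether it is delivered to the local proxy. A packet whose destination is
    not the router after NAT would be forwarded, not delivered locally."""
    pkt = nat_prerouting(mangle_prerouting(pkt))
    return pkt.dst == ROUTER_LAN_IP and input_lan(pkt)
```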
