Firewall rule to redirect all HTTP requests to a specific page

Hello,

I'm running OpenWrt 18.06.4.

I already have Tinyproxy (1.8.3-2) configured on my router to block certain websites. What I'd like to do is have a firewall rule I could enable / disable that would redirect ALL HTTP(S) requests to a specific web page, based on MAC address(es). Is this possible with OpenWrt / Tinyproxy? I would assume so. Hoping I don't necessarily need other software installations on my router (?).

Thanks for your time.
Pat

Looks like what you need is a "captive portal", perhaps?

Wouldn't this be possible with the right iptables rules?
Or would you need a separate rule for every MAC address?

Well, I already have an iptables rule that blocks by rejecting any forward based on MAC address; however, there is no option in action to 'redirect to URL' instead of dropping or rejecting the request:

Redirecting to a URL is not possible to my knowledge. The only thing that would be possible is to redirect to an IP address with a port.

2 Likes

That would work! Just need to redirect to my personal http server on port 80 and have it deal with the request. But how do I tell it to redirect to an IP address/port ??

I do also want to look into these "captive portals" from eduperez's suggestion....

firewall rules (iptables) only work on IP (or MAC). So you can not redir to a "specific web page". Exception is the root-page, which can be reached via http(s) using IP as URL.
https-redir will create some special problem, anyway, because of wrong cert.
"Captive Portal" is the best choice for your purpose.

2 Likes

I can take a look at which rules you would need and how to configure them (preferably in the luci interface). But you will need to wait until the end of the day, as I'm currently not at home.

With the Captive Portal @eduperez can probably help you better than I.

1 Like

That would be great !!! Million thanks! I'll still also try to dig into this Captive Portal software for OpenWrt....

Look for "transparent proxy" info, it's basically the same rule you need.

3 Likes

I've taken a look at some rules and came up with these:

iptables -t nat -A PREROUTING -m mac --mac-source 01:23:45:67:89:AB -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80

This one makes sure that you can still access your OpenWrt web interface. (I locked myself out multiple times)

iptables -t nat -A PREROUTING -m mac --mac-source 01:23:45:67:89:AB -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443

This one routes all the https traffic to a specified IP.

iptables -t nat -A PREROUTING -m mac --mac-source 01:23:45:67:89:AB -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80

This one routes all http traffic to a specified IP.

You have to change the MAC addresses and the destination IP to fit your environment. I couldn't find something where you can use multiple MAC addresses in one rule, so you will need to copy and change the rule for every MAC address you want it to apply to.

Hope this answers your original question.

To apply these via the LuCI interface, head to Firewall in the Network tab and add them in the Custom Rules tab.
After adding them you will need to restart the firewall. Do so by heading into Firewall in the Status tab and clicking "Restart Firewall" in the top right.
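
The per-MAC copying described in the post above can be scripted. This is an added example, not code from the thread: a POSIX shell function that prints the same three PREROUTING rules for each MAC in a list, for review before pasting into Custom Rules. The function names, the second MAC and the IP variables are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample values; change them to fit your network.
ROUTER_IP="192.168.1.1"
PORTAL_IP="192.168.1.10"
MACS="01:23:45:67:89:AB 01:23:45:67:89:AC"

# Accept only six colon-separated hex octets. The generated lines are
# meant to be run as shell commands, so reject anything else (spaces,
# semicolons, newlines) before it reaches the output.
is_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_redirect_rules ROUTER_IP PORTAL_IP MAC...
# Prints the rules only; it does not change the firewall.
# Returns 1 and prints no rules if any MAC is malformed.
gen_redirect_rules() {
    router="$1"; portal="$2"; shift 2
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    for mac in "$@"; do
        base="iptables -t nat -A PREROUTING -m mac --mac-source $mac"
        # Must come first: keeps the router's own web interface reachable.
        echo "$base -d $router -p tcp --dport 80 -j DNAT --to-destination $router:80"
        # HTTPS redirect; clients will see a certificate mismatch.
        echo "$base -p tcp --dport 443 -j DNAT --to-destination $portal:443"
        # Plain HTTP redirect to the local web server.
        echo "$base -p tcp --dport 80 -j DNAT --to-destination $portal:80"
    done
}

# $MACS is left unquoted on purpose so it splits into one argument per MAC.
gen_redirect_rules "$ROUTER_IP" "$PORTAL_IP" $MACS
```

Rule order matters because the first matching PREROUTING rule wins, so the router exemption is always emitted before the general port 80 redirect.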

@Ravenlost Did you have time to test the rules?

Hi @ASFP! I didn't yet get a chance to look into the iptables solution you've provided, no. I've saved your solution. Work has taken over my time, but as soon as I can test / nail down the right solution, I'll be sure to update here 😉 Thanks for your help 🙂

1 Like