Either create a redirect matching all the mac addresses to send to proxy, or you'll have to create a chain where you'll exclude the non matching macs and capture the rest.
I am starting to get confused on how I can do this the more I look into this...
I prefer doing this with mac addresses, but I can't find a way online to make openwrt exclude multiple mac addresses
I don't mind doing this with ip addresses, but with ip tables it seems like you can only target the entire subnet.
I am so confused and I don't know where to start. I have so many tabs open rn
Edit: so, I took a step back and gave this another try, and I got it to work by just reading the link I provided above.
I am just not able to think when I feel overwhelmed and stuff, but I got it working now thankfully. Sorry for not getting it right away and asking for more help when the answer was right in front of my eyes.
(note to clarify: I would had preferred to use mac addresses, but ip addresses are fine)
iptables -t nat -A prerouting_lan_rule -p tcp --syn -m addrtype ! --dst-type LOCAL,BROADCAST -j test
iptables -t nat -N test
iptables -t nat -A test src_mac 00:11:22... ACCEPT
iptables -t nat -A test src_mac 00:AA:BB... ACCEPT
iptables -t nat -A test src_mac 00:BB:CC... ACCEPT
iptables -t nat -A test -j REDIRECT to port 9040
My syntax is not all correct, you'll need to verify it before deploying it.
I don't know if I need to install an iptables mod or which mod, or if I am supposed to replace src_mac with something else. I also don't know why would putting accept at the end prevent devices from going through the proxy
iptables -t nat -A PREROUTING -p tcp --syn -m addrtype --dst-type LOCAL,BROADCAST -j ACCEPT
iptables -t nat -N wdevs
iptables -t nat -A PREROUTING -m mac --mac-source 2c:f6:e8:f3:b6:ee -j ACCEPT
iptables -t nat -A PREROUTING -m mac --mac-source c4:cb:eb:29:32:c6 -j ACCEPT
iptables -t nat -A PREROUTING -m mac --mac-source e0:a5:d3:d4:37:9b -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 9040
I made this much progress but it doesn't seem to be working. All my traffic is going through tor now which is good, but the mac addresses are not being excluded. (also, "-a test" is invalid as you probably know, I wish it was valid but oh well). I wanted to try drop or reject just as a test to see if these commands are making an effect at all, but it was not compatible with the -t nat option. I guess I would have to try something different if I wanted to test it (if I need to)
I tried to remove -t nat from the lines that include the mac addresses, it made no effect
I also removed the exclamation point after addrtype, this was not letting me access luci.
I'll look at this again later or when I get a response
Note: These are not my mac addresses
Edit: I changed input to prerouting and it worked! let's go! My first two edits probably need to be deleted though, I don't mind that much if they aren't removed
Restore the default firewall tcp_in rule and remove everything else you've done so far.
Create a file named maclist in the /root directory and insert the mac addresses of the devices you want to exclude from the redirection rule (one mac address per line)
11:22:33:44:55:66
AA:BB:CC:DD:EE:FF
Insert the following into /etc/firewall.user
maclist="/root/maclist"
while IFS= read -r macaddress
do
iptables -t nat -A prerouting_rule -m mac --mac-source "$macaddress" -p tcp --dport 9040 -j ACCEPT
done < "$maclist"
Restart the firewall.
Check if the rules are created running iptables -t nat -nvL prerouting_rule
If the rules are not created after restarting the router:
uci set firewall.@include[0].reload='1'
uci commit firewall
Restore the default firewall tcp_int rule and remove everything else you've done so far.
I am guessing by this you mean to create a tcp_int rule that is just like the tor guide states
What is IFS? I don't understand this line. I am guessing this reads the file line, and.... I forgot the keyword. So basically it runs the same command until there's no more lines in the file
Is there an advantage for using this method instead of the one suggested by Trendy? Which one would you guess takes less power? Power usage is important for me since this is meant for a travel router that will rely on a powerbank.
The script is not working. I am not connected to tor on any of my devices now. All the outputs are below
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
maclist="/root/maclist"
while IFS= read -r macaddress
do
iptables -t nat -A prerouting_rule -m mac --mac-source "$macaddress" -p tcp --dport 9040 -j ACCEPT
done < "$maclist"
currently all devices are using tor [update]. See reply that was not sent since I lost connection while troubleshooting
I got tor to work by running this again and then restarted tor and the firewall
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn -m addrtype ! --dst-type LOCAL,BROADCAST"
uci set firewall.tcp_int.target="DNAT"
# Disable LAN to WAN forwarding
uci -q delete firewall.@forwarding[0]
uci commit firewall
# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart
But now the device that's supposed to not be using tor is using tor. It's an android device. I'll try to figure out why this is happening, but I am 90% pretty sure the mac address is correct
I think you understand what I am trying to do but something must had gone wrong.
