Redirect ALL HTTP/HTTPS requests to captive portal

Hello again!

I'm trying to redirect all users on my network onto one captive portal by using iptables like this:

iptables -t nat -A PREROUTING -d 192.168.1.1 -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.1.114 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.114:80

This should redirect every HTTP address to 192.168.1.114, except for:

  • 192.168.1.1 (router gateway)
  • 192.168.1.114 (surfing to the portal doesn't need redirection to itself)

Now, when I try to access a random HTTP website, it simply just times out.
YES, I have tried to access 192.168.1.114 (the captive portal/server) from another device (which works)
YES, I have tried to access 192.168.1.1 from another device (which also works)

The server is accessible; my guess is that it's something about the 3rd iptables rule, but I just can't figure it out.

I have also tried port 443 for HTTPS, but no success either. They all time out as well.

Thanks in advance for helping me out!

Edit: I've come to the conclusion that perhaps when the server replies, the router shits itself because it doesn't know where the original packet came from after it was rerouted?

Have you tried wiresharking from the client?


To see if I get any data from the server you mean? No not yet, let me try.

Nope, no data at all.
Just like I said, it simply times out.

Well nevermind, I actually found the solution.

I was supposed to add iptables -t nat -A POSTROUTING -j MASQUERADE to the end of the rules list.

Can someone explain to me why though?

I've read that "It is an algorithm dependent on the iptables implementation that allows one to route traffic without disrupting the original traffic."

So what does Masquerade do in this context? Why was this the solution to my problem?
Thanks again!
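As an added illustration (not code from this thread), here is a small Python model of why the MASQUERADE rule matters: the portal is on the same subnet as the client, so without source NAT its reply goes straight to the client from 192.168.1.114 instead of back through the router, and the client has no connection open to that address. The client address 192.168.1.50 and the public address 203.0.113.10 are constructed; only addresses are tracked, ports are omitted.

```python
# Constructed model of the path a client's HTTP request takes through the router's
# nat table, with and without the POSTROUTING MASQUERADE rule. Addresses only, no ports.
ROUTER = "192.168.1.1"        # gateway, from the thread
PORTAL = "192.168.1.114"      # captive portal host, from the thread
CLIENT = "192.168.1.50"       # assumed LAN client (constructed)
WEBSITE = "203.0.113.10"      # constructed public address the client is trying to reach

def router_nat(pkt, masquerade, conntrack):
    """PREROUTING: ACCEPT traffic to router/portal, DNAT everything else to the portal.
    POSTROUTING: optionally MASQUERADE (rewrite the source to the router's own address)."""
    src, dst = pkt
    if dst in (ROUTER, PORTAL):
        return pkt                                  # the two ACCEPT rules: no translation
    new_src = ROUTER if masquerade else src
    conntrack[(new_src, PORTAL)] = (src, dst)       # conntrack entry used to undo NAT on replies
    return (new_src, PORTAL)

def portal_reply(pkt):
    """The portal answers whatever source address the packet carried."""
    src, dst = pkt
    return (dst, src)

def deliver_reply(reply, conntrack):
    """Hosts on one subnet talk directly; the router only sees traffic addressed to it.
    When it does see the reply, it reverses both translations from the conntrack entry."""
    src, dst = reply
    if dst != ROUTER:
        return reply                                # goes straight to the client, untouched
    orig_src, orig_dst = conntrack[(dst, src)]
    return (orig_dst, orig_src)

def client_gets_response(masquerade):
    """True if the client's TCP stack sees a reply from the address it connected to."""
    conntrack = {}
    request = (CLIENT, WEBSITE)
    to_portal = router_nat(request, masquerade, conntrack)
    reply = deliver_reply(portal_reply(to_portal), conntrack)
    # A reply from any address other than WEBSITE matches no open connection and is
    # discarded, which the client experiences as a timeout.
    return reply == (WEBSITE, CLIENT)

if __name__ == "__main__":
    print("without MASQUERADE:", client_gets_response(False))  # False: reply comes from 192.168.1.114
    print("with MASQUERADE:   ", client_gets_response(True))   # True: router un-NATs the reply
```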
