I have followed this tutorial to create an Access Point that redirects all http requests to my local served web page.

However https requests, due to certificate errors, do not get my page and instead act like they are loading for eternity.

I would like to create a kind of walled garden that allows https requests to access the internet but redirects http requests to my page since users are bound to click an http link after a while.

I am using a Raspberry Pi running Raspbian Lite, which is basically the same as Debian. Apache2 serves the web page, dnsmasq handles DHCP, and hostapd creates the access point.

/etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=FreeWiFi
channel=6

/etc/dnsmasq.conf

log-facility=/var/log/dnsmasq.log
address=/#/10.0.0.1
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
no-resolv
log-queries

/etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet dhcp

iface wlan0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    # broadcast for 10.0.0.0/24 is 10.0.0.255 (255.0.0.0 is a netmask, not a broadcast address)
    broadcast 10.0.0.255
    pre-up iptables-restore < /etc/iptables.rules

IP Tables Rules Created

sudo iptables -F
sudo iptables -i wlan0 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p udp --dport 67:68 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -j DROP
sudo sh -c "iptables-save > /etc/iptables.rules"

I am assuming I need to add another rule for port 443 to allow https requests. I am not sure how I should finish setting up dnsmasq and how to forward the traffic to my hardware connection eth0.

EDIT: Looking around, it seems I might not need to change anything in dnsmasq but just need to use some iptables rules to reroute https traffic to eth0? I do not know how to do that specifically for https requests though.

sudo iptables -nvL

Chain INPUT (policy ACCEPT 491 packets, 45444 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24                  tcp multiport dports 80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24                  tcp multiport dports 80

Chain OUTPUT (policy ACCEPT 413 packets, 52820 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0                    tcp dpt:443
    0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0                    tcp dpt:443

sudo iptables-save

# Generated by iptables-save v1.4.21 on Tue Mar  7 22:56:30 2017
*nat
:PREROUTING ACCEPT [1781:191954]
:INPUT ACCEPT [704:143612]
:OUTPUT ACCEPT [204:15231]
:POSTROUTING ACCEPT [219:16055]
-A PREROUTING -i wlan0 -p tcp -m tcp -m multiport --dports 80 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i wlan0 -p tcp -m tcp -m multiport --dports 80 -j DNAT --to-destination 10.0.0.1
COMMIT
# Completed on Tue Mar  7 22:56:30 2017
# Generated by iptables-save v1.4.21 on Tue Mar  7 22:56:30 2017
*filter
:INPUT ACCEPT [389:44149]
:FORWARD ACCEPT [84:3648]
:OUTPUT ACCEPT [376:86142]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar  7 22:56:30 2017
  • "https requests, due to certificate errors, do not get my page and instead act like they are loading for eternity" – that's just firewall configuration; if it actually was a certificate error you'd be getting a Big Red Error Message from the browser. Commented Mar 8, 2017 at 14:03
  • @grawity OK, that makes sense... I'm having trouble getting the correct firewall config to enable it to pass through though.
    – NULL
    Commented Mar 8, 2017 at 14:10

1 Answer

# Pi's own outbound HTTPS; replies are matched as ESTABLISHED by the next rule
iptables -A OUTPUT -o wlan0 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 192.168.2.2 is the address that unencrypted (port 80) web traffic is sent to
iptables -A FORWARD -d 192.168.2.2/32 -p tcp -m tcp -m multiport --dports 80 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp -m multiport --dports 80 -j DNAT --to-destination 192.168.2.2

The first rule accepts encrypted traffic, and will be considered established on the return traffic.

  • This looks like it will work!! But for the ip address do I use 10.0.0.1 which is the ip address I set in /etc/network/interfaces? So like for the second line 10.0.0.1/24 and for the third line 10.0.0.1?
    – NULL
    Commented Mar 7, 2017 at 19:09
  • When I ran the commands with 10.0.0.1/24 and 10.0.0.1 for the IP address, the first 2 commands gave no errors but the last command said "You must specify '--match-set' with proper arguments".
    – NULL
    Commented Mar 7, 2017 at 19:23
  • Sorry, I made a copy-and-paste error. Fixed. I took out the -m set. The IP address is where non-encrypted web traffic goes.
    – cybernard
    Commented Mar 7, 2017 at 19:29
  • Got that error out of the way, but now it says "iptables: No chain/target/match by that name". Should I add -t nat to the last command? I read that somewhere but I don't know if it applies.
    – NULL
    Commented Mar 7, 2017 at 19:36
  • OK, I had the wrong interface on the 3rd line. Which line says "No chain/target/match"?
    – cybernard
    Commented Mar 7, 2017 at 19:39
