
What is an iptables set of rules that will force hosts connected to an access point that try to access any website (port 80 of any IP or hostname) to be redirected to another device on the network (which is actually separate)?

For example, the second server (hosting the web server) is connected via ethernet, and has an IP of 192.168.1.99/24 (eth0).

The primary server hosts a wireless hotspot (from adapter wlan0ap), and has an IP of 192.168.12.1/24. I want to make it so that any wifi users of the hotspot (in the 192.168.12.0/24 network) that try to access 192.168.12.1:80 or 192.168.12.4:80 or google.com:80 will be forcefully redirected to 192.168.1.99:80.

Currently, I have tried these rules in combination with enabling the net.ipv4.ip_forward=1 setting in sysctl:

sudo iptables -A POSTROUTING -t nat -o wlan0ap -j MASQUERADE
sudo iptables -t mangle -N internet
sudo iptables -t mangle -A PREROUTING -i wlan0ap -p tcp -m tcp --dport 80 -j internet
sudo iptables -t mangle -A PREROUTING -i wlan0ap -p tcp -m tcp --dport 443 -j internet
sudo iptables -t mangle -A internet -j MARK --set-mark 99
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination 192.168.1.98

2 Answers


The following rules should work (not tested):

iptables -t nat -A PREROUTING -i wlan0ap -p tcp --dport 80 -j DNAT --to-destination 192.168.1.99:80
iptables -t nat -A PREROUTING -i wlan0ap -p tcp --dport 443 -j DNAT --to-destination 192.168.1.99:80
iptables -t nat -A POSTROUTING -j MASQUERADE

You can use the multiport option. To redirect all traffic on ports 80 and 443 you can use:

iptables -t nat -A PREROUTING -i wlan0ap -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.99:80

If a user has logged in through the portal,

iptables -t nat -I PREROUTING -i wlan0ap -s ip_user -p tcp -j ACCEPT   # inserted (-I) so it is matched before the DNAT rule

Or replace -s ip_user with -m mac --mac-source MAC
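As an added example (not code from the question or from either answer), here is a small POSIX shell helper that prints the complete nat rule set so it can be reviewed before being applied with `portal_rules | sudo sh`. The interfaces and addresses are those from the question; the chain name `portal` and the whitelist-by-MAC arguments are assumptions of this example. It keeps the whitelist rules ahead of the DNAT, redirects only port 80 (DNATing 443 to a port-80 listener hands the client a non-TLS reply rather than a portal page), and masquerades only what leaves on the wired side so replies from 192.168.1.99 come back through this host.

```shell
#!/bin/sh
# Added example: emit the nat rules as text for review, then apply with
# "portal_rules | sudo sh". Values below come from the question except the
# chain name, which is an assumption of this example.
WLAN="wlan0ap"              # hotspot interface clients connect to
LAN_OUT="eth0"              # wired interface towards the web server
PORTAL="192.168.1.99:80"    # web server that receives redirected clients
CHAIN="portal"              # dedicated nat chain (assumed name)

# Print the rule set. Each argument is a MAC address of a logged-in client;
# those RETURN rules are emitted before the DNAT so they are matched first.
portal_rules() {
    # Create the chain, or flush it if it already exists (re-runnable).
    echo "iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN"
    # Remove any earlier jump before adding it, so only one copy exists.
    echo "iptables -t nat -D PREROUTING -i $WLAN -p tcp --dport 80 -j $CHAIN 2>/dev/null"
    echo "iptables -t nat -A PREROUTING -i $WLAN -p tcp --dport 80 -j $CHAIN"
    # Whitelisted clients leave the chain without being rewritten.
    for mac in "$@"; do
        echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -j RETURN"
    done
    # Everyone else: rewrite the destination to the portal web server.
    echo "iptables -t nat -A $CHAIN -j DNAT --to-destination $PORTAL"
    # Masquerade only towards the wired segment, not all forwarded traffic,
    # so 192.168.1.99 answers to this host and needs no route to 192.168.12.0/24.
    echo "iptables -t nat -D POSTROUTING -o $LAN_OUT -j MASQUERADE 2>/dev/null"
    echo "iptables -t nat -A POSTROUTING -o $LAN_OUT -j MASQUERADE"
}
```

Run `portal_rules 00:11:22:33:44:55` (a constructed MAC) to see the rules with one whitelisted client; re-running the generated script is safe because the chain is flushed and the jump re-created each time.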
