
I have followed this tutorial to create an Access Point that redirects all http requests to my local served web page.

However https requests, due to certificate errors, do not get my page and instead act like they are loading for eternity.

I would like to create a kind of walled garden that allows https requests to access the internet but redirects http requests to my page since users are bound to click an http link after a while.

I am using a Raspberry Pi running Raspbian Lite, which is basically the same as Debian. Apache2 serves the web page, dnsmasq handles DHCP, and hostapd creates the access point.

/etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=FreeWiFi
channel=6

/etc/dnsmasq.conf

log-facility=/var/log/dnsmasq.log
address=/#/10.0.0.1
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
no-resolv
log-queries

/etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet dhcp

iface wlan0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    # directed broadcast for 10.0.0.0/24
    broadcast 10.0.0.255
    pre-up iptables-restore < /etc/iptables.rules

IP Tables Rules Created

# flush existing rules
sudo iptables -F
# allow replies to connections the Pi itself started
sudo iptables -A INPUT -i wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services offered to wifi clients: the web page, DNS and DHCP
sudo iptables -A INPUT -i wlan0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i wlan0 -p udp --dport 67:68 -j ACCEPT
# drop everything else arriving from wlan0
sudo iptables -A INPUT -i wlan0 -j DROP
# persist the ruleset so pre-up in /etc/network/interfaces can reload it
sudo sh -c "iptables-save > /etc/iptables.rules"

I am assuming I need to add another rule for port 443 to allow https requests. I am not sure how I should finish setting up dnsmasq and how to forward the traffic to my hardware connection eth0.

EDIT: Looking around it seems I might not need to change anything in dnsmasq but I just need to use some iptables rules to reroute https traffic to eth0? I do not know how to do that specifically for https requests though.

sudo iptables -nvL

Chain INPUT (policy ACCEPT 491 packets, 45444 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          tcp multiport dports 80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          tcp multiport dports 80

Chain OUTPUT (policy ACCEPT 413 packets, 52820 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            tcp dpt:443

sudo iptables-save

# Generated by iptables-save v1.4.21 on Tue Mar 7 22:56:30 2017
*nat
:PREROUTING ACCEPT [1781:191954]
:INPUT ACCEPT [704:143612]
:OUTPUT ACCEPT [204:15231]
:POSTROUTING ACCEPT [219:16055]
-A PREROUTING -i wlan0 -p tcp -m tcp -m multiport --dports 80 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i wlan0 -p tcp -m tcp -m multiport --dports 80 -j DNAT --to-destination 10.0.0.1
COMMIT
# Completed on Tue Mar 7 22:56:30 2017
# Generated by iptables-save v1.4.21 on Tue Mar 7 22:56:30 2017
*filter
:INPUT ACCEPT [389:44149]
:FORWARD ACCEPT [84:3648]
:OUTPUT ACCEPT [376:86142]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar 7 22:56:30 2017
  • "https requests, due to certificate errors, do not get my page and instead act like they are loading for eternity" – that's just firewall configuration; if it actually was a certificate error you'd be getting a Big Red Error Message from the browser. Commented Mar 8, 2017 at 14:03
  • @grawity Ok, that makes sense... I'm having trouble with getting the correct firewall config to enable it to pass through though. Commented Mar 8, 2017 at 14:10

1 Answer

# allow outbound HTTPS from the Pi on wlan0
iptables -A OUTPUT -o wlan0 -p tcp --dport 443 -j ACCEPT
# accept return traffic for connections already tracked
iptables -I INPUT 1 -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED
# let forwarded HTTP reach the web server
iptables -A FORWARD -p tcp -m tcp -m multiport -d 192.168.2.2/32 -j ACCEPT --dports 80
# rewrite HTTP arriving on wlan0 to the web server
iptables -A PREROUTING -t nat -p tcp -m tcp -m multiport -i wlan0 -j DNAT --to-destination 192.168.2.2 --dports 80

The first rule accepts encrypted traffic, and will be considered established on the return traffic.

  • This looks like it will work!! But for the ip address do I use 10.0.0.1 which is the ip address I set in /etc/network/interfaces? So like for the second line 10.0.0.1/24 and for the third line 10.0.0.1? Commented Mar 7, 2017 at 19:09
  • When I ran the commands with 10.0.0.1/24 and 10.0.0.1 for the IP address the first 2 commands gave no errors but the last command said "You must specify '--match-set' with proper arguments". Commented Mar 7, 2017 at 19:23
  • sorry I made a copy and paste error. fixed. I took out the -m set. The IP address is where non-encrypted web traffic goes. Commented Mar 7, 2017 at 19:29
  • Got that error out of the way but now it says "iptables: No chain/target/match by that name". Should I add -t nat to the last command... I read that somewhere but I don't know if it applies. Commented Mar 7, 2017 at 19:36
  • Ok I had the wrong interface on the 3rd line, which line says no chain/target/match? Commented Mar 7, 2017 at 19:39
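An added worked example (editor's code, not from the question or the answer above) that puts the pieces of the question and the answer together into one "walled garden" ruleset for the setup described: wlan0 clients, the Pi at 10.0.0.1 on 10.0.0.0/24, Apache on port 80, uplink on eth0. Two things in it go beyond what either post shows and are assumptions on my part. First, the ruleset adds IP forwarding and a MASQUERADE rule on eth0, which neither the question's rules nor the answer's include, and without which nothing forwarded from wlan0 gets a usable return path. Second, the generated dnsmasq.conf deliberately leaves out `address=/#/10.0.0.1` and points `server=` at an upstream resolver: with that `address=` line plus `no-resolv`, dnsmasq answers every name with 10.0.0.1, so a client's HTTPS connection lands on the Pi's port 443 instead of the real site, which is exactly the "loads forever" symptom. Plain HTTP is still caught by the PREROUTING DNAT regardless of what DNS returns. The script only prints the generated files unless run as `sh walled-garden.sh apply` (as root); the upstream resolver default is a placeholder from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code.
# Generates (and optionally applies) a walled-garden ruleset for a
# hostapd/dnsmasq access point: HTTP from clients is redirected to the
# local Apache page, HTTPS is forwarded and masqueraded out of eth0,
# everything else from the clients is dropped.
# Interface names and addresses are assumptions matching the question.

LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-eth0}"
GW_IP="${GW_IP:-10.0.0.1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
# Placeholder (RFC 5737 TEST-NET-1); replace with a resolver reachable via eth0.
UPSTREAM_DNS="${UPSTREAM_DNS:-192.0.2.53}"

# Ruleset in iptables-restore format, so it can be reviewed before use and
# written to /etc/iptables.rules for the pre-up hook in /etc/network/interfaces.
walled_garden_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Plain HTTP from clients is rewritten to the local Apache page.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $GW_IP:80
# Forwarded HTTPS leaves with the Pi's $WAN_IF address as source.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -p tcp --dport 443 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services the Pi offers to wifi clients: portal page, DNS, DHCP.
-A INPUT -i $LAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67:68 -j ACCEPT
# Anything else arriving from the wifi side is dropped (mirrors the question's last INPUT rule).
-A INPUT -i $LAN_IF -j DROP
# Only HTTPS is forwarded to the uplink; replies come back via conntrack.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# dnsmasq configuration that hands out real addresses (no address=/#/ line),
# so HTTPS connections reach the genuine site instead of the Pi.
dnsmasq_conf() {
    cat <<EOF
interface=$LAN_IF
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=option:router,$GW_IP
dhcp-option=option:dns-server,$GW_IP
no-resolv
server=$UPSTREAM_DNS
log-facility=/var/log/dnsmasq.log
log-queries
EOF
}

# Apply on the Pi (root): enable forwarding, persist and load the rules.
apply_walled_garden() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    walled_garden_rules > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
    dnsmasq_conf > /etc/dnsmasq.conf
}

case "${1:-}" in
    apply) apply_walled_garden ;;
    *)     echo "# /etc/iptables.rules"; walled_garden_rules
           echo; echo "# /etc/dnsmasq.conf"; dnsmasq_conf ;;
esac
```

Because the FORWARD policy is DROP and only TCP 443 is listed, clients cannot reach anything else on the uplink (no DNS to the internet directly, no other ports), which is the intended walled-garden behaviour; widening it is a matter of adding FORWARD and MASQUERADE rules for the extra ports. Note that redirecting HTTP on the Pi does nothing about HSTS-pinned or HTTPS-only sites, so the portal page only ever appears on a plain `http://` link, as the question expects.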
