iptables doesn't forward http traffic

Question

Score:1

Server

iptables doesn't forward http traffic

Nikola

10/20/22, 6:03 PM

I am trying to create a captive portal, and the first thing to do is to redirect all traffic to specific IP:port.

I have tried:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <my-ip>:<my-port>

Which works when trying to test out the redirect on the same device that acts as a hotspot. I understood that requests from other users go through the PREROUTING chain, so I did the following:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <my-ip>:<my-port>

Now when I try to access IP xxx.xxx.xxx.xxx with another device, I get ERR_ADDRESS_UNREACHABLE. However if I try to reach <my-ip>, I do get redirected to another <my-port>. It's as if forwarding to the another port works, but forwarding to another IP doesn't. What could be the issue here?

I flushed iptables before the experiment, and all policies are ACCEPT.

*one of the answers asked for iptables-save, here is it:

    # Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*security
:INPUT ACCEPT [12750:14270713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3688:960149]
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:bw_raw_PREROUTING - [0:0]
:clat_raw_PREROUTING - [0:0]
:idletimer_raw_PREROUTING - [0:0]
:nm_mdmprxy_raw_pre - [0:0]
:qcom_htimer_PREROUTING - [0:0]
:tetherctrl_raw_PREROUTING - [0:0]
-A PREROUTING -j qcom_htimer_PREROUTING
-A PREROUTING -j clat_raw_PREROUTING
-A PREROUTING -j bw_raw_PREROUTING
-A PREROUTING -j idletimer_raw_PREROUTING
-A PREROUTING -j tetherctrl_raw_PREROUTING
-A bw_raw_PREROUTING -i ipsec+ -j RETURN
-A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
-A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
-A nm_mdmprxy_raw_pre -p tcp -m multiport --ports 5060 -j NOTRACK
-A nm_mdmprxy_raw_pre -p udp -m multiport --ports 5060 -j NOTRACK
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:oem_nat_pre - [0:0]
:tetherctrl_nat_POSTROUTING - [0:0]
-A PREROUTING -j oem_nat_pre
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.11:8080
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.11:8080
-A POSTROUTING -j tetherctrl_nat_POSTROUTING
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:bw_mangle_POSTROUTING - [0:0]
:idletimer_mangle_POSTROUTING - [0:0]
:nm_mdmprxy_icmp_pkt_marker - [0:0]
:nm_mdmprxy_mark_prov_chain - [0:0]
:nm_mdmprxy_mngl_post - [0:0]
:nm_mdmprxy_mngl_pre - [0:0]
:nm_mdmprxy_mngl_pre_ex - [0:0]
:nm_mdmprxy_mngl_pre_spi - [0:0]
:nm_mdmprxy_mngl_pre_tee - [0:0]
:nm_mdmprxy_pkt_forwarder - [0:0]
:nm_mdmprxy_pkt_marker - [0:0]
:nm_mdmprxy_pkt_skmark - [0:0]
:oem_mangle_post - [0:0]
:qcom_htimer_POSTROUTING - [0:0]
:qcom_qos_filter_POSTROUTING - [0:0]
:qcom_qos_reset_POSTROUTING - [0:0]
:routectrl_mangle_INPUT - [0:0]
:tetherctrl_mangle_FORWARD - [0:0]
:wakeupctrl_mangle_INPUT - [0:0]
-A INPUT -j wakeupctrl_mangle_INPUT
-A INPUT -j routectrl_mangle_INPUT
-A FORWARD -j tetherctrl_mangle_FORWARD
-A POSTROUTING -j qcom_htimer_POSTROUTING
-A POSTROUTING -j oem_mangle_post
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j qcom_qos_reset_POSTROUTING
-A POSTROUTING -j qcom_qos_filter_POSTROUTING
-A bw_mangle_POSTROUTING -o ipsec+ -j RETURN
-A bw_mangle_POSTROUTING -m policy --dir out --pol ipsec -j RETURN
-A bw_mangle_POSTROUTING -j MARK --set-xmark 0x0/0x100000
-A bw_mangle_POSTROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_egress_xtbpf
-A nm_mdmprxy_mark_prov_chain -p udp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mark_prov_chain -p tcp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mngl_post -m mark --mark 0xf0002 -j MARK --set-xmark 0x0/0xffffffff
-A nm_mdmprxy_pkt_marker -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mark_prov_chain
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_spi
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_ex
-A nm_mdmprxy_pkt_marker -p udp -m udp --dport 7275 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -p udp -m udp --dport 5060 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -m mark --mark 0xf0002 -j nm_mdmprxy_pkt_forwarder
-A nm_mdmprxy_pkt_marker ! -p icmp -m mark --mark 0xf0002 -j DROP
-A nm_mdmprxy_pkt_skmark -j RETURN
-A qcom_qos_reset_POSTROUTING -o rmnet_data+ -j MARK --set-xmark 0x0/0xffffffff
-A routectrl_mangle_INPUT -i rmnet_data1 -j MARK --set-xmark 0xf0001/0xffefffff
-A routectrl_mangle_INPUT -i wlan0 -j MARK --set-xmark 0x30063/0xffefffff
-A tetherctrl_mangle_FORWARD -p tcp -m tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Jun 20 20:22:06 2021

143

0 + 4

linux

firewall

iptables

port-forwarding

iptables doesn't forward http traffic

Post an answer