Score:1

iptables doesn't forward http traffic

cn flag

I am trying to create a captive portal, and the first thing to do is to redirect all traffic to specific IP:port.

I have tried:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <my-ip>:<my-port>

Which works when trying to test out the redirect on the same device that acts as a hotspot. I understood that requests from other users go through the PREROUTING chain, so I did the following:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <my-ip>:<my-port>

Now when I try to access IP xxx.xxx.xxx.xxx with another device, I get ERR_ADDRESS_UNREACHABLE. However if I try to reach <my-ip>, I do get redirected to another <my-port>. It's as if forwarding to the another port works, but forwarding to another IP doesn't. What could be the issue here?

I flushed iptables before the experiment, and all policies are ACCEPT.

*one of the answers asked for iptables-save, here is it:

    # Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*security
:INPUT ACCEPT [12750:14270713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3688:960149]
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:bw_raw_PREROUTING - [0:0]
:clat_raw_PREROUTING - [0:0]
:idletimer_raw_PREROUTING - [0:0]
:nm_mdmprxy_raw_pre - [0:0]
:qcom_htimer_PREROUTING - [0:0]
:tetherctrl_raw_PREROUTING - [0:0]
-A PREROUTING -j qcom_htimer_PREROUTING
-A PREROUTING -j clat_raw_PREROUTING
-A PREROUTING -j bw_raw_PREROUTING
-A PREROUTING -j idletimer_raw_PREROUTING
-A PREROUTING -j tetherctrl_raw_PREROUTING
-A bw_raw_PREROUTING -i ipsec+ -j RETURN
-A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
-A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
-A nm_mdmprxy_raw_pre -p tcp -m multiport --ports 5060 -j NOTRACK
-A nm_mdmprxy_raw_pre -p udp -m multiport --ports 5060 -j NOTRACK
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:oem_nat_pre - [0:0]
:tetherctrl_nat_POSTROUTING - [0:0]
-A PREROUTING -j oem_nat_pre
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.11:8080
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.43.11:8080
-A POSTROUTING -j tetherctrl_nat_POSTROUTING
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:bw_mangle_POSTROUTING - [0:0]
:idletimer_mangle_POSTROUTING - [0:0]
:nm_mdmprxy_icmp_pkt_marker - [0:0]
:nm_mdmprxy_mark_prov_chain - [0:0]
:nm_mdmprxy_mngl_post - [0:0]
:nm_mdmprxy_mngl_pre - [0:0]
:nm_mdmprxy_mngl_pre_ex - [0:0]
:nm_mdmprxy_mngl_pre_spi - [0:0]
:nm_mdmprxy_mngl_pre_tee - [0:0]
:nm_mdmprxy_pkt_forwarder - [0:0]
:nm_mdmprxy_pkt_marker - [0:0]
:nm_mdmprxy_pkt_skmark - [0:0]
:oem_mangle_post - [0:0]
:qcom_htimer_POSTROUTING - [0:0]
:qcom_qos_filter_POSTROUTING - [0:0]
:qcom_qos_reset_POSTROUTING - [0:0]
:routectrl_mangle_INPUT - [0:0]
:tetherctrl_mangle_FORWARD - [0:0]
:wakeupctrl_mangle_INPUT - [0:0]
-A INPUT -j wakeupctrl_mangle_INPUT
-A INPUT -j routectrl_mangle_INPUT
-A FORWARD -j tetherctrl_mangle_FORWARD
-A POSTROUTING -j qcom_htimer_POSTROUTING
-A POSTROUTING -j oem_mangle_post
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j qcom_qos_reset_POSTROUTING
-A POSTROUTING -j qcom_qos_filter_POSTROUTING
-A bw_mangle_POSTROUTING -o ipsec+ -j RETURN
-A bw_mangle_POSTROUTING -m policy --dir out --pol ipsec -j RETURN
-A bw_mangle_POSTROUTING -j MARK --set-xmark 0x0/0x100000
-A bw_mangle_POSTROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_egress_xtbpf
-A nm_mdmprxy_mark_prov_chain -p udp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mark_prov_chain -p tcp -m socket --transparent --nowildcard --restore-skmark -j nm_mdmprxy_pkt_skmark
-A nm_mdmprxy_mngl_post -m mark --mark 0xf0002 -j MARK --set-xmark 0x0/0xffffffff
-A nm_mdmprxy_pkt_marker -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mark_prov_chain
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_spi
-A nm_mdmprxy_pkt_marker -j nm_mdmprxy_mngl_pre_ex
-A nm_mdmprxy_pkt_marker -p udp -m udp --dport 7275 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -p udp -m udp --dport 5060 -j MARK --set-xmark 0xf0002/0xffffffff
-A nm_mdmprxy_pkt_marker -m mark --mark 0xf0002 -j nm_mdmprxy_pkt_forwarder
-A nm_mdmprxy_pkt_marker ! -p icmp -m mark --mark 0xf0002 -j DROP
-A nm_mdmprxy_pkt_skmark -j RETURN
-A qcom_qos_reset_POSTROUTING -o rmnet_data+ -j MARK --set-xmark 0x0/0xffffffff
-A routectrl_mangle_INPUT -i rmnet_data1 -j MARK --set-xmark 0xf0001/0xffefffff
-A routectrl_mangle_INPUT -i wlan0 -j MARK --set-xmark 0x30063/0xffefffff
-A tetherctrl_mangle_FORWARD -p tcp -m tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
# Generated by iptables-save v1.6.1 on Sun Jun 20 20:22:06 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Jun 20 20:22:06 2021
bocian85 avatar
cn flag
is this machine a NAT gateway for <my-ip> or a host that you were trying it to work for ? For this to work, traffic has to get through this machine. Sorry for stating the obvious here. A good practice would also be to add source or destination for the PREROUTING rule, as this might as well work in both directions which might not be what you wanted. Would it be a problem for you to show the output of `iptables-save` here to rule out some preceding rule that renders this one dormant ? Can you also specify the "nothing happens" ? You mean that there is a timeout in the browser ?
Nikola avatar
cn flag
<my-ip> is the address of the machine running the iptables and http server. iptables-save shows this, i will add it to the question. Opening the <my-ip> in browser gives "ERR_ADDRESS_UNREACHABLE"
bocian85 avatar
cn flag
can the host that you are trying to connect from connect to the target address ? host unreachable means that either the IP is not reachable or nothing listens on that port. You might try adding `-t nat -A POSTROUTING -d <my-ip>:<my-port> -J MASQUERADE` to eliminate the first problem
Nikola avatar
cn flag
I have added what you told me without the port (host/network <my-ip>:<my-port> not found). Still cannot access the webserver that runs on my machine by going to a random IP.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.