tweaking iptables for captive portal

roles/network/templates/gateway/iiab-gen-iptables

@@ -105,8 +105,9 @@ if [  "$gw_block_https" == "True" ]; then
 fi
 
 # Allow outgoing connections from the LAN side.
-$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-
+if ! [ "$captive_portal_enabled" == "True" ];then
+    $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
+fi
 # Don't forward from the outside to the inside.
 $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
 $IPTABLES -A INPUT -i $wan -j DROP
@@ -116,14 +117,17 @@ if [ "$block_DNS" == "True" ];then
     $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 fi
 
+#if [ "$captive_portal_enabled" == "True" ];then
+#   $IPTABLES -t mangle -N internet
+#   $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet
+#   $IPTABLES -t mangle -A internet -j MARK --set-mark 99
+#   $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}:
+
 if [ "$captive_portal_enabled" == "True" ];then
-   $IPTABLES -t mangle -N internet
-   $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet
-   $IPTABLES -t mangle -A internet -j MARK --set-mark 99
-   $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}
+    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090
 
 elif [ "$HTTPCACHE_ON" == "True" ]; then
-    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d 172.18.96.1 -j DNAT --to 172.18.96.1:3128
+    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
 
 # Enable routing.