From aeacbe60caae6e65bd64994a4ca2eb2668cade7f Mon Sep 17 00:00:00 2001
From: Jerry Vonau
Date: Tue, 3 Jul 2018 09:00:45 -0500
Subject: [PATCH] tweaking iptables for captive portal

---
 .../templates/gateway/iiab-gen-iptables | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables
index 7ec8f3bf0..3b9e8959a 100755
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@@ -105,8 +105,9 @@ if [ "$gw_block_https" == "True" ]; then
 fi
 
 # Allow outgoing connections from the LAN side.
-$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-
+if ! [ "$captive_portal_enabled" == "True" ];then
+ $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
+fi
 # Don't forward from the outside to the inside.
 $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
 $IPTABLES -A INPUT -i $wan -j DROP
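Review bot: With `captive_portal_enabled` set to True, the new guard skips the only LAN→WAN ACCEPT in the FORWARD chain, so what LAN clients can reach is decided by the chain's default policy, which is not visible in this hunk, and the commit adds no rule that admits a client after it has passed the portal — if the policy is ACCEPT the guard changes nothing, if it is DROP every LAN client loses WAN access with no release path. The intent should be written down above the `if`, e.g. `# Captive portal: no blanket LAN->WAN ACCEPT; the FORWARD policy (and any portal-managed rules) decide what is forwarded`, so the next reader can check it against the policy set elsewhere in the script. As a point of style, `if [ "$captive_portal_enabled" != "True" ]; then` reads more directly than the negated test and matches the `]; then` spacing used on the hunk's header line; the moved ACCEPT line could also quote its interfaces, `-i "$lan" -o "$wan"`, since an empty or unset variable would otherwise silently drop the option argument.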
@@ -116,14 +117,17 @@ if [ "$block_DNS" == "True" ];then
 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 fi
 
+#if [ "$captive_portal_enabled" == "True" ];then
+# $IPTABLES -t mangle -N internet
+# $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet
+# $IPTABLES -t mangle -A internet -j MARK --set-mark 99
+# $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}:
+
 if [ "$captive_portal_enabled" == "True" ];then
- $IPTABLES -t mangle -N internet
- $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet
- $IPTABLES -t mangle -A internet -j MARK --set-mark 99
- $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}
+ $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090
 elif [ "$HTTPCACHE_ON" == "True" ]; then
- $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d 172.18.96.1 -j DNAT --to 172.18.96.1:3128
+ $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
 
 # Enable routing.
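Review bot: The five `+#` lines re-add the removed mangle/MARK block as commented-out code, and the last of them is even truncated (`--to-destination {{ lan_ip }}:` with no port), so it can never be uncommented as-is; the removed lines are already in git history and the dead block should simply be dropped. The live replacement, `$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090`, intercepts every LAN HTTP connection not addressed to the gateway itself and nothing else (HTTPS and other ports are untouched, which is expected for a portal but worth stating), and because it shares the `elif` with the HTTP-cache redirect the cache is silently bypassed whenever the portal is on. A one-line comment above the `if` would make both facts visible to the next maintainer, e.g. `# Captive portal: redirect LAN HTTP (TCP/80, not aimed at this host) to the portal listener on :9090; takes precedence over the HTTPCACHE redirect`. Replacing the hard-coded `172.18.96.1` with `{{ lan_ip }}` on the cache rule is the right fix; the two listener ports (9090 and 3128) remain literal and could follow the same templating if they are configurable elsewhere.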