redirect specified traffic to external server with dd-wrt

Recently I had to set up some iptables-based redirection on a DD-WRT powered router. I didn’t find any useful information on Google, so this is how I did it.

The redirection applies to every TCP connection from any host on the internal network that is going to port 80 on the Internet. Here is the script I used:

#!/bin/sh
PROXY_IP=[IP]
PROXY_PORT=[PORT]
WAN_IF=vlan1   # WAN interface; vlan1 on many Broadcom builds, compare with: nvram get wan_ifname
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Rewrite the destination of LAN -> Internet port 80 traffic to the proxy.
# "! -d $LAN_IP" leaves connections to the router itself (its web UI) alone.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET ! -d $LAN_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
# Let the rewritten packets through the FORWARD chain on their way to the WAN.
iptables -A FORWARD -i br0 -o $WAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

To use this script, replace [IP] with the address of the server the traffic should be redirected to and [PORT] with the port on that server. Then go to Administration/Commands, paste the script (with your proxy’s IP and port filled in) and click Save Firewall, so that it is re-applied on every boot. To check that the rules are active, run iptables -t nat -L PREROUTING -n -v from the router’s shell and watch the packet counter of the DNAT rule increase while a LAN host browses.

This script redirects every request made on port 80 to our PROXY_IP and PROXY_PORT. The server there has to be a transparent (intercepting) proxy: the clients do not know they are being proxied and send ordinary origin-form HTTP requests, not proxy-style ones, and because the address rewriting happens on the router, the proxy cannot recover the original destination address itself and has to take it from the Host header.

LAN_IP is the router’s internal interface address and LAN_NET is the network configured on that interface, both read from nvram, so there is no need to edit the script if you change the router’s configuration. The WAN interface name does vary between builds and WAN types (vlan1, vlan2, eth0, ppp0 for PPPoE), so adjust WAN_IF if the FORWARD rule never matches.

Of course you can change which port is redirected to the proxy: just change the destination port (--dport 80) to 443 if you want to redirect all HTTPS traffic, so the line looks like this:

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET ! -d $LAN_IP -p tcp --dport 443 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT

Be aware that this does much less than it seems to. The client’s TLS handshake now ends at the proxy, which would have to present a certificate for the site the client asked for; unless the clients have been made to trust a CA run by the proxy, browsers will show certificate errors, and for sites with HSTS they will refuse to continue at all. The proxy also cannot see a Host header inside the encrypted connection, only the server name (SNI) in the ClientHello.

To explain the rules: the first iptables line redirects all traffic on the given port to the proxy server. Replies from the proxy need no rule of their own, because connection tracking reverses both this DNAT and the router’s usual WAN masquerading on the way back. The FORWARD line permits the redirected packets through the firewall on their way from the LAN to the WAN. (If the proxy were on the LAN itself rather than on the Internet, it would answer the client directly, bypassing the router; in that case an additional POSTROUTING rule that SNATs the redirected packets to LAN_IP is needed so that the replies come back through the router.)
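As an added example, not code from the original post, here is a small script that generates the rule set above from parameters, so the exact commands can be reviewed (or compared with what iptables-save prints) before they are pasted into Administration/Commands. It assumes br0 is the LAN bridge as on this page, that the WAN interface name is passed in (vlan1 by default), and it uses 203.0.113.10:3128 as a placeholder proxy; nothing in it runs iptables.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the DD-WRT redirect
# rules from parameters so they can be reviewed before being applied.
# Assumptions: br0 is the LAN bridge, the WAN interface is given as the sixth
# argument (vlan1 by default; compare with "nvram get wan_ifname" on the
# router), and 203.0.113.10:3128 is a placeholder proxy address.

# Turn an IP and dotted netmask into a network in CIDR form, e.g.
# 192.168.1.1 255.255.255.0 -> 192.168.1.0/24. iptables also accepts the
# "IP/dotted-mask" form the original script uses, but a canonical network
# address reads better in "iptables -L" output.
lan_network() {
    ip=$1
    mask=$2
    # Split both dotted quads into eight positional parameters.
    set -- $(echo "$ip" | tr '.' ' ') $(echo "$mask" | tr '.' ' ')
    net="$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
    # The prefix length is the number of one bits in the mask.
    bits=0
    for o in $5 $6 $7 $8; do
        while [ "$o" -gt 0 ]; do
            bits=$(( bits + (o & 1) ))
            o=$(( o >> 1 ))
        done
    done
    echo "$net/$bits"
}

# Print the two rules needed for one redirected port. The DNAT rewrites
# LAN -> Internet traffic on $port to the proxy (the router's own address is
# excluded so its web UI stays reachable) and the FORWARD rule lets the
# rewritten packets out towards the WAN. Replies need no rule of their own:
# connection tracking reverses the DNAT and the WAN masquerading.
redirect_rules() {
    port=$1
    lan_ip=$2
    lan_net=$3
    proxy_ip=$4
    proxy_port=$5
    wan_if=${6:-vlan1}
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i br0 -s $lan_net ! -d $lan_ip -p tcp --dport $port -j DNAT --to-destination $proxy_ip:$proxy_port" \
        "iptables -A FORWARD -i br0 -o $wan_if -s $lan_net -d $proxy_ip -p tcp --dport $proxy_port -j ACCEPT"
}

# When run with arguments, print the rule set for review, e.g. on the router:
#   sh redirect.sh 80 "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" 203.0.113.10 3128 vlan1
if [ "$#" -ge 5 ]; then
    redirect_rules "$1" "$2" "$(lan_network "$2" "$3")" "$4" "$5" "${6:-vlan1}"
fi
```

Once the printed rules look right, feed them to sh on the router (or paste them into the firewall script) and confirm they took effect with iptables -t nat -L PREROUTING -n -v; the packet counter of the DNAT rule should climb while a LAN host browses. Only the PREROUTING and FORWARD rules are generated, since the reverse translation of the replies is done by connection tracking.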

If you need more information, leave a comment and I will reply as soon as I can.

11 Comments on “redirect specified traffic to external server with dd-wrt”

  1. No, there are no issues with this page, and nothing wrong with the style sheet… everything works like a charm. I do not know what is going on, or why you are having issues.

  2. I’m still learning from you, as I’m trying to achieve my goals. I definitely enjoy reading all that is posted on your website. Keep the tips coming. I enjoyed it!

  3. I was very pleased to find this web site. I wanted to thank you for your time for this wonderful read!! I am definitely enjoying every little bit of it and I have you bookmarked to check out the new stuff you blog post.

  4. Hi, thanks for the post.
    Can I ask you a question: how would the script look if I wanted to redirect all the traffic on all ports from my wireless network to a specific proxy URL, for example “proxy.url.com”?

    Thank you!

    • I do not know if it is possible to redirect all traffic to a proxy. But if you want to achieve this, try this one:

      #!/bin/sh
      PROXY_IP=[IP]
      PROXY_PORT=[PORT]
      LAN_IP=`nvram get lan_ipaddr`
      LAN_NET=$LAN_IP/`nvram get lan_netmask`

      # -p tcp is required: DNAT only accepts a port in --to-destination for TCP or UDP
      iptables -t nat -A PREROUTING -i br0 -s $LAN_NET ! -d $LAN_IP -p tcp -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
      iptables -A FORWARD -i br0 -o vlan1 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

      Maybe it will work, but I am not 100% sure.

  5. Actually, is it possible to redirect all HTTPS requests to a proxy server using DD-WRT? We have tried and have hit a road block.

    Any suggestions?

    • Running into a similar issue with HTTPS. I believe the browser is looking to complete the SSL handshake to continue, and if whatever you’re redirecting to can’t do that… it’ll stop. That’s what I’m seeing. I believe this can be fixed but I am guessing it will still result in an ugly cert error.

  6. Hi,
    I don’t understand one line from your script:

    iptables -t nat -A POSTROUTING -o br0 -s $PROXY_IP -p tcp -d $LAN_NET -j SNAT --to $PROXY_IP

    It doesn’t make sense… you change the source IP address to $PROXY_IP for packets leaving for the local LAN, which already have the source address $PROXY_IP.

    I’m trying without success to make this work.

    Thanks!
