Redirect Outbound HTTP to port 53 iptables

Solution 1

From your question it isn't clear what you want to do (or even that you know what you want to do), so here are a few pointers:

  • -t nat -- gets you to the NAT table, this is where you want to be for what it sounds like you want to do
  • -A POSTROUTING - the POSTROUTING table is for AFTER the routing decision has been made. Usually means the traffic is on its way out. You can change SOURCE addresses, but not DESTINATION addresses here.
  • -A PREROUTING - the PREROUTING table is for BEFORE the routing decision has been made. If you want to change where the packet goes, then do it here. It sounds like this is what you want.
  • -A OUTPUT - the OUTPUT table is for outbound packets that originated (or were otherwise modified) by a local process, and specifically NOT for packets that your server is handling in the role of a router/switch/gateway. This is a convenient place to put rules for traffic that your server is generating on its own.
  • -j REDIRECT - doesn't do what you think it does. Probably not what you want.
  • -j SNAT - Source Network Address Translation. This is for changing the source address or source port. If you want to change where the packet came from, then use this target.
  • -j DNAT - Destination Network Address Translation. This is for changing the destination address or port. If you want to change where the packet goes, then use this target.

So, to modify traffic passing through a router destined for port 80 and change that destination to port 53, you can use this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to :53

This will do exactly what you asked for. Specifically, it will make all websites unreachable.

Solution 2

Since you seem to be asking about traffic originating at the router itself, you should not be using the PREROUTING chain but the OUTPUT chain. Also, if the traffic is originating at the router itself, it is a much better option to change the configuration of the processes initiating the connection to simply use a different destination port.

If this is not working for you for whatever reason, you can use the DNAT target like

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to :53

Note, though, that since the destination servers are not expecting HTTP requests at port 53, you likely would not get any meaningful responses unless you revert the translation at some point behind the captive portal. You might consider tunneling through to a host under your control outside the restricted network (e.g. using OpenVPN) and simply route the requests through the tunnel instead.
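Solution 2's caveat (a DNS server on port 53 is not expecting HTTP) is also the property a network operator's sensor can key on. As an added example, not taken from either answer, the following Python classifier labels a TCP payload addressed to destination port 53 as HTTP, DNS or unknown; all sample payloads are constructed here.

```python
import re
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")

def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts with an HTTP/1.x request line."""
    m = REQUEST_LINE.match(payload)
    return m is not None and m.group(1) in HTTP_METHODS

def looks_like_dns_tcp(payload: bytes) -> bool:
    """True if the payload parses as a client DNS query over TCP:
    2-byte length prefix (RFC 1035 s4.2.2) followed by a 12-byte header."""
    if len(payload) < 14:
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    if msg_len < 12 or msg_len > len(payload) - 2:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[2:14])
    qr = flags >> 15              # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF  # 0 QUERY, 1 IQUERY, 2 STATUS
    return qr == 0 and opcode in (0, 1, 2) and qdcount >= 1

def classify_port53_payload(payload: bytes) -> str:
    """Label for the first TCP segment of a flow to dst port 53."""
    if looks_like_http(payload):
        return "http-on-53"   # HTTP that was NATed onto port 53
    if looks_like_dns_tcp(payload):
        return "dns"
    return "unknown"

def build_dns_query_tcp(name: str) -> bytes:
    """Constructed minimal A query for `name`, TCP-framed (length prefix)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg

# Constructed sample payloads as a sensor would see them on dst port 53.
SAMPLES = {
    "redirected-http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "normal-dns": build_dns_query_tcp("example.com"),
    "garbage": b"\x00\x05hello",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:16} -> {classify_port53_payload(data)}")
```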

Author: Eric

Updated on September 18, 2022

Comments

  • Eric
    Eric over 1 year

    I am new to iptables and would like to reroute all outbound HTTP traffic on my router from port 80 to port 53. Is this possible?

    Thanks in advance for any help.

    Eric

    *Edit

    I ran

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 5300

    That produced

    iptables v1.4.6: unknown option `--to-ports'
    Try `iptables -h' or 'iptables --help' for more information.

    I then ran

    opkg install iptables-mod-nat-extra

    That produced

    opkg_install_cmd: Cannot install package iptables-mod-nat-extra

    Thanks for help with this.

    Eric

    • Nathan C
      Nathan C almost 11 years
      Is this on openwrt by any chance? If you're getting that message then the kernel's not compatible with redirecting via iptables - at least that route.
    • Michael Hampton
      Michael Hampton almost 11 years
      Please don't ask us how to circumvent network security measures. After all, we are the people who implement those security measures!
    • MDMarra
      MDMarra almost 11 years
      What are you hoping to achieve by doing this?
  • Eric
    Eric almost 11 years
    Thanks, but when I ran that it produced the above results.
  • Nathan C
    Nathan C almost 11 years
    I commented on the question. Looks like the router's kernel doesn't support redirects with iptables. You could put squid or similar in front of your router to redirect. On that note, why do you need to redirect?
  • Eric
    Eric almost 11 years
    Ok, I'll look at implementing squid. I'm using an OpenWRT router without a GUI and would like to connect its WAN port to a network with an HTTP captive web portal capturing traffic from port 80. I am looking to redirect traffic to an open port in order to bypass that portal since I can not authenticate to it due to not having a browser. Thanks for your help.
  • the-wabbit
    the-wabbit almost 11 years
    Note that "REDIRECT" is intended to redirect to local ports - this seems not to be what the question is about.
  • est
    est over 6 years
    Hi, if I want to DNAT passing-through traffic on my router, can I use -A OUTPUT in some way?