!marvin

  1. You could attach the WAN interface to a network providing DHCP. In that case you would receive the DHCP address on WAN and you would have WLAN with the 172.16.42.0/24 subnet. The LAN interface is not in use in this case. If you do not have access to the router on the WAN side (Jasager's WAN gateway), hide the 172.16.42.0/24 subnet behind the Jasager's WAN IP. It should look somehow like this (you can add the commands over the web interface -> advanced tab):

         iptables -A FORWARD -m state --state NEW -j ACCEPT
         iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
         iptables -A POSTROUTING -t nat -j MASQUERADE

     I think IP forwarding is enabled by default, otherwise:

         echo '1' > /proc/sys/net/ipv4/ip_forward

     That's it. Or you can use a 3G modem. But for that there should be some info around in the forum.
  2. 1) Regarding your first point (running sslstrip before iptables): don't want to see my own password in the log file. No, seriously: didn't try that, but it makes sense. You probably do not even have to start the script first, BUT you have to start it and it should not crash, otherwise you have to use ssh or the power-cycle method to access the web interface ...

     2) Don't want to correct you :) . You are correct of course. I'm connecting from a different IP as you noted, but not from the 172.16.42.0/24 subnet.

     3) Don't know if I got your idea, but then it should be:

         iptables -t nat -A PREROUTING ! -s 172.16.42.42 -p tcp --dport 80 -j ACCEPT

     Not tested, but as far as I remember the "!" adds an exception. So it would NAT everything but the management station. Maybe there is a way to get the IP of the management host (connection log: Pineapple authpriv.notice dropbear[10456]: Password auth succeeded for 'root' from x.x.x.x) and add an auto exception for this IP, just in case the management station connects from something other than 172.16.42.42. Was also only a little brainstorming. Maybe it's getting a little too complicated now and you'd better add only the standard iptables rules as planned, and everyone who needs to change it can change the config file where the iptables commands are defined.
  3. Two cases I can think of where iptables customization would help:

     1) I sometimes use a topology where I connect the MK4 directly to the DSL subnet but do not use a separate PC for connection sharing (ICS). Therefore I normally hide (masquerade) the WLAN subnet behind the WAN port IP address (DSL range) with an iptables rule (saves me from creating back routes on the DSL router). This is more about iptables directly and has more or less nothing to do with your sslstrip module, I guess. But the whole thing works perfectly, also with sslstrip :)

     2) Correct me if I'm wrong, but if I redirect the whole traffic to port 80 I will also not be able to connect to the MK4 web interface anymore (with any topology). So that would be a second scenario where customization of iptables would help. Maybe it would be possible to enter just a source IP range from where redirection should take place? But you are absolutely right. It can also be done by ssh.
  4. Sorry, didn't notice that. Just saw the print screens and the feature list saying: "- iptables rules automatically installed". There was nothing mentioned regarding "customizable" iptables settings.
  5. Cool, I would have a feature request :-) It would be great if the iptables NAT rules were editable. Example: do NAT only if the source is in net x.x.x.x, e.g.:

         iptables -t nat -A PREROUTING -p tcp -s 172.16.42.0/24 --destination-port 443 -j REDIRECT --to-ports 10000

     Helps to access the port 80 web interface if only some subnets are redirected :-)