Posts posted by !marvin

  1. You could attach the WAN interface to a network providing DHCP.

    In that case you would receive the DHCP address on WAN and you would have WLAN with the subnet. The LAN interface is not in use in this case.

    If you do not have access to the router on the WAN side (Jasager's WAN gateway): hide the behind the Jasager's WAN IP.

    It should look something like this (you can add the commands over the web interface -> advanced tab):

    iptables -A FORWARD -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A POSTROUTING -t nat -j MASQUERADE

    I think IP forwarding is enabled by default, otherwise

    echo '1' > /proc/sys/net/ipv4/ip_forward

    That's it.

    Or you can use a 3G modem. But for that there should be some info around in the forum.

  2. Regarding (2), if sslstrip is running BEFORE adding the iptables rule, you can still access the pineapple interface (you are redirected yourself through sslstrip).

    Correct me if I'm wrong, but this command would not help as we are accessing the pineapple with the IP which is in the source subnet of this iptables rule

    iptables -t nat -A PREROUTING -p tcp -s --destination-port 443 -j REDIRECT --to-ports 10000

    except if you are accessing your pineapple from a different subnet like, right ?

    We could add the following rule to not redirect our IP to sslstrip:

    iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j ACCEPT

    And this IP could also be determined before starting sslstrip from the UI and therefore be anything else.

    Just a little brainstorm :)

    1) Regarding your first point (running sslstrip before iptables): don't want to see my own password in the log file :rolleyes:

    No, seriously: didn't try that but it makes sense. You probably do not even have to start the script first BUT you have to start it and it should not crash, otherwise you have to use ssh or the powercycle method to access the web interface ...

    2) Don't want to correct you :) . You are correct of course. I’m connecting from a different IP as you noted but not from subnet.

    3) Don't know if I got your idea but then it should be

    iptables -t nat -A PREROUTING -s ! -p tcp --dport 80 -j ACCEPT

    Not tested, but as far as I remember the "!" adds an exception

    So it would NAT everything but the management station. Maybe there is a way to get the IP of the management host (connection log: Pineapple authpriv.notice dropbear[10456]: Password auth succeeded for 'root' from x.x.x.x) and add an auto exception for this IP just in case the management connects not from

    This was also only a little brainstorming. Maybe it's getting a little too complicated now and you'd better add only the standard iptables rules as planned, and everyone who needs to change it can change the config file where the iptables commands are defined

  3. Actually you can't customize the iptables rules from the UI. I prefer having a standard, simplified and working way for the moment from the UI for most of the users. I assumed advanced users can still go with ssh ;).

    I will maybe add a configuration section to modify the iptables command. I'm just wondering, in which case(s) you would like to customize the commands ?

    Two cases I can think of where iptables customization would help:

    1) I sometimes use a topology where I connect the MK4 directly to the DSL subnet but do not use a separate PC for connection sharing (ICS). Therefore I normally hide (masquerade) the WLAN subnet behind the WAN port IP address (DSL range) with an iptables rule (saves me from creating back routes on the DSL router :rolleyes: ). This is more to iptables directly and has more or less nothing to do with your sslstrip module I guess. But the whole thing works perfectly - also with sslstrip :)

    2) Correct me if I'm wrong but if I redirect the whole traffic to port 80 I will also not be able to connect to the MK4 web interface anymore (with any topology). So that would be a second scenario where customization of iptables would help. Maybe it would be possible to enter just a source IP range from where redirection should take place?

    But you are absolutely right. It can also be done by ssh.

  4. From my understanding WM has already accounted for the iptables redirect locking out the web GUI.

    Sorry, didn't notice that. Just saw the print screens and the feature list saying: "- iptables rules automatically installed". There was nothing mentioned regarding "customizable" iptables settings :unsure:

  5. Cool, I would have a feature request :-)

    Would be great if iptables NAT rules were editable.

    Example: do only NAT if the source is in net x.x.x.x

    iptables -t nat -A PREROUTING -p tcp -s --destination-port 443 -j REDIRECT --to-ports 10000

    Helps to access the port 80 web interface if only some subnets are redirected :-)
