From ad9f95044dea942466edb5826efd234d1deafa05 Mon Sep 17 00:00:00 2001
From: Ivan Davydov
Date: Thu, 12 Jun 2025 13:25:12 +0300
Subject: [PATCH] init.d: openwrt-minimal: redirect https connections to another port

---
 init.d/openwrt-minimal/tpws/etc/firewall.user | 3 ++-
 .../openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft | 12 ++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/init.d/openwrt-minimal/tpws/etc/firewall.user b/init.d/openwrt-minimal/tpws/etc/firewall.user
index 2681cf5..f538dcd 100644
--- a/init.d/openwrt-minimal/tpws/etc/firewall.user
+++ b/init.d/openwrt-minimal/tpws/etc/firewall.user
@@ -1,5 +1,6 @@
 DISABLE_IPV6=0
 TP_PORT=900
+TP_PORT_SSL=901
 TP_USER=daemon
 EXCLUDE4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"
 
@@ -25,7 +26,7 @@ redirect_port()
 redirect()
 {
 	redirect_port 80 $TP_PORT
-	redirect_port 443 $TP_PORT
+	redirect_port 443 $TP_PORT_SSL
 }
 
 for IPTABLES in $IPTS; do
diff --git a/init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft b/init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft
index 819ca4f..7cfb51c 100644
--- a/init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft
+++ b/init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft
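Review bot: `redirect_port 443 $TP_PORT_SSL` in redirect() now sends every port-443 connection to 901, but nothing in this patch starts a tpws listener on that port; unless the tpws init script or its configuration is changed alongside this (not visible here), HTTPS traffic will be redirected to a closed port and refused instead of being passed through as before. The caller of redirect() lies outside the hunk. The new variable in the first hunk deserves a line saying where it has to agree, e.g. `TP_PORT_SSL=901   # port tpws listens on for redirected 443 traffic; must match the tpws instance started for TLS`.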
@@ -8,11 +8,15 @@ set tpws_exclude6 {
 }
 chain tpws_pre {
 	type nat hook prerouting priority dstnat; policy accept;
-	tcp dport {80,443} ip daddr != @tpws_exclude4 redirect to :900
-	tcp dport {80,443} ip6 daddr != @tpws_exclude6 redirect to :900
+	tcp dport 80 ip daddr != @tpws_exclude4 redirect to :900
+	tcp dport 443 ip daddr != @tpws_exclude4 redirect to :901
+	tcp dport 80 ip6 daddr != @tpws_exclude4 redirect to :900
+	tcp dport 443 ip6 daddr != @tpws_exclude6 redirect to :901
 }
 chain tpws_out {
 	type nat hook output priority -100; policy accept;
-	tcp dport {80,443} skuid != daemon ip daddr != @tpws_exclude4 redirect to :900
-	tcp dport {80,443} skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :900
+	tcp dport 80 skuid != daemon ip daddr != @tpws_exclude4 redirect to :900
+	tcp dport 443 skuid != daemon ip daddr != @tpws_exclude4 redirect to :901
+	tcp dport 80 skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :900
+	tcp dport 443 skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :901
 }
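Review bot: The new IPv6 port-80 rule in chain tpws_pre, `tcp dport 80 ip6 daddr != @tpws_exclude4 redirect to :900`, matches an `ip6 daddr` against the IPv4 exclusion set, whereas the removed line used `@tpws_exclude6`; depending on the declared type of tpws_exclude4 (declared above this hunk) this either fails to load and takes the whole ruleset with it, or silently loses the IPv6 exclusion for port 80 so that excluded destinations get redirected too. The line should read `tcp dport 80 ip6 daddr != @tpws_exclude6 redirect to :900`, as the corresponding rule in tpws_out already does. Separately, the listener ports remain literal :900/:901 here while firewall.user carries them as TP_PORT/TP_PORT_SSL; a comment such as `# :900/:901 must match TP_PORT/TP_PORT_SSL in firewall.user` at the top of the chain would help keep the two files in step.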