
I'm trying to redirect all traffic on my wifi router to a local webserver using iptables. I'm not sure I have got the command right, and I also want to exclude the router IP (172.16.0.1) from the rule to prevent locking myself out of the router.

What I've come up with so far:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 172.16.0.2:80
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 172.16.0.2:80

I tested the above and it caused me to not be able to access the router again, and the redirect is not working. What am I doing wrong, and how can I exclude 172.16.0.1 from being redirected to 172.16.0.2?

Setup: 172.16.0.2 is the IP of the webserver, 172.16.0.1 is my router (dd-wrt), no internet connection.

Example of what I'm trying to achieve:

  • User connects to wifi hotspot, trying to access www.siteA.com, gets redirected to 172.16.0.2 (/index.html)
  • User connects to wifi hotspot, trying to access www.siteB.com, gets redirected to 172.16.0.2 (/index.html)
  • User tries to access 172.16.0.1 and no redirection takes place
Jeff Schaller
D. Eight

1 Answer


All you need is this single rule:

iptables -t nat -I PREROUTING --src 0/0 --dst 172.16.0.2 

This will insert (-I) into the PREROUTING chain of the nat table (-t nat) a rule that says:

Any incoming (--src 0/0) packet with destination address 172.16.0.2 (--dst 172.16.0.2).

Things to remember: to redirect incoming traffic means inserting rules into the PREROUTING chain of the nat table. Redirection is done only for the specified interface. More in man iptables; search for the REDIRECT keyword.

iptables -t nat --append PREROUTING --source 172.16.0.1 --jump RETURN

RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

malyy
  • Thank you for the reply. I tried this but have run into some other issues which have led me to the need of possibly creating a proxy / captive portal solution instead, as I will most likely run into problems with https -> http redirects, URI etc... But thanks for the reply! – D. Eight Feb 01 '16 at 01:56
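As an added worked example (not from the question or the answer above), here is a complete ruleset for the setup described in the question, written so it can be reviewed before it is loaded. The addresses, the LAN bridge name br0 and the LAN prefix 172.16.0.0/24 are assumptions taken from the thread. Two points it makes explicit that the thread only hints at: the exclusion for the router's own address must be a RETURN that sits before the DNAT rules in PREROUTING (a rule appended after them never fires for redirected packets, which is how the router UI on port 80 gets captured and the lockout happens), and because the webserver sits on the same LAN as the clients, the redirected flows need hairpin NAT in POSTROUTING, otherwise 172.16.0.2 answers the client directly with a source address the client never connected to and the client resets the connection. The script prints the rules in iptables-restore syntax by default and only loads them when APPLY=1.

```shell
#!/bin/sh
# Added example: capture all HTTP/HTTPS on the LAN bridge and send it to a local
# webserver, leaving the router's own address alone. Not code from the question
# or the answer. Assumed (hypothetical) values match the thread's setup.
LAN_IF=${LAN_IF:-br0}             # dd-wrt LAN bridge
ROUTER_IP=${ROUTER_IP:-172.16.0.1}
WEB_IP=${WEB_IP:-172.16.0.2}
LAN_NET=${LAN_NET:-172.16.0.0/24}

# Emit the nat table in iptables-restore syntax. Rule order inside PREROUTING
# is the whole point: the RETURN for the router address must come before the
# DNAT rules, or the router's web UI on :80 is redirected as well.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -d $ROUTER_IP -j RETURN
-A PREROUTING -i $LAN_IF -d $WEB_IP -j RETURN
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
-A PREROUTING -i $LAN_IF -p tcp --dport 443 -j DNAT --to-destination $WEB_IP:80
-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -m conntrack --ctstate DNAT -j MASQUERADE
COMMIT
EOF
}
# Notes on the rules above:
#  - "-d $ROUTER_IP -j RETURN": the exclusion the question asks for; traffic to
#    the router itself leaves PREROUTING untouched.
#  - "-d $WEB_IP -j RETURN": direct visits to the webserver are not rewritten
#    (and so are not masqueraded below, keeping real client IPs in its logs).
#  - POSTROUTING MASQUERADE with --ctstate DNAT: hairpin NAT only for flows
#    that were redirected, so replies return via the router. Assumes the
#    xt_conntrack match is available on the router build.

# Sanity check on the generated ruleset: the router exclusion must precede the
# first DNAT rule. Returns 0 when the order is right, 1 otherwise.
check_order() {
    nat_rules | awk -v r="$ROUTER_IP" '
        /-j DNAT/ && !seen_return { bad = 1 }
        $0 ~ ("-d " r " -j RETURN") { seen_return = 1 }
        END { exit bad ? 1 : 0 }'
}

# Number of DNAT rules emitted (80 and 443).
count_dnat() {
    nat_rules | grep -c -- '-j DNAT'
}

# Load the rules. Needs root; --noflush keeps the router's existing nat rules.
apply_rules() {
    check_order || { echo "refusing to load: RETURN is not before DNAT" >&2; return 1; }
    nat_rules | iptables-restore --noflush
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    nat_rules    # dry run: print what would be loaded
fi
```

Two caveats that the thread's own follow-up comment points at. With no internet connection the clients cannot resolve www.siteA.com at all, so the browser never opens the TCP connection these rules would catch; on dd-wrt the usual fix is to have dnsmasq answer every name with the webserver address (an `address=/#/172.16.0.2` line in the additional dnsmasq options). And sending port 443 to a plain HTTP listener on port 80 produces a TLS failure in the browser rather than a page, which is why a real captive portal terminates TLS or only intercepts port 80. After loading, `iptables -t nat -S PREROUTING` shows the chain in order and confirms the RETURN sits above the DNAT rules.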