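# Captive-portal NAT rules for the soft-AP: everything entering PREROUTING is
# sent through the custom nat chain "handysoftapd", which lets DHCP and DNS
# through to local services, blackholes all other UDP, and sends all TCP to the
# local login-page server on 127.0.0.1:8090.
#
# Layout: the page had these commands collapsed onto one line, so the first
# inline '#' turned every later command into comment text. They are restored
# here one command per line, tokens unchanged.
#
# NOTE(review): each entry repeats the binary path (executable, then argv[0]).
# That looks like an exec-style "path argv..." list rather than plain shell.
# Run from a shell, the second path would reach iptables as a stray argument.
# Confirm against whatever consumes this file before changing it.
#
# NOTE(review): the setup is not idempotent. --new fails if the chain already
# exists, and every -A appends a duplicate rule on re-run. No teardown is
# visible here.
#
# NOTE(review): these rules are IPv4 only. No ip6tables equivalent is visible,
# so any IPv6 traffic on the AP interface is not covered by them.

# Create the dedicated chain in the nat table (-w waits for the xtables lock).
/system/bin/iptables /system/bin/iptables -w -t nat --new handysoftapd

# Hook the chain into PREROUTING.
# NOTE(review): there is no -i/-s match, so packets arriving on every interface
# traverse this chain, not only soft-AP clients. Scoping the jump with
# "-i <SOFTAP_IFACE>" (placeholder) would limit the blast radius.
/system/bin/iptables /system/bin/iptables -w -t nat -A PREROUTING -j handysoftapd

# Allow DHCP. This rule matches before the catch-all UDP rule below, so port 67
# is not blackholed.
# NOTE(review): presumably the 0.0.0.0 target leaves DHCP to the local server;
# confirm how the target kernel treats DNAT to 0.0.0.0.
/system/bin/iptables /system/bin/iptables -w -t nat -A handysoftapd -p udp --dport 67 -j DNAT --to 0.0.0.0:67

# Allow DNS by steering UDP/53 to the resolver on loopback. DNAT to 127.0.0.1
# from PREROUTING depends on route_localnet (set at the end of this file).
# Only UDP is matched; DNS over TCP falls through to the TCP rule and lands on
# the portal port instead.
/system/bin/iptables /system/bin/iptables -w -t nat -A handysoftapd -p udp --dport 53 -j DNAT --to 127.0.0.1:53

# Disallow all other UDP (special handling for QUIC/VoIP, which would otherwise
# bypass the TCP redirect). The packet is dropped by rewriting its destination
# to an address/port where nothing listens.
# NOTE(review): this is a silent blackhole, not an explicit DROP/REJECT, so
# clients time out and the intent is easy to miss in an audit. nat rules are
# evaluated for the first packet of a flow only, so flows already tracked
# before these rules load are unaffected.
/system/bin/iptables /system/bin/iptables -w -t nat -A handysoftapd -p udp -j DNAT --to 0.0.0.1:1111

# Redirect TCP to our web server to show the captive login page.
# This matches every TCP port, 443 included, so TLS clients reach the portal
# listener instead of their intended host. The server on 8090 receives
# arbitrary Host headers and paths from unauthenticated clients and must treat
# them as untrusted input.
/system/bin/iptables /system/bin/iptables -w -t nat -A handysoftapd -p tcp -j DNAT --to 127.0.0.1:8090

# Enable routing of 127.0.0.0/8, which the DNAT-to-loopback rules above need.
# NOTE(review): "conf.all" applies this to every interface and weakens the
# usual guarantee that loopback-bound services are unreachable from the
# network. Prefer net.ipv4.conf.<SOFTAP_IFACE>.route_localnet (placeholder),
# and add filter-table rules so that only ports 53 and 8090 on 127.0.0.1 accept
# non-local traffic.
/system/bin/sysctl /system/bin/sysctl -w net.ipv4.conf.all.route_localnet=1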