Disabling NAT prerouting REDIRECT for 1 IP

I currently have a Raspberry Pi 3B+ (Raspbian Lite) with a Tomcat 9 server that hosts a captive portal / Java servlet to authenticate users. When the users are authenticated they should gain access to the internet, i.e. get forwarded to eth0. Users connect to my Pi router via wlan0 and the traffic then gets forwarded to eth0.

My idea is roughly:

Redirect port 80 and 443 traffic to my captive portal Tomcat server with NAT PREROUTING, so that someone who hasn't been authenticated yet gets redirected to my captive portal.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <Tomcat>:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <Tomcat>:443

And then block all traffic with FILTER INPUT, adding exceptions for my own Tomcat server and SSH.

# --dport only exists for tcp/udp, so the port rules need --protocol tcp;
# the DROP goes last because --append adds at the end and an earlier DROP would shadow the ACCEPTs
iptables --append INPUT --protocol tcp --dst <tomcat> --dport 80 --jump ACCEPT
iptables --append INPUT --protocol tcp --dst <tomcat> --dport 443 --jump ACCEPT
iptables --append INPUT --protocol tcp --dst <tomcat> --dport 22 --jump ACCEPT
iptables --append INPUT --protocol all --jump DROP

After users are authenticated I will simply "whitelist" their IPs:

# --insert puts the rule at the top, ahead of the catch-all DROP
iptables --insert INPUT --protocol all --src <USER_IP> --jump ACCEPT

But one thing I can't figure out is how to disable the NAT PREROUTING redirect for one IP, like I did with FILTER INPUT.

So I have two questions: How do I "whitelist" one IP in NAT PREROUTING? Is this iptables concept logical/secure, and does it work?