I am running the following script on a wifi gateway. The WAN side of the gateway has the ppp0 interface while the LAN side is on wlan0.

- No LAN user should be allowed to browse the internet
- Some services on the gateway need access to the internet, and that should be allowed
- LAN users should be allowed to access content from the gateway's LAN interface (traffic on ports 80 and 90, some local content, not the internet). Google Analytics is installed on that same local content, and it should be able to send its updates to the google-analytics.com servers.

My iptables firewall is as follows, but I'm constantly seeing issues reaching the google-analytics servers. Any help is appreciated.
```sh
WAN_INTERFACE="ppp0"
LAN_INTERFACE="wlan0"
LAN_NETWORK="192.168.184.0/24"
WAN_IP=$(ifconfig ppp0 | grep addr | cut -d':' -f2 | cut -d' ' -f1)

iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow only packets destined to port 80 and 443 out of gateway for content on Gateway itself
iptables -A OUTPUT -o $WAN_INTERFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_INTERFACE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Accept packets on LAN network for port 80,90
iptables -A INPUT -i $LAN_INTERFACE -p tcp -d 192.168.184.1 --dport 80 -s $LAN_NETWORK -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s 192.168.184.1 -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -p tcp -d 192.168.184.1 --dport 90 -s $LAN_NETWORK -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s 192.168.184.1 -j ACCEPT

# Accept loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow out going ping requests
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow out going DNS requests
iptables -A OUTPUT -p udp -o $WAN_INTERFACE --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i $WAN_INTERFACE --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -o $WAN_INTERFACE --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i $WAN_INTERFACE --sport 53 -j ACCEPT

# Allow google-analytics traffic to go out and come in
iptables -A INPUT -s www.google-analytics.com -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -s ssl.google-analytics.com -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -d google-analytics.com -j ACCEPT
iptables -A OUTPUT -d ssl.google-analytics.com -j ACCEPT
iptables -A FORWARD -d google-analytics.com -s 192.168.184.0/24 -j ACCEPT
iptables -A FORWARD -d ssl.google-analytics.com -s 192.168.184.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_INTERFACE -p tcp -d google-analytics.com -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -o $WAN_INTERFACE -p tcp -d ssl.google-analytics.com -j SNAT --to-source $WAN_IP
iptables -A INPUT -s google-analytics.com -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s ssl.google-analytics.com -m state --state RELATED,ESTABLISHED -j ACCEPT
```
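As an added example (not the post's own script), here is the same gateway layout written around connection tracking: one ESTABLISHED,RELATED rule per chain carries the reply direction, the FORWARD chain admits only LAN-to-analytics connections, and MASQUERADE replaces the parsed ppp0 address. It assumes the post's interfaces, network and gateway address (192.168.184.1); the `rules_as_text` dry-run helper is mine, not an iptables feature.

```sh
#!/bin/sh
# Added example, not the post's script. Assumes ppp0 is the WAN, wlan0 the LAN and
# 192.168.184.1 the gateway's LAN address. rules_as_text prints instead of applying.
IPT="${IPT:-iptables}"
WAN_INTERFACE="ppp0"
LAN_INTERFACE="wlan0"
LAN_NETWORK="192.168.184.0/24"
GATEWAY_LAN_IP="192.168.184.1"
# iptables resolves these names once, when the rule is loaded, and installs one rule
# per address; re-run the script when the addresses behind the names change.
ANALYTICS_HOSTS="www.google-analytics.com ssl.google-analytics.com"
apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback, then one stateful rule per chain: every rule below only has to
    # match the first packet of a connection; replies in both directions use these.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Gateway-local services: DNS, HTTP(S) and ping out over the WAN. DNS comes
    # first because the hostname rules further down need to resolve when loaded.
    $IPT -A OUTPUT -o $WAN_INTERFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o $WAN_INTERFACE -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o $WAN_INTERFACE -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # LAN clients may open connections only to the local content on ports 80 and 90.
    $IPT -A INPUT -i $LAN_INTERFACE -s $LAN_NETWORK -d $GATEWAY_LAN_IP -p tcp -m multiport --dports 80,90 -m state --state NEW -j ACCEPT
    # The only forwarded traffic is LAN -> analytics hosts on 80/443; the FORWARD
    # policy stays DROP, so general browsing from the LAN is blocked.
    for host in $ANALYTICS_HOSTS; do
        $IPT -A FORWARD -i $LAN_INTERFACE -o $WAN_INTERFACE -s $LAN_NETWORK -d $host -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    done
    # MASQUERADE uses whatever address ppp0 has right now, so no ifconfig parsing.
    $IPT -t nat -A POSTROUTING -o $WAN_INTERFACE -s $LAN_NETWORK -j MASQUERADE
}
rules_as_text() {
    IPT=echo
    apply_rules
}
case "${1:-print}" in
    apply) apply_rules ;;
    *) rules_as_text ;;
esac
```

Hostname matches are frozen to the addresses resolved at load time, so if the analytics hosts move to other addresses the loaded rules silently stop matching; re-running the script is the usual way to cope with that.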