This is probably an easy question, but I can't suss out the syntax.
Here is a mock setup of the IP structure (not real, but it gets the point across):
PRIVILEGED SOURCE NETWORKS (allow traffic coming from) - 10.1.1.0/24, 10.1.2.0/24
ALL OTHERS: 10.16.0.0/16
DESTINATION NETWORK (routed):
PRIVILEGED DESTINATIONS: 10.20.1.0/24, 10.20.1.0/24
ALL OTHERS ALLOWED: 10.20.0.0/16
If a packet arrives at the VyOS and the destination IP is a PRIVILEGED DESTINATION (10.20.1.0 or 10.20.2.0) and the source IP is NOT from a PRIVILEGED SOURCE, then deny; otherwise allow.
For all other packets, whose destination is NOT a PRIVILEGED DESTINATION, do nothing (allow all).
Another way to do it would be:
If a packet arrives at the VyOS and the destination IP is a PRIVILEGED DESTINATION (10.20.1.0 or 10.20.2.0) and the source IP is from a PRIVILEGED SOURCE, allow; otherwise deny.
I would prefer not to do NAT here if possible…
Pointers would be wonderful.
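The first variant described above (deny non-privileged sources to privileged destinations, allow everything else), written as an added example in VyOS 1.3 ("legacy") firewall syntax; it is not from the original post. The group names PRIV-SRC and PRIV-DST, the rule-set name PROTECT-PRIV and the interface eth0 are assumptions, the prefixes are the mock ones from the post, and VyOS 1.4 uses the newer `set firewall ipv4 ...` tree instead.

```vyos
# Added example (VyOS 1.3 syntax); names and interface are assumptions.
configure

# Network groups keep the rules readable and make later additions a one-liner.
set firewall group network-group PRIV-SRC description 'Sources allowed to reach privileged subnets'
set firewall group network-group PRIV-SRC network 10.1.1.0/24
set firewall group network-group PRIV-SRC network 10.1.2.0/24
set firewall group network-group PRIV-DST description 'Privileged destination subnets'
set firewall group network-group PRIV-DST network 10.20.1.0/24
set firewall group network-group PRIV-DST network 10.20.2.0/24

# Rule set: anything not explicitly handled below is allowed (the "do nothing" case).
set firewall name PROTECT-PRIV default-action accept
set firewall name PROTECT-PRIV description 'Restrict privileged destinations to privileged sources'

# Let replies to existing sessions through first, so the drop rule below
# never cuts a connection that was legitimately established.
set firewall name PROTECT-PRIV rule 10 action accept
set firewall name PROTECT-PRIV rule 10 state established enable
set firewall name PROTECT-PRIV rule 10 state related enable

# Privileged source -> privileged destination: allow.
set firewall name PROTECT-PRIV rule 20 action accept
set firewall name PROTECT-PRIV rule 20 source group network-group PRIV-SRC
set firewall name PROTECT-PRIV rule 20 destination group network-group PRIV-DST

# Anything else aimed at a privileged destination: drop and log it, so
# attempts from 10.16.0.0/16 are visible in the firewall log.
set firewall name PROTECT-PRIV rule 30 action drop
set firewall name PROTECT-PRIV rule 30 destination group network-group PRIV-DST
set firewall name PROTECT-PRIV rule 30 log enable

# Apply to transit traffic entering on the interface that faces the source
# networks. This is plain routed filtering; no NAT is involved.
set interfaces ethernet eth0 firewall in name PROTECT-PRIV

commit
save
```

After committing, `show firewall name PROTECT-PRIV statistics` shows per-rule packet counters, which is the quickest way to confirm that test traffic from 10.16.0.0/16 lands on rule 30 while 10.1.1.0/24 hits rule 20.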