I’m working on a custom build of VyOS 1.3 that’s running a local web content inspection process. To make the content inspection happen transparently for the LAN clients (192.168.98.0/24 in this example), I need to perform an internal firewall redirect for ports 80 and 443.
Currently I can achieve this in a non-persistent way by entering these commands at the terminal:
```
sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 80 counter redirect to :6502
sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 443 counter redirect to :6510
```
My question: is there a way to set up this transparent redirect using the VyOS config CLI? This would be ideal for two reasons:
- the actions would be visible in the usual `show configuration` command, and
- they’d persist across firewall config commits (theoretically I could make it persist using commit hooks, but would rather not if it’s easily avoided).
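One way to express the same redirect from the VyOS configuration, added here as an illustration and not part of the original post: a destination-NAT rule per port that translates to the router's own LAN address, which is the closest configuration-level equivalent of the nft `redirect` target used in the manual rules above. It assumes the LAN address of eth1 is 192.168.98.1 (the post does not state it) and uses the VyOS 1.3 destination-NAT keywords as I understand them (`destination address` with a leading `!` for negation, `translation address`, `translation port`); confirm each keyword with tab completion on your build before relying on it.

```vyos
# Added example, not from the original post. Assumes eth1 is 192.168.98.1.
# Destination NAT to the router's own address stands in for the nft
# 'redirect' target; both land the connection on the local inspector.
configure

# HTTP: LAN clients entering on eth1, bound for anything outside the LAN,
# are sent to the inspection process on port 6502.
set nat destination rule 10 description 'Transparent HTTP inspection'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination address '!192.168.98.0/24'
set nat destination rule 10 destination port '80'
set nat destination rule 10 translation address '192.168.98.1'
set nat destination rule 10 translation port '6502'

# HTTPS: same match, inspection process on port 6510.
set nat destination rule 20 description 'Transparent HTTPS inspection'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 destination address '!192.168.98.0/24'
set nat destination rule 20 destination port '443'
set nat destination rule 20 translation address '192.168.98.1'
set nat destination rule 20 translation port '6510'

commit
save
exit

# Verify from operational mode: the rules as VyOS sees them, then the
# nftables rules it generated in the same chain the manual commands used.
show nat destination rules
sudo nft list chain ip nat PREROUTING
```

Two things to check after committing: the inspection process must listen on 192.168.98.1 (or on all addresses), not only on 127.0.0.1, because DNAT delivers the packets to that address rather than to whatever address the `redirect` target would have picked; and because VyOS regenerates the `ip nat` table on every commit, any rule you still add by hand with `nft` will keep disappearing, whereas these rules are re-created with the rest of the configuration. If your build rejects the `!` negation, the same effect can be had with a lower-numbered rule that matches `destination address '192.168.98.0/24'` and carries `exclude`, so LAN-to-LAN traffic skips the translation.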