I’m working on a custom build of VyOS 1.3 that’s running a local web content inspection process. To make the content inspection happen transparently for the LAN clients (192.168.98.0/24 in this example), I need to perform an internal firewall redirect for ports 80 and 443.
Currently I can achieve this in a non-persistent way by entering these commands at the terminal:
sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 80 counter redirect to :6502
sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 443 counter redirect to :6510
My question: is there a way to set up this transparent redirect using the VyOS config CLI? This would be ideal for two reasons:
the actions would be visible in the usual show configuration command, and
they’d persist across firewall config commits. (theoretically I could make it persist using commit hooks, but would rather not if it’s easily avoided)
I think that it’s possible to use a nat destination rule and redirect these ports; it may be clearer if you check our documentation, where there are some examples:
This is very close to what I’m wanting above in my original post. The main difference is that
here we’re applying an action of dnat to 192.168.98.1:<port>
rather than my original post where we simply redirect to :<port>
Functionally, it’s looking like this dnat action mentioned above is doing what I want it to; however, the purist in me would like to know: is it possible to invoke the “cleaner” redirect action from the VyOS CLI?
Would the maintainers consider extending the CLI functionality here to automatically use redirect if the destination IP is not specified?
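For reference, here is the dnat workaround discussed above written out as VyOS 1.3 CLI statements, with the nftables rule each one produces noted beside it. This is an added example, not configuration from the thread or from the VyOS project; it assumes 192.168.98.1 is the router's own address on eth1 and that the `!` negation on the destination address is accepted by your build (verify with `commit`), and it keeps the inspection ports 6502/6510 from the original post.

```text
# Rule 10: HTTP from LAN clients on eth1, bound for anywhere outside the LAN,
# handed to the local inspection listener on 6502.
# nftables result: ... tcp dport 80 dnat to 192.168.98.1:6502
set nat destination rule 10 description 'Transparent HTTP inspection'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination address '!192.168.98.0/24'
set nat destination rule 10 destination port '80'
set nat destination rule 10 translation address '192.168.98.1'
set nat destination rule 10 translation port '6502'

# Rule 20: same for HTTPS, listener on 6510.
# nftables result: ... tcp dport 443 dnat to 192.168.98.1:6510
set nat destination rule 20 description 'Transparent HTTPS inspection'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 destination address '!192.168.98.0/24'
set nat destination rule 20 destination port '443'
set nat destination rule 20 translation address '192.168.98.1'
set nat destination rule 20 translation port '6510'

commit
save

# Check what actually landed in the kernel, and compare with the manual
# "redirect to :6502" rules from the original post. The only difference is
# that dnat carries an explicit address (192.168.98.1) where redirect would
# use the primary address of the incoming interface automatically.
# sudo nft list chain ip nat PREROUTING
```

The `!192.168.98.0/24` match keeps LAN-to-LAN traffic (including traffic already addressed to the inspection listener) out of the redirect, mirroring the `ip daddr !=` condition in the hand-typed nft rules.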
I don’t think that’s quite the correct way to do this. What I’d like to see is an additional nat action called redirect at the same level as translate that, if invoked, would use the redirect action in nftables instead of the dnat or snat actions.
I’ve played around with customizing VyOS before but can’t quite figure out where I would start if I’d want to build this myself. Can someone point me at the correct starting point? Or maybe just do it, since it could be relatively simple?