Perform transparent local firewall redirect with CLI

I’m working on a custom build of VyOS 1.3 that’s running a local web content inspection process. To make the content inspection happen transparently for the LAN clients (192.168.98.0/24 in this example), I need to perform an internal firewall redirect for ports 80 and 443.

Currently I can achieve this in a non-persistent way by entering these commands at the terminal:

sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 80 counter redirect to :6502
sudo nft add rule ip nat PREROUTING iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 443 counter redirect to :6510

My question: is there a way to set up this transparent redirect using the VyOS config CLI? This would be ideal for two reasons:

  1. the actions would be visible in the usual show configuration command, and
  2. they’d persist across firewall config commits. (theoretically I could make it persist using commit hooks, but would rather not if it’s easily avoided)

Thanks!

Hi

I think that it’s possible to use a NAT destination rule and redirect these ports. It may be clearer if you check our documentation; there are some examples:

https://docs.vyos.io/en/equuleus/configuration/nat/index.html

Aha! Thanks for those tips @fernando. With some tinkering, I arrived at:

nat {
    destination {
        rule 5 {
            destination {
                address !192.168.98.0/24
                port 80
            }
            inbound-interface eth1
            protocol tcp
            source {
            }
            translation {
                address 192.168.98.1
                port 6502
            }
        }
        rule 6 {
            destination {
                address !192.168.98.0/24
                port 443
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.98.1
                port 6510
            }
        }
    }
}

Which produces the following nftables rules in table nat, chain PREROUTING:

iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport { 80 } counter packets 6 bytes 312 dnat to 192.168.98.1:6502 comment "DST-NAT-5"
iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport { 443 } counter packets 21 bytes 1092 dnat to 192.168.98.1:6510 comment "DST-NAT-6"

This is very close to what I’m wanting above in my original post. The main difference is that here we’re applying an action of dnat to 192.168.98.1:<port> rather than my original post where we simply redirect to :<port>.

Functionally, it’s looking like this dnat action mentioned above is doing what I want it to, however, the purist in me would like to know: Is it possible to invoke the “cleaner” redirect action from the VyOS CLI?
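To confirm that the resulting PREROUTING chain really gives transparent redirection for each port, here is an added check (not from the thread or from VyOS) that parses rule lines in the format quoted above, using constructed sample lines, and reports any port whose rule is missing, does not exclude the LAN subnet, or lands on the wrong local port. It also tells apart the dnat form VyOS generates from the plain redirect form used in the original post.

```python
import re

# Constructed sample output in the style of `nft list chain ip nat PREROUTING`:
# the two dnat rules VyOS generated plus one hand-added redirect rule.
SAMPLE_RULES = """\
iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport { 80 } counter packets 6 bytes 312 dnat to 192.168.98.1:6502 comment "DST-NAT-5"
iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport { 443 } counter packets 21 bytes 1092 dnat to 192.168.98.1:6510 comment "DST-NAT-6"
iifname "eth1" ip daddr != 192.168.98.0/24 tcp dport 80 counter packets 0 bytes 0 redirect to :6502
"""

# Matches both `dnat to <addr>:<port>` and `redirect to :<port>` actions.
RULE_RE = re.compile(
    r'iifname "(?P<iif>[^"]+)" ip daddr (?P<neg>!= )?(?P<daddr>\S+) '
    r'tcp dport (?:\{ )?(?P<dport>\d+)(?: \})? counter packets \d+ bytes \d+ '
    r'(?:dnat to (?P<dnat_addr>[\d.]+):(?P<dnat_port>\d+)|redirect to :(?P<redir_port>\d+))'
)


def parse_rules(text):
    """Parse nft rule lines into dicts; lines that do not look like a redirect/dnat rule are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "iif": d["iif"],
            "excludes_lan": d["neg"] is not None,   # `ip daddr != <lan>` present
            "daddr": d["daddr"],
            "dport": int(d["dport"]),
            "kind": "redirect" if d["redir_port"] else "dnat",
            "to_addr": d["dnat_addr"],              # None for the redirect form
            "to_port": int(d["redir_port"] or d["dnat_port"]),
        })
    return rules


def check_redirects(rules, expected, lan="192.168.98.0/24", iif="eth1"):
    """Return a list of problems; empty means every expected port is transparently redirected."""
    problems = []
    for dport, to_port in expected.items():
        hits = [r for r in rules if r["dport"] == dport and r["iif"] == iif]
        if not hits:
            problems.append(f"no rule for tcp/{dport} on {iif}")
            continue
        r = hits[0]  # first matching rule wins in nftables chain order
        if not (r["excludes_lan"] and r["daddr"] == lan):
            problems.append(f"tcp/{dport}: rule does not exclude LAN {lan}")
        if r["to_port"] != to_port:
            problems.append(f"tcp/{dport}: lands on port {r['to_port']}, expected {to_port}")
    return problems
```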

Did you try to just leave out the new destination IP address under ?

I did try to leave the destination IP parameter out, and it throws an error on commit – apparently it’s required.

Would the maintainers consider extending the CLI functionality here to automatically use redirect if the destination IP is not specified? :thinking:

Would the maintainers consider extending the CLI functionality here to automatically use redirect if the destination IP is not specified?

I don’t think that’s quite the correct way to do this. What I’d like to see is an additional NAT action called redirect at the same level as translate that, if invoked, would use the redirect action in nftables instead of the dnat or snat actions.
I’ve played around with customizing VyOS before but can’t quite figure out where I would start if I’d want to build this myself. Can someone point me at the correct starting point? Or maybe just do it, since it could be relatively simple?