Hi All,
We are trying to set up an open source replacement. We mean to make it inline so as not to make too many changes to our network.
So I've used this as a rough guide and adapted it to use nftables for the packet mangling:
http://www.theopensourcerer.com/2014...ubuntu-server/
It does work, however the result is that all web traffic is getting NAT'd to the filter's bridge IP address. On the other hand, our old web filtering box doesn't seem to do any NAT magic, it simply inspects the traffic and, if allowed, passes the packet along unmangled, i.e. source IP intact. Dunno how they did it, it seems technically impossible to forward the packet to the web filtering process w/o mangling it first.
Any ideas on how to achieve this? This is the nftables script I used on the bridge interface:
# MAC address of the filter's bridge interface (placeholder value)
BRIDGE_MAC=12:34:56:78:90:ab
# Bridge-family table: rewrite the destination MAC of HTTP/HTTPS frames so the
# local IP stack accepts them instead of just forwarding them across the bridge
nft add table bridge table1
nft add chain bridge table1 chain1 { type filter hook prerouting priority 0\; }
nft add rule bridge table1 chain1 tcp dport 80 meta pkttype set host ether daddr set $BRIDGE_MAC counter
nft add rule bridge table1 chain1 tcp dport 443 meta pkttype set host ether daddr set $BRIDGE_MAC counter
# inet-family NAT table: redirect the now-locally-delivered traffic to the proxy ports
nft add table inet table2
nft add chain inet table2 chain2 { type nat hook prerouting priority 0\; }
nft add rule inet table2 chain2 tcp dport 80 counter redirect to 8080
nft add rule inet table2 chain2 tcp dport 443 counter redirect to 8443
Thanks