Migrate Tor-related firewall rules to fw4

I have a subnet (and VLAN) where everything is routed to the internet via Tor.
Until now I needed the following 3 additional iptables rules in /etc/firewall.user:

# DNS requests on port 53 are redirected to port 9053
iptables -t nat -A prerouting_tor_rule -i br-lan.4 -p udp --dport 53 -j REDIRECT --to-ports 9053
# All TCP requests are redirected to port 9040
iptables -t nat -A prerouting_tor_rule -i br-lan.4 -p tcp --syn -j REDIRECT --to-ports 9040
# when using tor on this box to resolve DNS requests, .onion addresses are translated to this range
iptables -t nat -A prerouting_tor_rule -d 10.192.0.0/16 -p tcp --syn -j REDIRECT --to-ports 9040

Now iptables has been replaced by nftables and I'm thinking about how to bring these 3 rules into the fw4 world.
Instead of using user-defined nftables commands again, I would prefer a direct rule within /etc/config/firewall.

Anyone have any ideas?
Thanks a lot already!

I tried to transfer the first rule to fw4 - would this approach be correct?

config redirect
        option target 'DNAT'
        option name 'tor-redirect-53-to-9053'
        list proto 'udp'
        option src 'tor'
        option src_dport '53'
        option dest_ip '192.168.4.2'
        option dest_port '9053'

Omit the option dest_ip to turn the DNAT into a redirect rule.

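Following the reply above, all three iptables rules from the first post can be mapped to config redirect sections that carry no dest_ip. The Python script below is an added example, not part of the thread and not OpenWrt tooling; the interface-to-zone table, the generated section names and the default zone used for the rule without -i are assumptions.

```python
import shlex

# The three rules quoted in the first post (comment lines dropped).
RULES = """\
iptables -t nat -A prerouting_tor_rule -i br-lan.4 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A prerouting_tor_rule -i br-lan.4 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A prerouting_tor_rule -d 10.192.0.0/16 -p tcp --syn -j REDIRECT --to-ports 9040
"""

# Assumption: br-lan.4 is a member of the firewall zone 'tor' (zone name from the second post).
ZONES = {"br-lan.4": "tor"}

# iptables match -> fw4 redirect option. --syn has no counterpart and is not needed:
# NAT chains only see the first packet of each connection.
OPTS = {"-p": "proto", "--dport": "src_dport", "-d": "src_dip", "--to-ports": "dest_port"}


def to_redirect(rule, name, default_zone="tor"):
    """Turn one 'iptables -t nat ... -j REDIRECT' line into a config redirect section."""
    args = shlex.split(rule)
    if args[args.index("-j") + 1] != "REDIRECT":
        raise ValueError("only -j REDIRECT rules are handled")
    iface = args[args.index("-i") + 1] if "-i" in args else None
    if iface is not None and iface not in ZONES:
        raise ValueError(f"no zone known for interface {iface}")
    # A redirect section needs a source zone. A rule without -i gets default_zone,
    # which narrows it from "any interface" to that one zone.
    opts = {"name": name, "target": "DNAT", "src": ZONES[iface] if iface else default_zone}
    # Assumption: a section without src_dport matches every destination port.
    for flag, option in OPTS.items():
        if flag in args:
            opts[option] = args[args.index(flag) + 1]
    # dest_ip is never written: per the reply, omitting it turns the DNAT into a redirect.
    lines = ["config redirect"] + [f"        option {k} '{v}'" for k, v in opts.items()]
    return "\n".join(lines)


def convert(text):
    """Convert every iptables line in text; sections are separated by a blank line."""
    rules = [line for line in text.splitlines() if line.startswith("iptables")]
    return "\n\n".join(to_redirect(r, f"tor-redirect-{i}") for i, r in enumerate(rules, 1))


if __name__ == "__main__":
    print(convert(RULES))
```

The printed sections go into /etc/config/firewall; the generated ruleset can be inspected with fw4 print before the firewall is restarted.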