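#!/usr/sbin/nft -f
#
# Host firewall plus NAT gateway.
#  - IPv4 input: default drop; loopback, ICMP, IGMP and reply traffic accepted;
#    SSH accepted only from the two private ranges ($LAN_NET, $WAN_NET).
#  - IPv4 forward: default drop; only new LAN -> WAN HTTP/HTTPS/DNS flows from
#    $LAN_NET (and their replies) are forwarded, then masqueraded on $WAN_IF.
#  - IPv6: every hook has policy drop and no rules, so IPv6 is fully disabled
#    on this host (this includes ICMPv6 / neighbour discovery).
#
# Interface matches use iifname/oifname (match by name) rather than iif/oif:
# iif/oif resolve to an interface index when the ruleset is loaded, so the
# file fails to load if the interface does not exist yet (e.g. at early boot),
# and the match breaks if the index changes. Matching by name avoids both.

define WAN_IF  = enp1s0
define WAN_IP  = 192.168.122.254   # currently unused by any rule
define WAN_NET = 192.168.122.0/24
define LAN_IF  = enp10s0
define LAN_IP  = 10.0.100.254      # currently unused by any rule
define LAN_NET = 10.0.100.0/24

flush ruleset

# IPv6: drop everything in every direction (no exceptions, not even ICMPv6).
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
	}
	chain OUTPUT {
		type filter hook output priority filter; policy drop;
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
}

table ip filter {
	# Services the host itself offers to the private ranges.
	# Only reached via the jump in chain input below.
	chain input_LAN {
		ct state new tcp dport ssh counter accept comment "Accept SSH (port 22)"
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif lo accept comment "Accept any localhost traffic"
		ct state invalid drop comment "Drop invalid connections"
		ct state established,related accept comment "Accept traffic originated from us"
		# ICMP/IGMP are accepted unconditionally (no type filter, no rate limit).
		meta l4proto icmp counter accept comment "Accept ICMP"
		ip protocol igmp counter accept comment "Accept IGMP"
		ip saddr { $LAN_NET, $WAN_NET } jump input_LAN comment "Connections from private IP address ranges"
	}

	chain forward {
		# Default deny. The host IS a gateway for a small set of flows:
		# new TCP 80/443 and TCP/UDP 53 from $LAN_NET arriving on $LAN_IF and
		# leaving on $WAN_IF, plus the replies to those flows. Source NAT for
		# them is done in table ip nat below.
		type filter hook forward priority filter; policy drop;
		ct state invalid drop comment "Drop invalid connections"
		ct state established,related accept comment "Accept traffic originated from us"
		iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET ct state new tcp dport { http, https } counter accept comment "Accept HTTP (ports 80, 443)"
		iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET ct state new udp dport { 53 } counter accept comment "Accept UDP DNS"
		iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET ct state new tcp dport { 53 } counter accept comment "Accept TCP DNS"
	}

	chain output {
		# Accept every outbound connection
		type filter hook output priority filter; policy accept;
	}
}

# Source NAT for traffic leaving via the WAN interface. Only flows the forward
# chain above allowed (and the host's own traffic) ever reach postrouting here.
# Family is stated explicitly; a bare "table nat" would default to ip as well.
table ip nat {
	chain masquerading {
		type nat hook postrouting priority srcnat;
		oifname $WAN_IF masquerade;
	}
}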