debian 12 nft Qotom router firewall
#!/usr/sbin/nft -f
# Loaded with `nft -f`: "flush ruleset" discards every existing table, chain
# and rule first, so the definitions below replace the active ruleset rather
# than being appended to whatever is already loaded.
flush ruleset
# IPv4 NAT table: source-NAT (masquerade) for everything leaving "wan".
table ip nat {
    # Pre-routing NAT hook. No DNAT / port-forwarding rules are defined,
    # so this chain only registers with its default accept policy.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }

    # Post-routing NAT hook: packets leaving the WAN interface get their
    # source address rewritten to that interface's address.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade # NAT for the WAN interface
    }
}
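# IPv4 filter table: input (to the router), forward (through the router),
# output (from the router).
table ip filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop; # Drop all incoming traffic by default

        # Replies to connections the router opened; packets that belong to
        # no known connection (malformed / out-of-window) are dropped.
        ct state established,related accept
        ct state invalid drop

        # Loopback and everything arriving from the LAN bridge.
        # NOTE: this blanket accept already covers DNS (53), DHCP (67/68) and
        # NTP (123) from brs0, so per-service LAN rules placed after it would
        # never match; narrow this rule instead if LAN access to the router
        # is to be restricted to specific services.
        iifname "lo" accept
        iifname "brs0" accept

        # ICMP (ping, path MTU discovery, ...) from any interface, WAN included.
        ip protocol icmp accept

        # Service on port 6969 is reachable on every interface, including "wan".
        tcp dport 6969 accept
        udp dport 6969 accept
    }

    # Traffic routed between interfaces (LAN <-> WAN).
    chain forward {
        type filter hook forward priority 0; policy drop; # Nothing is forwarded unless a rule below allows it

        # Return traffic for connections opened from the LAN (masqueraded in
        # the nat table); packets matching no connection are dropped.
        ct state established,related accept
        ct state invalid drop

        # LAN (brs0) may open connections towards the WAN (wan).
        iifname "brs0" oifname "wan" accept

        # LAN-to-LAN traffic crossing the router (only reaches this hook if
        # bridged traffic is passed through netfilter, e.g. via br_netfilter).
        iifname "brs0" oifname "brs0" accept

        # Unsolicited wan -> brs0 connections are not accepted; replies to
        # LAN-initiated connections are covered by the established,related
        # rule above. If DNAT rules are added to nat/prerouting later, a
        # matching forward accept for that traffic is required here.
    }

    # Traffic originating from the router itself.
    chain output {
        type filter hook output priority 10; policy accept; # Allow all outgoing traffic
    }
}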