saudiqbal · May 26, 2024 16:39
diff --git a/nftables.conf b/nftables.conf
 #!/usr/sbin/nft -f

 flush ruleset

 # ----- IPv4 -----
 table ip filter {
 	chain input {
 		type filter hook input priority 0;
 		# accept traffic originated from us
 		ct state {established, related} accept
 		# loopback
 		iifname lo accept

 		# accept all icmp
 		meta l4proto icmp accept
 		meta l4proto igmp accept
 		#ip protocol icmp accept

 		# allow incoming broadcast and multicast (e.g. NTP)
 		pkttype { broadcast,multicast} accept

 		tcp dport { 22, 443 } accept
 		udp dport { 443 } accept

 		meta l4proto udp reject
 		meta l4proto tcp reject
 		reject
 	}

 	chain forward {
 		type filter hook forward priority 0;
 		iifname "ens18" oifname "vpns0" accept;
 		iifname "vpns0" oifname "ens18" accept;
 	}

 	chain output {
 		type filter hook output priority 0;
 	}
 }


 # ----- IPv6 -----
 table ip6 filter {
 	chain input {
 		type filter hook input priority 0;

 		# accept traffic originated from us
 		ct state {established, related} accept

 		# loopback
 		iifname lo accept

 		# accept all icmp
 		meta l4proto ipv6-icmp accept
 		#ip6 ecn not-ect accept

 		# accept DHCPv6
 		udp dport 546 ip6 saddr { fc00::/7, fe80::/10 } accept
 		#ip6 saddr fe80::/10 accept
 		#ip6 saddr fc00::/7 accept

 		# allow incoming broadcast and multicast (e.g. NTP)
 		pkttype { broadcast,multicast} accept

 		tcp dport { 22, 443 } accept
 		udp dport { 443 } accept

 		meta l4proto udp reject
 		meta l4proto tcp reject
 		reject
 	}

 	chain forward {
 		type filter hook forward priority 0;
 		iifname "ens18" oifname "vpns0" accept;
 		iifname "vpns0" oifname "ens18" accept;
 	}

 	chain output {
 		type filter hook output priority 0;
 	}
 }

 # ----- IPv4 NAT -----
 table ip nat {
 	chain PREROUTING {
 		type nat hook prerouting priority filter; policy accept;
 	}

 	chain POSTROUTING {
 		type nat hook postrouting priority srcnat; policy accept;
 		oifname "ens18" masquerade
 	}
 }

 # ----- IPv6 NAT -----
 table ip6 nat {
 	chain PREROUTING {
 		type nat hook prerouting priority filter; policy accept;
 	}
 	chain POSTROUTING {
 		type nat hook postrouting priority srcnat; policy accept;
 		oifname "ens18" masquerade
 	}
 }
	#!/usr/sbin/nft -f

	flush ruleset

	# ----- IPv4 -----
	table ip filter {
	chain input {
	type filter hook input priority 0;
	# accept traffic originated from us
	ct state {established, related} accept
	# loopback
	iifname lo accept

	# accept all icmp
	meta l4proto icmp accept
	meta l4proto igmp accept
	#ip protocol icmp accept

	# allow incoming broadcast and multicast (e.g. NTP)
	pkttype { broadcast,multicast} accept

	tcp dport { 22, 443 } accept
	udp dport { 443 } accept

	meta l4proto udp reject
	meta l4proto tcp reject
	reject
	}

	chain forward {
	type filter hook forward priority 0;
	iifname "ens18" oifname "vpns0" accept;
	iifname "vpns0" oifname "ens18" accept;
	}

	chain output {
	type filter hook output priority 0;
	}
	}


	# ----- IPv6 -----
	table ip6 filter {
	chain input {
	type filter hook input priority 0;

	# accept traffic originated from us
	ct state {established, related} accept

	# loopback
	iifname lo accept

	# accept all icmp
	meta l4proto ipv6-icmp accept
	#ip6 ecn not-ect accept

	# accept DHCPv6
	udp dport 546 ip6 saddr { fc00::/7, fe80::/10 } accept
	#ip6 saddr fe80::/10 accept
	#ip6 saddr fc00::/7 accept

	# allow incoming broadcast and multicast (e.g. NTP)
	pkttype { broadcast,multicast} accept

	tcp dport { 22, 443 } accept
	udp dport { 443 } accept

	meta l4proto udp reject
	meta l4proto tcp reject
	reject
	}

	chain forward {
	type filter hook forward priority 0;
	iifname "ens18" oifname "vpns0" accept;
	iifname "vpns0" oifname "ens18" accept;
	}

	chain output {
	type filter hook output priority 0;
	}
	}

	# ----- IPv4 NAT -----
	table ip nat {
	chain PREROUTING {
	type nat hook prerouting priority filter; policy accept;
	}

	chain POSTROUTING {
	type nat hook postrouting priority srcnat; policy accept;
	oifname "ens18" masquerade
	}
	}

	# ----- IPv6 NAT -----
	table ip6 nat {
	chain PREROUTING {
	type nat hook prerouting priority filter; policy accept;
	}
	chain POSTROUTING {
	type nat hook postrouting priority srcnat; policy accept;
	oifname "ens18" masquerade
	}
	}