#!/usr/bin/nft -f

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

# some codes from https://wiki.archlinux.org/title/Nftables

# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset

table inet my_table {

	chain my_input {
		type filter hook input priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid connections"
		ct state {established, related} accept comment "allow tracked connections"
		iifname lo accept comment "allow from loopback"
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		#tcp dport ssh accept
		#tcp dport qbt-nox accept
		#tcp dport searx accept
		tcp dport qrcp accept
		udp dport mdns accept
		tcp dport qbt accept
		udp dport qbt accept
		tcp dport monerod-p2p accept
		#tcp dport iperf3 accept
		#udp dport wireguard accept

		# insp to ia udp2raw wireguard
		#ip saddr 89.213.174.92 tcp sport 60711 drop

		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter comment "count any other traffic"
	}

	chain my_forward {
		type filter hook forward priority filter
		policy drop
		# Drop everything forwarded to us. We do not forward. That is routers job.
		# next two lines are needed for phantun
		iifname pt0 accept
		oifname pt0 accept
	}

	chain my_output {
		type filter hook output priority filter
		policy accept
		# Accept every outbound connection
	}
}

table inet nat {
	# needed for phantun https://github.com/dndx/phantun
	# note here is postrouting not prerouting, server side phantun config is prerouting instead
	chain postrouting {
		type nat hook postrouting priority srcnat
		policy accept
		iifname pt0 oif enp3s0 masquerade
		iifname pt0 oif wlp2s0 masquerade
	}
}