#!/usr/bin/nft -f

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

# references, some codes from:
# https://wiki.archlinux.org/title/Nftables
# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT

# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset

define pub_iface = "eth0"
define wg_iface = "wg0"

table inet my_table {

	chain my_input {
		type filter hook input priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid connections"
		ct state {established, related} accept comment "allow tracked connections"
		iifname lo accept comment "allow from loopback"
		iifname $wg_iface accept comment "allow from wireguard"
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		tcp dport ssh accept
		#tcp dport qbt-nox accept
		tcp dport qbt accept
		udp dport qbt accept
		#tcp dport iperf3 accept
		udp dport wireguard accept
		tcp dport 60711 accept
		#tcp dport 59083 accept

		# insp to ia udp2raw wireguard, not sure if needed
		ip daddr 89.213.174.92 tcp dport 60711 drop

		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter comment "count any other traffic"
	}

	chain my_forward {
		type filter hook forward priority filter
		policy drop
		# Drop everything forwarded to us. We do not forward. That is routers job.

		# needed for wireguard?
		#iifname $wg_iface oifname $pub_iface accept
		#iifname $pub_iface oifname $wg_iface accept
		iifname $wg_iface accept
		oifname $wg_iface accept
		#iifname pt0 accept
		#oifname pt0 accept
	}

	chain my_output {
		type filter hook output priority filter
		policy accept
		# Accept every outbound connection
	}
}

# needed to wireguard NAT masquerade VPN traffic
# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
table inet nat {
	# needed for phantun
	# note here is prerouting not postrouting, client side phantun config is postrouting instead
	#chain prerouting {
	#	type nat hook prerouting priority dstnat
	#	policy accept
	#	iif $pub_iface tcp dport 59083 dnat ip to 10.0.2.2
	#	iif $pub_iface tcp dport 59083 dnat ip6 to fdc9:281f:04d7:9eeb::2
	#}
	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
	chain postrouting {
		type nat hook postrouting priority 100
		policy accept
		oifname $pub_iface masquerade
	}
}