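#!/usr/sbin/nft -f
# Router firewall + NAT ruleset. This is a Jinja template: the {{ }} / {% %}
# tags are rendered before nft loads the file.
#
# NOTE(review): lan_interface / wan_interface are matched with `iif`/`oif`,
# which resolve the interface index when the ruleset is loaded. If the WAN
# device can be absent at load time (e.g. a dial-up/PPP link), loading fails;
# `iifname`/`oifname` would tolerate that — confirm against the deployment.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # drop packets conntrack cannot classify before any accept rule
        # below gets a chance to match them
        ct state invalid drop

        # allow established/related
        ct state established,related accept

        # allow loopback
        iif lo accept

        # allow icmp and icmpv6
        # meta l4proto matches ICMPv6 even when IPv6 extension headers sit
        # in front of it; `ip6 nexthdr ipv6-icmp` only checks the first
        # next-header field and so misses those packets
        meta l4proto { icmp, ipv6-icmp } accept

{% if dhcp_enable %}
        # allow dhcp (server port 67) from the lan side only
        iif {{ lan_interface }} udp dport 67 accept
{% endif %}

        # allow incoming firewall rules (inventory-defined)
        # rule.source is matched with `ip saddr`, so each entry must be an
        # IPv4 address or prefix; rule.interface defaults to the lan interface
{% for rule in incoming_firewall_rules %}
        # {{ rule.name }}
        iif {{ rule.interface | default(lan_interface) }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
{% endfor %}
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # same invalid-state drop as in input, ahead of every accept rule
        ct state invalid drop

        # allow established/related
        ct state established,related accept

{% if wireguard_enabled %}
        # allow wireguard traffic
        # neither rule restricts the other interface, so peers can reach any
        # interface (lan hosts and other peers included); restrict with oif
        # if peers should only be able to reach the wan
        iifname "wt*" accept
        oifname "wt*" accept

        # allow wireguard to internet (exit node)
        # already covered by the unrestricted iifname rule above; kept for clarity
        iifname "wt*" oif {{ wan_interface }} accept
{% endif %}

        # allow forwarding from lan to wan
        iif {{ lan_interface }} oif {{ wan_interface }} accept

        # accept port-forwarded traffic into the lan; the prerouting dnat in
        # the nat table has already rewritten daddr to forward.dst by now
{% for forward in nat_port_forwards %}
        # {{ forward.name }}
        iif {{ wan_interface }} oif {{ lan_interface }} ip daddr {{ forward.dst }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} accept
{% endfor %}
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# IPv4-only NAT: IPv6 forwarded by the inet filter table is not translated
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # nat masquerade from any to wan
        oif {{ wan_interface }} masquerade
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # port forwards: external and internal port are both forward.port
{% for forward in nat_port_forwards %}
        # {{ forward.name }}
        iif {{ wan_interface }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} dnat to {{ forward.dst }}:{{ forward.port }}
{% endfor %}
    }
}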