nftables (IPv4) ruleset for a LAN/WAN router: DNAT port forwarding that works for both external (WAN) clients and internal LAN clients via hairpin NAT, plus a basic input/forward filter.
#!/sbin/nft -f
# Drops every existing table in every family (including any ip6/inet tables
# that were loaded separately) before the ones defined below are created.
flush ruleset

# Upstream (internet-facing) interface.
define wan_if = "ppp0"
# Downstream (LAN) interfaces; a set, so more than one can be listed.
define lan_if = { "eth0" }
# This host's LAN address. NOTE(review): not referenced by any rule in this
# file -- the hairpin NAT below uses masquerade rather than snat to $lan_ip.
define lan_ip = 192.168.1.1

# Port published on this router ($fwd_dnat) and the LAN host:port that
# connections to it are translated to ($fwd_ip:$fwd_port).
define fwd_dnat = 2000
define fwd_ip = 192.168.1.2
define fwd_port = 8000
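# IPv4 NAT: publish $fwd_ip:$fwd_port as port $fwd_dnat for both external
# clients (arriving on $wan_if) and LAN clients (hairpin), and masquerade
# everything leaving via $wan_if.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# External clients: rewrite the destination of WAN traffic that hits
		# the published port.
		iifname $wan_if tcp dport $fwd_dnat counter dnat to $fwd_ip:$fwd_port comment "external forwarding"
		# LAN clients connecting to one of this host's own addresses (e.g.
		# its public WAN address) on the published port get the same DNAT.
		iifname $lan_if tcp dport $fwd_dnat fib daddr . iif type { local, broadcast, multicast } counter dnat to $fwd_ip:$fwd_port comment "internal forwarding"
		counter comment "accepted"
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Hairpin case only: LAN-originated connections that were DNATed above
		# are source-NATed to this host so the target's replies come back
		# through the router (where conntrack un-DNATs them) instead of going
		# straight to the LAN client. WAN-originated DNATed traffic is
		# deliberately NOT masqueraded, so the target host still sees the real
		# client address for its logs, rate limiting and fail2ban-style
		# tooling. This relies on $fwd_ip routing replies to external clients
		# via this host (i.e. this host is its default gateway); if that is
		# not the case, drop the `iifname $lan_if ct status dnat` match.
		iifname $lan_if ct status dnat ip daddr $fwd_ip tcp dport $fwd_port counter masquerade comment "hairpin masquerading"
		# Everything leaving on the internet interface gets the address of
		# $wan_if as its source.
		oifname $wan_if counter masquerade comment "internet masquerading"
	}
}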
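# IPv4 filter. NOTE(review): only the `ip` family is covered -- if IPv6 is
# enabled on $wan_if it is not filtered by this ruleset at all, and the
# `flush ruleset` at the top removes any ip6/inet table loaded elsewhere.
table ip firewall {
	chain incoming {
		# Default-deny: the final reject below is the intended catch-all; the
		# drop policy is defence in depth should that rule ever be removed.
		type filter hook input priority filter; policy drop;
		ct state { invalid } counter drop comment "invalid state"
		tcp dport 0 counter drop comment "invalid port"
		# Loopback-addressed packets may only arrive on lo (martians).
		iif != "lo" ip daddr 127.0.0.1/8 counter drop comment "locally addressed"
		iif "lo" counter accept comment "internal"
		# Every LAN host may reach every local service; tighten this if the
		# LAN is not fully trusted.
		iifname $lan_if counter accept comment "local"
		ct state { established, related } counter accept comment "established"
		# All ICMP types are accepted from every interface, including echo
		# requests from the internet; add a `limit rate` or restrict
		# `icmp type` here if that is not wanted.
		ip protocol icmp counter accept comment "icmp"
		counter reject comment "unknown"
	}
	chain forward {
		# Default-deny, same reasoning as the input chain.
		type filter hook forward priority filter; policy drop;
		# Same invalid-state drop as the input chain, applied before the
		# blanket LAN accept so packets that belong to no tracked connection
		# are never forwarded in either direction.
		ct state { invalid } counter drop comment "invalid state"
		iifname $lan_if counter accept comment "local"
		iifname $wan_if ct state { established, related } counter accept comment "internet"
		# Connections that were DNATed in the nat table (the port forward).
		ct status dnat counter accept comment "redirected"
		counter drop comment "dropped"
	}
	chain outgoing {
		type filter hook output priority filter; policy accept;
		counter comment "accepted"
	}
}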