@itsoli
Last active January 19, 2023 14:43
nftables vpn config
#!/usr/bin/nft -f
# Interface and address definitions used by the tables below.
# ext_ip and vpn_ip are placeholders (a.b.c.d, x.y.z.w/s) and must be
# replaced with real values before loading, otherwise the file does not parse.
# ext_ip is defined but not referenced by any rule in this file.
define ext_if = ens3
define ext_ip = a.b.c.d
define vpn_if = ppp0
define vpn_ip = x.y.z.w/s
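table inet filter {
    # Host firewall for both IPv4 and IPv6 (the inet family covers both).
    chain input {
        # Explicit drop policy: anything not accepted below is dropped, even
        # when a rule only matches one address family.
        type filter hook input priority 0; policy drop;
        # allow established/related connections
        ct state {established, related} accept
        # allow gre (before invalid drop for vpn)
        # GRE is accepted from any source; the ordering suggests these packets
        # would otherwise be classed invalid — presumably because no PPTP
        # conntrack helper tracks them (confirm before restricting further).
        ip protocol gre accept
        # early drop of invalid connections
        ct state invalid drop
        # allow from loopback
        iifname lo accept
        # allow icmp (ICMPv6 is needed for neighbour discovery)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # allow tcp
        tcp dport { http, https } accept
        # NOTE(review): PPTP (MS-CHAPv2/MPPE) is widely regarded as weak;
        # plan a migration to a modern VPN protocol.
        tcp dport pptp accept
        tcp dport ssh accept
        # everything else: icmpx applies to both IPv4 and IPv6 in an inet
        # table, whereas 'reject with icmp type' carries an implicit IPv4
        # dependency and lets IPv6 packets fall through to the chain policy
        # (which was the default accept before policy drop was declared).
        reject with icmpx type port-unreachable
    }
    chain output {
        # outbound traffic is unrestricted (default policy accept)
        type filter hook output priority 0;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # allow forwarding for vpn: replies from the external side back to
        # VPN clients, and anything the VPN clients send out
        iifname $ext_if oifname $vpn_if ip daddr $vpn_ip ct state { related, established } accept
        iifname $vpn_if oifname $ext_if ip saddr $vpn_ip accept
        # everything else is dropped by the chain policy
    }
}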
table ip nat {
    # Source NAT so VPN clients ($vpn_ip) reach the outside via $ext_if.
    chain prerouting {
        # No DNAT rules; the chain is still registered — presumably so the
        # NAT hook exists for reverse translation of replies (confirm for the
        # target kernel version).
        type nat hook prerouting priority -150;
    }
    chain postrouting {
        type nat hook postrouting priority -150;
        # masquerade VPN client traffic leaving on the external interface
        oifname $ext_if ip saddr $vpn_ip masquerade
    }
}