@itsonlybarney
Last active May 25, 2024 04:59
RPi Router with nftables
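#!/usr/sbin/nft -f
# Raspberry Pi router: NAT between a private LAN (eth1) and a PPP uplink (ppp0),
# with default-drop input and forward chains.
#
# Only the "ip" (IPv4) family is hooked here, so IPv6 packets are not filtered
# by this ruleset; add an ip6 or inet table if the host has IPv6 connectivity.
# Check the file before loading it: nft -c -f <this file>

flush ruleset

define DEVICE_PRIVATE = eth1
define DEVICE_WORLD = ppp0
define NETWORK_PRIVATE = 192.168.0.0/24
# LAN host that receives the WireGuard port-forward from the uplink.
# 192.168.0.X is the original gist's placeholder; replace it with the real address.
define WIREGUARD_HOST = 192.168.0.X
define WIREGUARD_PORT = 51821

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # port-forward incoming WireGuard from the uplink to the LAN host.
        # The forward chain in table ip filter must also accept this traffic
        # (see the rule there), otherwise the DNAT'd packets are dropped.
        iifname $DEVICE_WORLD udp dport $WIREGUARD_PORT dnat to $WIREGUARD_HOST:$WIREGUARD_PORT
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # masquerade private IP addresses leaving via the uplink
        ip saddr $NETWORK_PRIVATE oifname $DEVICE_WORLD masquerade
    }
}

table ip filter {
    # Packets arriving on the uplink. Nothing is accepted here by default;
    # the examples below are intentionally left commented out.
    chain input_world {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept
        # allow SSH connections from some well-known internet host
        # ip saddr 81.209.165.42 tcp dport ssh accept
    }

    # Packets arriving from the private LAN.
    chain input_private {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        icmp type echo-request limit rate 5/second accept
        # allow SSH from the private network
        ip protocol . th dport vmap {
            tcp . 22 : accept,
            # tcp . 8022 : accept
        }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap {
            established : accept,
            related : accept,
            invalid : drop
        }
        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap {
            lo : accept,
            $DEVICE_WORLD : jump input_world,
            $DEVICE_PRIVATE : jump input_private
        }
        # the rest is dropped by the above policy
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Allow traffic from established and related, drop invalid
        ct state vmap {
            established : accept,
            related : accept,
            invalid : drop
        }
        # Clamp the MSS of outbound SYNs for the PPP uplink. This must come
        # before the LAN accept below: accept is a terminal verdict, so a
        # clamp placed after it would never be evaluated for LAN traffic.
        oifname $DEVICE_WORLD tcp flags syn tcp option maxseg size set 1452
        # LAN hosts may forward anywhere
        iifname $DEVICE_PRIVATE accept
        # Let the WireGuard port-forward from table ip nat reach the LAN host.
        iifname $DEVICE_WORLD oifname $DEVICE_PRIVATE ip daddr $WIREGUARD_HOST udp dport $WIREGUARD_PORT accept
        # the rest is dropped by the above policy
    }
}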