nftables sample: source-hash (jhash) load balancer spreading one public IP:port across several backend ports on the same host, plus port remaps for multiple server IPs
#!/usr/sbin/nft -f
# Loaded with 'nft -f', so the flush and the tables below are applied as one
# transaction rather than leaving a window with an empty ruleset.
# NOTE: 'flush ruleset' discards every existing table, including any installed
# by other tools on the host (container runtimes, fail2ban, ...), not only the
# two tables defined in this file.
flush ruleset
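table inet filter {
	# Host firewall: default-deny inbound; forward and outbound are left open.
	# The only IPv6 rules are neighbour discovery, so every service below is
	# reachable over IPv4 only.
	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "loopback"

		# Drop conntrack-invalid packets before any port-based accept: the
		# daddr/dport rules further down carry no 'ct state' match, so without
		# this an out-of-window segment or stray ACK aimed at 80/443 would be
		# accepted instead of dropped.
		ct state invalid drop
		ct state established,related accept

		# No rate limit on new SSH connections; 'limit rate' would slow brute force.
		tcp dport { 22, 44 } ct state new accept comment "ssh on default and inhouse ports"

		# Public services. The nat table rewrites 80/443 on these addresses in
		# prerouting, which runs before this hook, so rewritten packets are
		# admitted by the 'ct status dnat' rule at the end; the 80/443 entries
		# here only matter for traffic that was not rewritten.
		# NOTE(review): 7700-7706 are the backend ports the nat fanout spreads
		# .42:80/443 across; listing them here makes every backend directly
		# reachable from anywhere, bypassing the balancer. Confirm that is intended.
		ip daddr 211.98.15.42 tcp dport { 80, 443, 7700-7706 } accept comment "ws1.nsocket.com"
		ip daddr 211.98.15.49 tcp dport { 80, 443 } accept comment "site1"
		ip daddr 211.98.24.24 tcp dport { 80, 443 } accept comment "site2"

		# 'icmpv6 type' implies 'meta l4proto ipv6-icmp', which still matches when
		# an IPv6 extension header precedes the ICMPv6 header. The previous
		# 'ip6 nexthdr ipv6-icmp' tested only the first next-header field and
		# dropped neighbour discovery carried behind such a header.
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "IPv6 connectivity"

		# Database access is pinned to a single source address.
		ip saddr 102.104.95.87 ip daddr 111.88.77.66 tcp dport 5432 accept comment "postgresql from barman@example.com"

		# Admit whatever the nat table DNAT'd (site1/site2 17xxx ports, ws fanout ports).
		# Every DNAT target in that table is an explicit local port, so this does not
		# open anything the nat rules do not name.
		ct status dnat accept comment "allow prerouted packets"
	}

	chain forward {
		# NOTE(review): with 'policy accept' here, enabling ip_forward (e.g. by a
		# container runtime) turns this host into an open router between its
		# interfaces; 'policy drop' is the least-privilege choice for a plain host.
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}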
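table inet nat {
	# Every DNAT target below is the packet's own destination address, i.e. a
	# port remap on this host; nothing is forwarded to another machine.
	# 'dnat ip to' is used throughout (the original mixed it with 'dnat to')
	# so the address family is explicit in an inet table.

	# 'prerouting' and 'fanout' both hang off the prerouting hook at the same
	# priority. nftables defines no order between such chains; that is harmless
	# here only because their rules match disjoint 'ip daddr' values -- keep it
	# that way, or fold fanout into this chain.
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 211.98.15.49 tcp dport 443 dnat ip to 211.98.15.49:17444 comment "redirect https to site1 user port"
		ip daddr 211.98.15.49 tcp dport 80 dnat ip to 211.98.15.49:17081 comment "redirect http to site1 user port"
		ip daddr 211.98.24.24 tcp dport 443 dnat ip to 211.98.24.24:17443 comment "redirect https to site2 user port"
		ip daddr 211.98.24.24 tcp dport 80 dnat ip to 211.98.24.24:17080 comment "redirect http to site2 user port"
	}

	# Same remaps for locally generated traffic, so a process on this host that
	# connects to a public IP:443 lands on the same backend as an external client.
	# NOTE(review): the ws fanout is not mirrored here, so local clients reaching
	# 211.98.15.42:80/443 are not rewritten -- confirm that is intended.
	chain output {
		# -100 is what 'dstnat' stands for in prerouting; the symbolic name is only
		# accepted on that hook. Running DNAT here ahead of the priority-0 filter
		# output chain gives the same pre/post-rewrite ordering as prerouting.
		type nat hook output priority -100; policy accept;
		ip daddr 211.98.15.49 tcp dport 443 dnat ip to 211.98.15.49:17444 comment "redirect https to site1 user port"
		ip daddr 211.98.15.49 tcp dport 80 dnat ip to 211.98.15.49:17081 comment "redirect http to site1 user port"
		ip daddr 211.98.24.24 tcp dport 443 dnat ip to 211.98.24.24:17443 comment "redirect https to site2 user port"
		ip daddr 211.98.24.24 tcp dport 80 dnat ip to 211.98.24.24:17080 comment "redirect http to site2 user port"
	}

	# Source-hash load balancer for the websocket service on .42: each client
	# address is hashed onto one of six backend ports, so a given client keeps
	# hitting the same backend.
	chain fanout {
		type nat hook prerouting priority dstnat; policy accept;
		# jhash without an explicit 'seed' is seeded randomly by the kernel each
		# time the rule is loaded, so clients are re-pinned after every reload of
		# this file (existing connections survive via conntrack; new ones may land
		# on a different backend). Add 'seed 0x...' if backends keep per-client state.
		ip daddr 211.98.15.42 tcp dport 443 dnat ip to 211.98.15.42:jhash ip saddr mod 6 map { 0 : 7700, 1 : 7701, 2 : 7702, 3 : 7703, 4 : 7704, 5 : 7705 } comment "ws https"
		# Single http backend: 'jhash ip saddr mod 1' could only ever yield 0, so
		# the hash and one-entry map were dead weight.
		ip daddr 211.98.15.42 tcp dport 80 dnat ip to 211.98.15.42:7706 comment "ws http"
	}
}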