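#!/usr/sbin/nft -f
#
# Router firewall: inbound (this host), forward (routed traffic) and outbound
# filtering, plus IPv4 masquerading on the WAN interface.
#
#   enp2s0           - WAN (upstream) interface
#   brlan            - LAN bridge; everything arriving on it is trusted
#   195.39.246.32/28 - public IPv4 range routed to hosts behind this router
#
# Loading this file replaces the whole running ruleset (flush ruleset), so
# anything not defined here or in /etc/nftables.d/*.nft disappears on reload.

flush ruleset

table inet firewall {
    chain inbound {
        # Traffic addressed to this host. Default-deny: anything that does
        # not match a rule below is silently dropped.
        type filter hook input priority 0; policy drop;

        # Replies and related packets (e.g. ICMP errors for tracked flows)
        # of connections conntrack already knows about.
        ct state established,related accept

        # Packets conntrack cannot associate with any connection (bad TCP
        # flags, out-of-window segments, ...). Must stay after the
        # established,related rule.
        ct state invalid drop

        # Loopback and the LAN bridge are fully trusted.
        iifname lo accept
        iifname brlan accept

        # NOTE(review): there is no anti-spoofing rule; if enp2s0 is a real
        # public link, consider dropping packets arriving on it with private
        # source addresses, e.g.
        #   iifname enp2s0 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # IPv4 ICMP and IGMP: accept, but rate-limit as a partial guard
        # against floods. Packets over the limit fall through to policy drop.
        ip protocol icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept

        # ICMPv6 is not optional for IPv6 to work: Neighbor Discovery
        # (NS/NA/RS/RA) and MLD are accepted without a rate limit, because
        # dropping them once a limit is exceeded breaks address resolution
        # and routing for the whole link. Redirects and Node Information
        # Queries (type 139) are dropped, as a router should (RFC 4890).
        # (The earlier commented-out "ip6 protocol ... icmpv6-type" lines did
        # not parse; "ip6 nexthdr" / "icmpv6 type" is the valid syntax.)
        icmpv6 type nd-redirect drop
        icmpv6 type 139 drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        # All other ICMPv6 (echo, errors not tied to a tracked flow, ...) is
        # rate-limited like IPv4 ICMP. "meta l4proto" also matches when
        # extension headers precede ICMPv6, which "ip6 nexthdr" does not.
        meta l4proto ipv6-icmp limit rate 5/second accept

        # Services exposed beyond the LAN. Loopback and brlan are already
        # accepted above, so in practice every rule here opens the port to
        # the WAN (enp2s0). Review before extending this list.
        tcp dport ssh accept comment "ssh"
        # NOTE(review): DNS reachable from the WAN turns any resolver
        # listening here into an open resolver usable for reflection
        # attacks. LAN clients are already covered by the brlan rule, so
        # unless this box serves DNS publicly these two rules can be removed.
        tcp dport domain accept comment "dns (tcp)"
        udp dport domain accept comment "dns (udp)"
        tcp dport http accept comment "http"
        tcp dport https accept comment "https"
        tcp dport 22000 accept comment "syncthing"
        udp dport 21027 accept comment "syncthing"
        # NOTE(review): iperf3 is an unauthenticated bandwidth tester;
        # consider removing these rules when not actively testing from WAN.
        tcp dport 5201 accept comment "iperf3 (tcp)"
        udp dport 5201 accept comment "iperf3 (udp)"
    }

    chain forward {
        # Traffic routed through this host. Default-deny.
        type filter hook forward priority 0; policy drop;

        # Replies and related packets of tracked connections.
        ct state established,related accept

        # Drop what conntrack cannot classify (see inbound chain).
        ct state invalid drop

        # LAN clients may reach anything: WAN, the public /28, each other.
        iifname brlan accept

        # Rate-limited ICMP/ICMPv6/IGMP, as in the inbound chain.
        ip protocol icmp limit rate 5/second accept
        meta l4proto ipv6-icmp limit rate 5/second accept
        ip protocol igmp limit rate 5/second accept

        # Hosts in the public /28 are reachable from anywhere on every port
        # and protocol - this router does no per-service filtering for them,
        # so each of those hosts must rely on its own host firewall.
        ip daddr 195.39.246.32/28 accept
    }

    chain outbound {
        # Traffic originated by this host is not filtered.
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        # Intentionally empty: DNAT / port-forward rules go here or in
        # /etc/nftables.d/*.nft.
        type nat hook prerouting priority -100; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        # Source-NAT IPv4 traffic leaving the WAN interface to its address.
        # Hosts that hold a routed public address must not be masqueraded,
        # otherwise their own outbound connections would appear to come
        # from the router's WAN address instead of their public IP.
        oifname enp2s0 ip saddr != 195.39.246.32/28 masquerade
    }
}

include "/etc/nftables.d/*.nft"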