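---
# nftables ruleset variables. The `{{ ... }}` expression in the input chain
# is Jinja and is expanded by the rendering step before nft loads the ruleset.

# Service names spliced into the `tcp dport { ... }` set below; nft resolves
# them as service names, so each one must be known to the target host.
allowed_services:
  - ssh
  - http
  - https

nftables_tables:
  - name: "firewall"
    family: inet  # a single table handles both IPv4 and IPv6
    chains:
      - name: "input"
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"  # default-deny: anything not accepted by a rule is dropped
        rules:
          - position: 1
            statement: "iif lo accept"
          - position: 2
            statement: 'ct state invalid log prefix "FW:DROP:" drop'
            comment: "Log and drop invalid packets."
          - position: 3
            statement: "ct state established,related accept"
          # Neighbour discovery and router advertisements are required for
          # IPv6 to function under a drop policy; echo-request permits ping6.
          # ICMPv6 errors that belong to a tracked flow are already accepted
          # as "related" by the rule above.
          - position: 10
            statement: >-
              ip6 nexthdr icmpv6 icmpv6 type
              {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert}
              accept
          # Renders as `tcp dport {ssh, http, https} accept`: the Jinja
          # expression emits the opening brace, the trailing `}` is literal.
          - position: 11
            statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
      # NOTE(review): this chain has an accept policy and no rules, so every
      # routed packet is forwarded in both directions whenever forwarding is
      # enabled on the host — confirm that is intended alongside the NAT
      # table below (a router usually pairs masquerade with a forward chain
      # that accepts established,related and drops the rest).
      - name: "forward"
        base:
          type: "filter"
          hook: "forward"
          priority: 0
          policy: "accept"
      - name: "output"
        base:
          type: "filter"
          hook: "output"
          priority: 0
          policy: "accept"
        rules:
          # Placeholder entry; presumably the rendering template skips an
          # empty statement — confirm, since a bare "" is not a valid rule.
          - position: 1
            statement: ""
            # statement: "ip daddr 192.0.2.100 counter"
  - name: "nat"
    family: ip  # IPv4 only; no NAT is defined for IPv6
    chains:
      - name: "prerouting"
        base:
          type: "nat"
          hook: "prerouting"
          # nft's conventional dstnat priority is -100; 0 works for a lone
          # table but check ordering if another nat table exists on the host.
          priority: 0
        rules:
          # - position: 1
          #   statement: "iif wlp1s0 tcp dport { 2222 } dnat 192.168.10.176:22"
          # Placeholder entry; presumably skipped by the template when empty
          # — confirm, as above.
          - position: 1
            statement: ""
      - name: "postrouting"
        base:
          type: "nat"
          hook: "postrouting"
          priority: 100
        rules:
          # No interface match, so packets leaving via *any* interface are
          # masqueraded; add an `oifname` match if only the uplink should
          # be source-NATed — TODO confirm intent.
          - position: 1
            statement: "masquerade random,persistent"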