This is the configuration of my home router firewall, /etc/nftables.conf.
-
WAN_GROUP interfaces are:
- 1Gb Ethernet connected to the NTD
- Backup 4G connection via a mobile dongle
-
LAN_GROUP interfaces are:
- 2.5Gb Ethernet port connected to the LAN
- WireGuard interface (VPN peers are trusted exactly like wired LAN hosts, since both share the LAN group)
Summary of the rules:
- Allow new (non-established) inbound connections from the WAN to the router itself on UDP 51820 (WireGuard) and TCP 80/443 (HTTP/HTTPS).
- Forward traffic from the WAN to the LAN only when it belongs to an established or related connection; anything originating on the LAN (including WireGuard peers) is forwarded without restriction.
- Traffic leaving via a WAN interface is masqueraded (source NAT to that interface's current address).
- ICMP is accepted regardless of ingress interface, so the router answers pings from the WAN as well as the LAN.
- Everything else arriving at or being forwarded by the router is dropped; traffic originating from the router itself is not filtered (output policy accept).
# Start from an empty ruleset so re-applying this file always yields exactly
# the rules below (no leftovers from a previous load).
flush ruleset

# Interface groups (as assigned via `ip link set <dev> group <n>`); every rule
# matches on these groups rather than on individual device names.
define LAN_GROUP = 1
define WAN_GROUP = 2
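# Packet filter for the router itself (input/output) and for routed traffic
# (forward). Uses the LAN_GROUP / WAN_GROUP defines instead of bare 1 / 2 so
# the group numbers are only ever stated in one place.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Drop packets conntrack cannot associate with any flow before anything
        # is accepted, so this really is an "early" drop for every interface.
        ct state invalid drop comment "early drop of invalid connections"

        # The LAN group also contains the WireGuard interface, so VPN peers get
        # the same unrestricted access to the router as wired LAN hosts.
        iifgroup $LAN_GROUP accept comment "anything from the internal network should be accepted"

        ct state { established, related } accept comment "allow tracked connections"
        iifname "lo" accept comment "allow from loopback"

        # ICMP is accepted from every interface, not only the LAN. In an inet
        # table `ip protocol icmp` matches IPv4 only; ICMPv6 is required for
        # IPv6 to function at all (neighbour discovery, router advertisements,
        # path-MTU discovery), so it is allowed alongside it. If IPv6 is not
        # used on any interface the ICMPv6 rule simply never matches.
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmpv6 (needed for IPv6 ND/RA/PMTUD)"

        # Services exposed on the router itself to the internet. Whatever
        # listens on 80/443 here is reachable from every WAN address, so it
        # must be something intended to be public.
        iifgroup $WAN_GROUP udp dport 51820 accept comment "allow incoming wireguard connections"
        iifgroup $WAN_GROUP tcp dport { 80, 443 } accept comment "allow http(s) connections"
    }

    chain output {
        # Traffic originating on the router is never filtered.
        type filter hook output priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Routed packets get the same invalid-state drop as local ones.
        ct state invalid drop comment "never forward packets conntrack cannot classify"

        # LAN and WireGuard hosts may reach the WAN and each other freely.
        iifgroup $LAN_GROUP accept comment "forward anything from the LAN"

        # From the WAN only replies to flows initiated from the LAN side are
        # let through; there is no port forwarding into the LAN (the nat
        # prerouting chain holds no DNAT rule).
        iifgroup $WAN_GROUP oifgroup $LAN_GROUP ct state { established, related } accept comment "forward only established traffic from the WAN"
    }
}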
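# NAT for routed traffic. Uses the WAN_GROUP define instead of a bare 2 so the
# group number is only ever stated in one place.
table inet nat {
    chain prerouting {
        # Registered at the conventional dstnat priority (-100) rather than
        # filter (0), so any DNAT rule added later orders correctly ahead of a
        # prerouting filter chain at priority 0 if one is ever introduced.
        type nat hook prerouting priority dstnat; policy accept;
        # Intentionally empty: no port forwarding into the LAN.
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source-NAT everything leaving via a WAN interface to that interface's
        # address at packet time (masquerade re-resolves it, which suits an
        # interface whose address changes, such as a 4G dongle). Note that in an
        # inet table this also masquerades IPv6; if the LAN ever gets global
        # IPv6 addresses, prefix this rule with `meta nfproto ipv4`.
        oifgroup $WAN_GROUP masquerade
    }
}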