nftables configuration
Home router firewall
# Start from an empty ruleset so this file fully describes the firewall state.
flush ruleset

# Interface groups: rules below match on iifgroup/oifgroup rather than on
# interface names, so interfaces are classified by the group they belong to.
define LAN_GROUP = 1
define WAN_GROUP = 2
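# Packet filtering for both IPv4 and IPv6 (inet family).
table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority filter; policy drop;

        # The LAN is trusted: everything from a LAN-group interface is let in,
        # before conntrack state is even consulted.
        iifgroup $LAN_GROUP accept comment "anything from the internal network should be accepted"
        # Packets conntrack cannot classify are discarded before any accept rule.
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iifname lo accept comment "allow from loopback"
        # All ICMPv4 types are accepted from any interface, including the WAN;
        # restricting to echo-request and error messages (or rate-limiting) is an
        # option if that is more than the WAN side should answer.
        ip protocol icmp accept comment "allow icmp"
        # ICMPv6 carries neighbour discovery, so this is needed for IPv6 to work.
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        # Services deliberately exposed on the WAN side.
        iifgroup $WAN_GROUP udp dport 4242 accept comment "allow incoming nebula connections"
        iifgroup $WAN_GROUP tcp dport { 80, 443 } accept comment "allow http(s) connections"
    }

    # Traffic originated by the router itself is not filtered.
    chain output {
        type filter hook output priority filter; policy accept;
    }

    # Traffic routed between interfaces.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Mirror the input chain: packets conntrack flags as invalid are dropped
        # before the unconditional LAN accept, so they are not forwarded either.
        ct state invalid drop comment "early drop of invalid connections"
        # The LAN may reach anything; the WAN may only reach the LAN as a reply
        # to (or in relation with) a connection the LAN opened.
        iifgroup $LAN_GROUP accept comment "forward anything from the LAN"
        iifgroup $WAN_GROUP oifgroup $LAN_GROUP ct state { established, related } accept comment "forward only established traffic from the WAN"
    }
}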
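# Address translation for both IPv4 and IPv6 (inet family).
table inet nat {
    # Destination NAT (port forwards) would go here; the chain is currently empty.
    # 'dstnat' is nftables' conventional priority for a nat prerouting chain and
    # keeps any DNAT rules ahead of a filter-priority prerouting chain that may be
    # added later; the previous 'filter' priority worked only because no such
    # chain exists.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    # Source NAT: everything leaving through a WAN-group interface is
    # masqueraded with that interface's address. In an inet table this applies
    # to IPv6 as well as IPv4 -- confirm that is intended if the WAN has a
    # routed IPv6 prefix.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup $WAN_GROUP masquerade
    }
}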