nftables.conf (router advertisments are not processed)

1. #!/usr/sbin/nft -f
2.  
3. flush ruleset
4.  
5. define allow_ip4s = {
6. 192.168.12.18
7. }
8.  
9. define allow_ip6s = {
10. 2001:db8:0::/48
11. }
12.  
13. table inet filter {
14. chain input {
15. type filter hook input priority 0; policy drop;
16. ct state established,related accept
17. ct state invalid drop
18. tcp dport 80 ip saddr $allow_ip4s accept
19. tcp dport 22 accept
20. }
21. chain forward {
22. type filter hook forward priority 0; policy drop;
23. }
24. chain output {
25. type filter hook output priority 0; policy accept;
26. }
27. }
28.  
29. table ip nat {
30. chain prerouting {
31. type nat hook prerouting priority -100; policy accept;
32. }
33.  
34. chain postrouting {
35. type nat hook postrouting priority 100; policy accept;
36. oifname "enp0s3" masquerade
37. }
38. }
39.  
40. table ip6 filter {
41. chain input {
42. type filter hook input priority 0; policy drop;
43. ct state established,related accept
44.  
45. iifname lo accept
46.  
47. icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query,nd-neighbor-advert,nd-router-advert} accept
48.  
49. tcp dport 80 ip6 saddr $allow_ip6s accept
50. }
51. }
52.