nftables rules
  1. #!/usr/sbin/nft -f
  2.  
  3. flush ruleset
  4.  
  5. table inet filter {
  6. chain input {
  7. type filter hook input priority 0;
  8.  
  9. # established/related connections
  10. ct state established,related accept
  11.  
  12. # loopback interface
  13. iifname lo accept
  14.  
  15. # open tcp/udp port 53 for dns
  16. tcp dport {53} accept
  17. udp dport {53} accept
  18.  
  19. # icmp
  20. ip protocol icmp accept
  21. ip6 nexthdr icmpv6 accept
  22. }
  23. chain forward {
  24. type filter hook forward priority 0;
  25.  
  26. # established/related connections
  27. ct state established,related accept
  28.  
  29. # icmp
  30. ip protocol icmp accept
  31. ip6 nexthdr icmpv6 accept
  32. }
  33. chain output {
  34. type filter hook output priority 0;
  35. }
  36. }
  37.  
  38. table ip nat {
  39. chain prerouting {
  40. type nat hook prerouting priority 0; policy accept;
  41. }
  42.  
  43. chain postrouting {
  44. type nat hook postrouting priority 100; policy accept;
  45. oifname "eth_wan" ip saddr 10.0.0.0 masquerade
  46. }
  47. }