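#!/sbin/nft -f

# Host firewall for a single machine (no routing): drop inbound by default,
# allow established/related flows, loopback and a bounded set of ICMP/ICMPv6,
# drop all forwarding, accept all outbound.
#
# References
# https://wiki.gentoo.org/wiki/Nftables/Examples
# https://wiki.archlinux.org/title/Nftables
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf

# Start from an empty ruleset so a reload never layers rules on top of old ones
flush ruleset

# TCP ports to accept (both IPv4 and IPv6)
#define ACCEPT_TCP_PORTS = {}

# UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = {}

# "inet" family: one rule set evaluated for both IPv4 and IPv6
table inet filter {
    # Default to drop all inbound traffic, unless they meet our criteria
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop malformed/out-of-window packets first, then short-circuit
        # replies to connections this host initiated
        ct state invalid counter drop
        ct state {established,related} counter accept

        # Loopback is trusted; loopback addresses arriving on any other
        # interface are spoofed and are dropped
        iif lo accept
        iif != lo ip daddr 127.0.0.1/8 counter drop
        iif != lo ip6 daddr ::1/128 counter drop

        # Accept user-defined ports
        #tcp dport $ACCEPT_TCP_PORTS counter accept
        #udp dport $ACCEPT_UDP_PORTS counter accept

        # Rate limit on SSH port
        #tcp dport ssh ct state new limit rate 6/minute accept

        # Mitigate ping floods: echo traffic above 1/s (burst 4) is dropped
        # before the accept rules below can match it
        ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop

        ip protocol icmp icmp type { echo-reply, echo-request, destination-unreachable, time-exceeded, parameter-problem, router-advertisement, router-solicitation } counter accept
        # Neighbor Discovery (nd-*) is not tracked as "established" by conntrack,
        # so it must be accepted explicitly; without it IPv6 address resolution
        # and router discovery fail and the host loses IPv6 connectivity
        ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request, destination-unreachable, mld-listener-query, mld-listener-reduction, mld-listener-report, mld2-listener-report, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter accept

        # Everything else falls through to the chain policy (drop)
        counter comment "Count dropped packets"
        #log prefix "[nftables] Inbound Denied: " flags all counter drop
    }

    # Route your own packets! I'm not your router.
    # Can be enabled while using VPN (for tunneling)
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "Count dropped packets"
        #log prefix "[nftables] Forward Denied: " flags all counter drop
    }

    # Accept all outbound traffic
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "Count accepted packets"
        # (verb fixed: was "accpet", which would fail to parse once uncommented)
        #log prefix "[nftables] Outbound Accepted: " flags all counter accept
    }
}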