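#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
#
# Loaded atomically with `nft -f`: the table is torn down first so re-applying
# this file never accumulates stale rules. `destroy table` is a no-op when the
# table does not exist yet but needs nftables >= 1.0.9 (kernel >= 6.3); on
# older systems use `table inet filter` followed by `flush table inet filter`.
destroy table inet filter

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;

    iif lo accept comment "allow from loopback"
    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"

    # Fully trusted ingress interfaces: every packet from these is accepted,
    # so any service bound to 0.0.0.0/:: is reachable from the whole Ethernet
    # LAN and from every container attached to the docker0 bridge. Narrow
    # these to explicit ports if containers are not fully trusted.
    iifname "enp4s0" accept comment "allow from Ethernet LAN"
    iifname "docker0" accept comment "allow from Docker"
    iifname "ggsn0" udp dport 9201 accept comment "allow GPRS connections to Kannel"

    # Control-plane traffic. ICMP/IGMP are accepted without a rate limit; only
    # the final reject below is rate-limited.
    ip protocol icmp accept comment "allow ICMP"
    ip protocol igmp accept comment "Accept IGMP"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"

    # Public services. The 8000-9000 ranges are IPv4-only because of the
    # `ip protocol` match; the 7337 and 8200 rules apply to both families.
    ip protocol tcp tcp dport 8000-9000 accept comment "tcp/8000..9000"
    ip protocol udp udp dport 8000-9000 accept comment "udp/8000..9000"
    tcp dport 7337 accept comment "BitTorrent TCP"
    udp dport 7337 accept comment "BitTorrent UDP"
    tcp dport 8200 accept comment "miniDLNA"

    # Politely refuse a bounded number of unicast probes per second; anything
    # over the rate (and all non-unicast traffic) is only counted and then
    # silently dropped by the chain policy.
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter comment "count any other traffic"
  }

  chain forward {
    # The masquerade rule in the nat chain is only useful with IP forwarding
    # enabled, and with an accept policy here the host would then route
    # between every interface it has (Ethernet LAN, WLAN, GPRS, containers).
    # Only the Docker egress path is wanted, so default to drop and allow
    # exactly that plus reply traffic.
    type filter hook forward priority filter; policy drop;

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    # Docker publishes container ports with its own DNAT rules (not in this
    # file); accept the forwarded leg of those connections.
    ct status dnat accept comment "allow connections to published container ports"
    # With br_netfilter loaded, bridged container-to-container traffic also
    # traverses this hook; keep it working.
    iifname "docker0" oifname "docker0" accept comment "allow container-to-container traffic"
    iifname "docker0" oifname "wlan0" accept comment "allow Docker egress via WLAN"
  }

  chain nat {
    type nat hook postrouting priority srcnat; policy accept;

    # Source-NAT container traffic leaving through the WLAN uplink; pairs with
    # the docker0 -> wlan0 accept in the forward chain.
    iifname "docker0" oifname "wlan0" masquerade comment "NAT Docker egress via WLAN"
  }
}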