#!/usr/sbin/nft -f

flush ruleset

define svc_ssh = 1022
define net_trusted = { 10.1.2.0/24 }
define hosts_ntp = { 213.222.217.10, 178.63.9.212, 148.251.54.81, 212.51.144.46 }  # europe.pool.ntp.org
define hosts_dns = { 1.1.1.1, 8.8.8.8 }
define hosts_repo = { 199.232.18.132 }  # deb.debian.org

table inet default {
  chain input {
    type filter hook input priority 0; policy deny;

    ct state new log prefix "NFT ALLOW MGMT "
    tcp dport $svc_ssh ip saddr $net_trusted accept

    ct state { established, related } accept comment "Allow existing sessions"
    log prefix "NFT DROP input "
  }

  chain forward {
    type filter hook forward priority 0; policy deny;

    ct state { established, related } accept comment "Allow existing sessions"
    log prefix "NFT DROP forward "
  }

  chain output {
    type filter hook output priority 0; policy deny;

    meta l4proto { tcp, udp } dport 123 ip daddr $hosts_ntp accept
    meta l4proto { tcp, udp } dport 53 ip daddr $hosts_dns accept
    tcp dport 853 ip daddr $hosts_dns accept
    tcp dport { 80, 443 } ip daddr $hosts_repo accept

    ct state { established, related } accept comment "Allow existing sessions"
    log prefix "NFT DROP output "
  }

  # chain prerouting_dnat {
  #   type nat hook prerouting priority -100; policy accept;
  # }

  # chain output_dnat {
  #   type nat hook output priority -100; policy accept;
  # }

  # chain postrouting_snat {
  #   type nat hook postrouting priority 100; policy accept;
  # }

}