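#!/usr/sbin/nft -f
#
# Host firewall for a single server: drop known-bad sources early, allow the
# few services we run, reject everything else.
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
# nft -f loads this file as one transaction, so a parse error anywhere (for
# example a missing include) leaves the currently loaded ruleset untouched.

flush ruleset

# Lists updated daily by update-spamhaus-nftables.sh; each file defines the
# SPAMHAUS_IPV4 / SPAMHAUS_IPV6 variable referenced by the sets below.
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"

# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6

table inet filter {
    set spamhaus-ipv4 {
        type ipv4_addr
        # if the set contains prefixes we need to use the interval flag
        flags interval
        elements = $SPAMHAUS_IPV4
    }

    set spamhaus-ipv6 {
        type ipv6_addr
        flags interval
        elements = $SPAMHAUS_IPV6
    }

    chain input {
        # Explicit default policy: the trailing reject normally terminates
        # every packet, so the policy only acts as a safety net if that rule
        # is ever removed or commented out.
        type filter hook input priority 0; policy drop;

        # Allow loopback traffic first so local connections are never subject
        # to the conntrack, blocklist or rate-limit rules below.
        iifname lo accept

        # Allow traffic from established and related packets.
        ct state {established, related} accept

        # Drop invalid packets.
        ct state invalid counter drop

        # Drop packets matching the spamhaus sets early.
        ip saddr @spamhaus-ipv4 counter drop
        ip6 saddr @spamhaus-ipv6 counter drop

        # Rate-limiting IPv6 neighbour discovery can break IPv6 connectivity
        # (address resolution and router advertisements get dropped under
        # load), so accept those ICMPv6 types before the generic limit.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Allow all other ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept

        # SSH, new connections only, restricted to the single management host.
        ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept

        # everything else
        reject with icmpx type port-unreachable
    }

    chain forward {
        # NOTE(review): no policy is set, so the kernel default (accept)
        # applies if IP forwarding is ever enabled on this host. For a host
        # that does not route or run containers, `policy drop;` here closes
        # that gap; confirm before changing, as it would also affect any
        # container or VM bridging on the machine.
        type filter hook forward priority 0;
    }

    chain output {
        # Locally originated traffic is accepted by default; only the
        # blocklisted destinations are dropped.
        type filter hook output priority 0;

        # Drop outgoing packets matching the spamhaus sets too
        ip daddr @spamhaus-ipv4 counter drop
        ip6 daddr @spamhaus-ipv6 counter drop
    }
}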