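#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
# Host firewall for a server. This file is a Jinja2 template (the {% %} / {{ }}
# blocks and `group_names` suggest it is rendered by Ansible before nft -f
# loads it): inbound traffic is default-deny, the FireHOL level1 blocklist is
# dropped in both directions, and per-role services are opened conditionally.

flush ruleset

# List updated daily by update-firehol-nftables.sh
# The include defines $FIREHOL_LEVEL1_IPV4. nft -f applies the whole file as one
# transaction, so a missing or malformed include fails the load as a whole and the
# previously active ruleset stays in place rather than a half-applied one.
include "/etc/nftables/firehol_level1-ipv4.nft"

# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
  set firehol_level1-ipv4 {
    type ipv4_addr
    # if the set contains prefixes we need to use the interval flag
    flags interval
    elements = $FIREHOL_LEVEL1_IPV4
  }

  chain input {
    # Explicit default-deny: the trailing reject normally catches everything, but
    # "policy drop" keeps the chain closed if that rule is ever removed or
    # templated out.
    type filter hook input priority 0; policy drop;

    ct state {established, related} accept comment "Allow traffic from established and related packets"
    ct state invalid counter drop comment "Early drop of invalid connections"

    # Loopback is accepted before the blocklist drop. firehol_level1 is known to
    # carry bogon ranges (127.0.0.0/8 among them) — TODO confirm against the
    # fetched list — so dropping on the set first would block new local
    # connections (ct state new on lo never reaches the established rule above).
    iifname lo accept comment "Allow from loopback"

    ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"

    # Rate limits are global per rule, not per source.
    ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
    # "meta l4proto" walks the IPv6 extension-header chain; "ip6 nexthdr" only
    # matched when ICMPv6 was the very first next header, so ICMPv6 carried behind
    # a hop-by-hop option (e.g. MLD) fell through to the final reject.
    # NOTE(review): a 4/s cap also applies to neighbour discovery on busy hosts —
    # verify it does not starve NS/NA under load.
    meta l4proto ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
    ip protocol igmp limit rate 4/second accept comment "Allow IGMP"

    {# SSH rules #}
    # "ip saddr 0.0.0.0/0" / "ip6 saddr ::/0" match every source; they are only
    # here to pin the address family so each family keeps its own counter.
    ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
    ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"

    {# Web rules #}
    {% if 'web' in group_names %}
    ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
    ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
    ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
    ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
    {% endif %}

    ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
    ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"

    {# Extra rules #}
    # extra_iptables_rules / ghetto_ipsets come from the inventory and are
    # interpolated verbatim as nft tokens (address or prefix, protocol keyword,
    # port). They must be trusted values; anything malformed fails the whole
    # load rather than producing a partial ruleset.
    {% if extra_iptables_rules is defined %}
    {% for rule in extra_iptables_rules %}
    ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
    {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
    ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
    {% endif %}
    {% endfor %}
    {% endif %}

    # everything else
    reject with icmpx type port-unreachable
  }

  chain forward {
    # No policy is set, so this chain accepts by nft default. That is harmless
    # while the host does not forward; if forwarding is ever enabled (containers,
    # VPN) this should become "policy drop;" with explicit allow rules.
    type filter hook forward priority 0;
  }

  chain output {
    # Outbound is left open apart from the blocklist, so a compromised service
    # can still reach the Internet; the counter on the drop rule is the only
    # signal that something on this host tried to talk to a listed address.
    type filter hook output priority 0;
    ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
  }
}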