#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#

flush ruleset

# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"

# Notes:
#   - tables hold chains, chains hold rules
#   - inet is for both ipv4 and ipv6
table inet filter {
    set spamhaus-ipv4 {
        type ipv4_addr
        # if the set contains prefixes we need to use the interval flag
        flags interval
        elements = $SPAMHAUS_IPV4
    }

    set spamhaus-ipv6 {
        type ipv6_addr
        flags interval
        elements = $SPAMHAUS_IPV6
    }

    chain input {
        type filter hook input priority 0;

        # Allow traffic from established and related packets.
        ct state {established, related} accept

        # Drop invalid packets.
        ct state invalid counter drop

        # Drop packets matching the spamhaus sets early.
        ip saddr @spamhaus-ipv4 counter drop
        ip6 saddr @spamhaus-ipv6 counter drop

        # Allow loopback traffic.
        iifname lo accept

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept

        {# SSH rules #}
        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
        ip6 saddr ::/0 ct state new tcp dport 22 counter accept

        {# Web rules #}
        {% if 'web' in group_names %}
        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
        {% endif %}

        {# Extra rules #}
        {% if extra_iptables_rules is defined %}
        {% for rule in extra_iptables_rules %}
        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept

        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
        {% endif %}

        {% endfor %}
        {% endif %}

        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
        # Drop outgoing packets matching the spamhaus sets too
        ip daddr @spamhaus-ipv4 counter drop
        ip6 daddr @spamhaus-ipv6 counter drop
    }
}