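#!/usr/bin/nft -f
# ipv4/ipv6 Simple & Safe Firewall
# you can find examples in /usr/share/nftables/
#
# One "inet" table, so every rule below applies to both IPv4 and IPv6.
# The input and forward chains carry an explicit "policy drop" so they fail
# closed if the terminal reject/drop rule is ever edited away; output keeps
# the nft default (accept), stated explicitly so the intent is visible.

table inet filter {
  chain input {
    # policy drop: anything not accepted by a rule below is dropped even
    # without the trailing reject rule.
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state {established, related} accept
    # early drop of invalid connections (kept ahead of the loopback rule so
    # malformed packets never reach a blanket accept)
    ct state invalid drop
    # allow from loopback
    iifname lo accept

    # allow icmp / icmpv6 (IPv6 needs icmpv6 for neighbour discovery and
    # path-MTU discovery, so do not drop it)
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept

    # Accept everything arriving on the VPN interface.
    # NOTE(review): this trusts every peer on "overlay" unconditionally —
    # confirm that is intended rather than a per-port allow list.
    iifname overlay accept

    # allow ssh, http, https and tinc (service names are resolved from
    # /etc/services when the ruleset is loaded)
    tcp dport {ssh, http, https, tinc} accept
    udp dport {tinc} accept
    # dns (tcp and udp)
    tcp dport 53 accept
    udp dport 53 accept
    # udp 60000-61000 (presumably the mosh port range — confirm on the host)
    udp dport 60000-61000 accept

    # everything else: reject is a terminal verdict, so no rule after it is
    # reachable; the chain policy covers anything that somehow falls through.
    reject with icmpx type port-unreachable
  }

  chain forward {
    # this host does not route: drop by rule and by policy
    type filter hook forward priority 0; policy drop;
    drop
  }

  chain output {
    # outbound traffic is unrestricted
    type filter hook output priority 0; policy accept;
  }
}
# vim:set ts=2 sw=2 et: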