setup/nftables.conf.example

#!/usr/sbin/nft -f

flush ruleset

# replace these
define if_wan = eth0
#define if_podman = veth100

define net_ipv4_podman = 10.1.0.0/16
define net_ipv6_podman = fdff:z:y:x::/96

# pod ipv4 addresses
define ipv4_podman_proxy = 10.1.1.100
define ipv4_podman_database = 10.1.2.100
define ipv4_podman_admintools = 10.1.3.100
define ipv4_podman_xmpp = 10.1.4.100

# pod ipv6 addresses
define ipv6_podman_proxy = fdff:z:y:x::1:100
define ipv6_podman_database = fdff:z:y:x::2:100
define ipv6_podman_admintools = fdff:z:y:x::3:100
define ipv6_podman_xmpp = fdff:z:y:x::4:100


# Covers IPv4 and IPv6
table inet filter {
	# A named set
	set ports_xmpp {
	  type inet_service; flags interval;
	  elements = { 5222, 5269 }
	}

	# Allow DNSSEC, HTTP(s) and DoT out from our firewall
	set firewall_out_tcp_accepted {
		type inet_service; flags interval;
		elements = { 53, 80, 443, 853 }
	}

	# Allow plain DNS & NTP from our firewall
	set firewall_out_udp_accepted {
		type inet_service; flags interval;
		elements = { 53, 123 }
	}
	# pods which are routed through traefik reverse proxy
	## IPv4 set
	set traefik_services_ipv4 {
	  type ipv4_addr; flags interval;
	  elements = { $ipv4_podman_admintools,
					$ipv4_podman_xmpp }
	}
	## IPv6 set
	set traefik_services_ipv6 {
	  type ipv6_addr; flags interval;
	  elements = { $ipv6_podman_admintools,
					$ipv6_podman_xmpp }
	}
	# pods which need a connection to the sql database pod
	## IPv4 set
	set database_clients_ipv4 {
	  type ipv4_addr; flags interval;
	  elements = { $ipv4_podman_admintools,
					$ipv4_podman_proxy,
					$ipv4_podman_xmpp }
	}
	## IPv6 set
	set database_clients_ipv6 {
	  type ipv6_addr; flags interval;
	  elements = { $ipv6_podman_admintools,
					$ipv6_podman_proxy,
					$ipv6_podman_xmpp }
	}
	# pods which need a connection to the internet
	## IPv4 set
	set ctr2internet_ipv4 {
	  type ipv4_addr; flags interval;
	  elements = { $ipv4_podman_proxy,
					$ipv4_podman_xmpp }
	}
	## IPv6 set
	set ctr2internet_ipv6 {
	  type ipv6_addr; flags interval;
	  elements = { $ipv6_podman_proxy,
					$ipv6_podman_xmpp }
	}

	# This is due to one of the quirks with netfilter (same applies
	# for iptables), you have to accept established and related
	# connections explicitly. Making it a separate chain like this
	# will allow us to quickly jump to it.
	#
	# We also allow ICMP for both v4 and v6.
	chain global {
		ct state established,related accept
		ct state invalid drop
		#tcp flags & (fin|syn|rst|ack) != syn ct state { new } drop
		ip protocol icmp limit rate 4/second accept
		ip6 nexthdr icmpv6 icmpv6 type {
			nd-neighbor-solicit, echo-request,
			nd-router-advert, nd-neighbor-advert
		} limit rate 4/second accept
		#pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
	}

	chain reject_politely {
		reject with icmp type port-unreachable
	}

	# Control what is allowed into the podman network
	chain podman_in {
		ct status dnat accept
	}

	# container2container communication
	chain podman_c2c {
		## allow traefik to services
#		ip saddr $ipv4_podman_proxy ip daddr @traefik_services_ipv4 log prefix "forward " accept
#		ip6 saddr $ipv6_podman_proxy ip6 daddr @traefik_services_ipv6 log prefix "forward " accept

		## allow connections to sql database pod
#		ip saddr @database_clients_ipv4 ip daddr $ipv4_podman_database log prefix "forward " accept
#		ip6 saddr @database_clients_ipv6 ip6 daddr $ipv6_podman_database log prefix "forward " accept
	}

	# ...and what is allowed out of the podman network
	chain podman_out {
		# allow traefik out, e.g. for TLS cert renewals
		oifname $if_wan ip saddr @ctr2internet_ipv4 log prefix "forward " ct state new accept
		oifname $if_wan ip6 saddr @ctr2internet_ipv6 log prefix "forward " ct state new accept
	}

	# Here's where some interesting things happen. This is where we
	# control what is forwarded between subnets, including using the
	# chains we defined previously.  Our default policy is drop.

	chain forward {
		type filter hook forward priority 0; policy drop;

		# First accept established & related traffic, by jumping to
		# our global chain
		jump global

		#
		# Verdict maps! This saves me _several lines_ of rules!!11
		# This could have been written line for line as well, I guess.
		#
		# Podman pod container to container communication
		jump podman_c2c

		# Map the output interface to a chain.  So if traffic has been
		# forwarded to this interface this is what we allow in, if
		# that makes sense?
		#oifname vmap { $if_podman : jump podman_in }
		jump podman_in

		# If the output interface is our external, what is allowed out
		# from each subnet?
		jump podman_out
	}

	# Control what is allowed on our firewall
	chain incoming {
		type filter hook input priority 0; policy drop;

		jump global

		iif lo accept

		# Allow SSH but rate limit on our external interface
		iifname $if_wan tcp dport { 22 } ct state new flow table ssh-ftable { ip saddr limit rate 2/minute } accept
#		iifname $if_wan tcp dport { 2222 } ct state new flow table ssh-ftable { ip saddr limit rate 2/minute } accept

		# Allow SSH from our clients
		#iifname $if_clients tcp dport 22 ct state new accept

		# Rejections should be nice
		jump reject_politely
	}

	# Control what is allowed out from our firewall itself.
	chain outgoing {
		type filter hook output priority 100; policy drop;

		jump global

		# What should be allowed out from your firewall itself? If
		# anything is acceptable, change the policy or just write:
		accept

		# Otherwise, specify what is allowed, some examples below
		#udp dport @firewall_out_udp_accepted ct state new accept
		#tcp dport @firewall_out_tcp_accepted ct state new accept

		jump reject_politely
	}
}

# Finally, NAT!
table inet nat {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept
		# Port forward SSH to traefk reverse proxy
#		iifname $if_wan tcp dport { 22 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to traefik"
#		iifname $if_wan tcp dport { 22 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to traefik"
		# Port forward HTTP/HTTPS to traefk reverse proxy
		iifname $if_wan tcp dport { 80, 443 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to traefik"
		iifname $if_wan tcp dport { 80, 443 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to traefik"
		# Port forward XMPP-server to traefk reverse proxy
#		iifname $if_wan tcp dport { 5269 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to traefik"
#		iifname $if_wan tcp dport { 5269 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to traefik"

		# Port forward STUN/TURN to eturnal TURN server
		## forward STUN/TURN TCP
#		iifname $if_wan tcp dport { 3478 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to eturnal"
#		iifname $if_wan tcp dport { 3478 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to eturnal"
		## forward STUN/TURN UDP on port 443
#		iifname $if_wan udp dport { 443 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to eturnal"
#		iifname $if_wan udp dport { 443 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to eturnal"
		## forward TURN relay range
#		iifname $if_wan udp dport { 64000-65535 } counter dnat ip to $ipv4_podman_proxy comment "DNAT to eturnal"
#		iifname $if_wan udp dport { 64000-65535 } counter dnat ip6 to $ipv6_podman_proxy comment "DNAT to eturnal"
	}

	#### POSTROUTING
	chain postrouting {
		type nat hook postrouting priority 100; policy accept

		# Here you can specify which nets that are allowed to do NAT.  For
		# my own network I'm not allowing my IoT or management networks to
		# reach the internet.
		oifname $if_wan counter masquerade
		#ip saddr $net_clients oifname $if_wan masquerade
	}
}