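#!/usr/sbin/nft -f
#
# Host firewall for an XMPP (prosody) server. IPv4 only.
#
# Shebang fix: the previous "#!/usr/bin/env nft -f" does not work on Linux,
# where the kernel passes everything after the interpreter as ONE argument,
# so env looks for a program literally named "nft -f" and fails. Invoke
# the binary directly; adjust the path if nft is not in /usr/sbin.
#
# NOTE(review): "flush ruleset" removes every table of every family, and
# only an "ip" (IPv4) table is defined below. IPv6 therefore has no policy
# at all (kernel default: accept everything). If this host has a global
# IPv6 address, add an "ip6" table (or move to "table inet") with the same
# policies — and remember that ICMPv6 must be accepted for NDP to work.

flush ruleset

table ip Inet4 {

    # Resolvers the host may talk to on port 53 (presumably the entries of
    # /etc/resolv.conf — verify against the host's resolver config).
    set dns_resolvers {
        type ipv4_addr
        elements = { 80.67.169.12, 80.67.169.40, 87.98.175.85, 5.135.183.146, 8.8.8.8 }
    }

    # Trusted hosts are transparently redirected from 443 to the local
    # service on 444. FilterIn has no "tcp dport 444 accept" rule, so 444 is
    # reachable only through this redirect (see "ct status dnat accept").
    chain NAT_in {
        type nat hook prerouting priority -100;
        # Trusted hosts
        tcp dport 443 ip saddr 192.168.1.96/29 redirect to 444
    }

    chain NAT_out {
        type nat hook postrouting priority 100;
        # Masquerade connections that were DNATed in NAT_in.
        ct status dnat masquerade
    }

    chain FilterIn {
        type filter hook input priority 0; policy drop;

        # allow established/related connections
        ct state { established, related } accept
        # early drop of invalid connections
        ct state invalid drop
        # allow from loopback
        meta iif lo accept

        # ICMP: only the types needed for reachability tests and path/error
        # signalling, rather than every ICMP type. Replies to our own probes
        # are already covered by the established/related rule above.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept

        # trusted https: connections redirected to 444 by NAT_in. Only the
        # 192.168.1.96/29 hosts can create such a DNAT entry.
        ct status dnat accept
        # https (everyone else)
        tcp dport 443 accept
        # xmpp client (c2s)
        tcp dport 5222 accept
        # xmpp server (s2s)
        tcp dport 5269 accept
        # xmpp components
        tcp dport 5347 accept
    }

    chain FilterOut {
        type filter hook output priority 0; policy drop;

        ct state { established, related } accept
        # mirror FilterIn: do not let invalid-state packets out either
        ct state invalid drop
        meta oif lo accept

        # DNS. Restricted to port 53 — the previous rules accepted ANY
        # protocol/port towards these addresses, not just DNS. Anything
        # else the host needs from these IPs requires its own rule.
        ip daddr @dns_resolvers udp dport 53 accept
        ip daddr @dns_resolvers tcp dport 53 accept

        # prosody may open outbound connections (s2s, etc.) to anywhere.
        meta skuid prosody accept
    }
}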