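#!/usr/sbin/nft -f
# Host firewall for an XMPP (prosody) server: drop-by-default on both input
# and output, with a small allow-list and a port redirect for trusted hosts.
#
# The shebang was `#!/usr/bin/env nft -f`; on Linux a shebang passes at most
# one argument, so env received the single program name "nft -f" and failed.
# Loading with `nft -f <file>` ignores the shebang either way.
#
# Layout:
#   NAT_in    - redirect :443 from trusted hosts to :444 before filtering
#   NAT_out   - masquerade DNAT'd connections on the way out
#   FilterIn  - input allow-list (policy drop)
#   FilterOut - output allow-list (policy drop)
#
# NOTE(review): only an `ip` (IPv4) table is defined, and `flush ruleset`
# removes every table of every family. After this file loads, IPv6 traffic on
# this host is not filtered at all unless an ip6/inet ruleset is loaded
# afterwards. Either load one alongside this file or disable IPv6 on the host.

flush ruleset

table ip Inet4 {

	# FIXME: the address lists were missing from the reviewed copy of this
	# file (`ip saddr ... redirect` and five `ip daddr ... accept` rules had no
	# address operand). Both sets below load EMPTY, which fails closed: nothing
	# is redirected to :444 and no new outbound connection other than
	# prosody's is accepted until the elements are filled in.

	# Trusted hosts whose :443 connections are redirected to :444.
	# `flags interval` allows CIDR prefixes as well as single addresses.
	set trusted_hosts {
		type ipv4_addr
		flags interval
	}

	# Destinations this host itself may open new connections to.
	set egress_allow {
		type ipv4_addr
		flags interval
	}

	chain NAT_in {
		type nat hook prerouting priority -100
		# NAT chains see only the first packet of a connection; the redirect
		# is recorded in conntrack and later packets follow it automatically.
		ip saddr @trusted_hosts tcp dport 443 redirect to 444
	}

	chain NAT_out {
		type nat hook postrouting priority 100
		# Only relevant for DNAT'd traffic that leaves the host (forwarding).
		# A local redirect's first packet goes prerouting -> input and never
		# reaches postrouting, so with the current rules this appears unused;
		# kept so the ruleset stays correct if forwarding is added later.
		ct status dnat masquerade
	}

	chain FilterIn {
		type filter hook input priority 0
		policy drop

		# Replies and related flows first; drop what conntrack cannot classify.
		ct state { established, related } accept
		ct state invalid drop
		meta iif lo accept

		# Accepts every ICMPv4 type, including echo-request. Narrow this to
		# the types actually needed (echo-request, destination-unreachable,
		# time-exceeded, parameter-problem) if that is acceptable here.
		ip protocol icmp accept

		# Trusted hosts arrive on :444 via NAT_in. Matching on DNAT status
		# instead of `tcp dport 444` keeps :444 closed to direct connections.
		ct status dnat accept

		# https for everyone else (trusted hosts were already redirected)
		tcp dport 443 accept
		# xmpp: client-to-server, server-to-server, external components
		tcp dport { 5222, 5269, 5347 } accept
	}

	chain FilterOut {
		type filter hook output priority 0
		policy drop

		ct state { established, related } accept
		# Same early invalid drop as FilterIn, so a packet conntrack cannot
		# classify is not accepted by the destination/uid rules below.
		ct state invalid drop
		meta oif lo accept

		# Fixed destinations any local process may reach (DNS, NTP, ...).
		ip daddr @egress_allow accept

		# prosody gets unrestricted egress, presumably for server-to-server
		# connections to arbitrary peers; every other uid is limited to
		# egress_allow.
		meta skuid prosody accept
	}
}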