debian-setup/templates/nftables.j2

# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
# vim:set ts=2 sw=2 et:

flush ruleset

table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept

    iifname 'br0' tcp dport {{ ssh_port }} accept comment 'SSH'
    iifname 'br0' tcp dport { {{ http_port }}, {{ https_port }} } accept comment 'HTTP/HTTPS'

    iifname 'br0' tcp dport {{ vpn_port }} accept comment 'Wireguard'

    iifname '{{ vpn_interface }}' tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment 'HTTP/HTTPS'
    iifname '{{ vpn_interface }}' tcp dport {{ transmission_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment 'Transmission'
    iifname '{{ vpn_interface }}' tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment 'Syncthing'
    iifname '{{ vpn_interface }}' tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment 'MPD'
  }
}