# set up firewall and NAT with nftables

nftables is the successor to iptables.

## enable forwarding

Forwarding needs to be enabled in the kernel settings. In `/etc/sysctl.conf` add the line:

```
net.ipv4.ip_forward = 1
```

then reload the settings with:

```
sysctl --system
```

## make nftables rules

Install nftables if it is not already installed:

```
apt install nftables
```

in `/etc/nftables.conf`:

```
#!/usr/sbin/nft -f

# flush all rules
#flush ruleset

# flush only my tables
# (declaring a table before deleting it creates it if it does not exist yet,
# so the delete also succeeds the first time this file is loaded)
table inet myfilter
delete table inet myfilter
table ip mynat
delete table ip mynat

table inet myfilter {
    chain input {
        # accepts packets by default, because we don't want
        # to have to keep track of all interfaces we don't want
        # firewalled (lan0, wlan0, bridges, veths, etc)
        type filter hook input priority 0; policy accept;

        # drop invalid connections
        ct state invalid drop

        # packets that are received on a firewalled interface
        # are sent to the firewall chain for evaluation
        iifname wan0 jump firewall
    }

    chain firewall {
        # allow established/related connections
        ct state {established, related} accept

        # accept incoming HTTP(s) connections
        tcp dport {80, 443} accept

        # accept incoming SSH connections
        tcp dport 4322 accept

        # accept incoming SSH connections for gitea
        tcp dport 4323 accept

        # accept incoming minecraft MP connections
        udp dport {19132, 19133} accept
        tcp dport {19132, 19133} accept

        # block mDNS broadcasts
        udp dport 5353 drop

        # reject everything else
        reject
    }

    chain forward {
        # forward everything by default
        type filter hook forward priority 0; policy accept;

        # drop invalid connections
        ct state invalid drop

        # send packets received on WAN to firewall chain
        iifname wan0 jump firewall
    }

    chain output {
        # let everything out by default
        type filter hook output priority 0; policy accept;

        # block outgoing mDNS broadcasts
        udp dport 5353 drop
    }
}

table ip mynat {
    chain prerouting {
        type nat hook prerouting priority -100;

        # if I wanted to do port forwarding I could do it like this:
        # forward http to 192.168.82.10
        #tcp dport http dnat to 192.168.82.10
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # masquerade outbound packets going to WAN
        oifname "wan0" masquerade
    }
}
```

load this configuration with `nft -f /etc/nftables.conf`

The nftables service is also configured to load `/etc/nftables.conf` on boot by default.

## make sure service is enabled

make sure the service is enabled so that the rules are automatically applied on boot:

```
systemctl enable nftables
```
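Because the `input` and `forward` hooks above use `policy accept`, everything that the `firewall` chain does not explicitly decide falls back to being accepted once the jump returns, so the trailing `reject` and the `established, related` rule carry the whole policy. The following script is an added example (not part of the original note or of the nftables project) that audits a ruleset file's `firewall` chain in that light: it lists the TCP/UDP ports the chain accepts from the WAN side and flags a chain that lacks a terminal `reject`/`drop` or the established/related rule. The ruleset text embedded in it is a constructed copy of the chain above; the `audit_firewall_chain` function name and the simplified, line-based nft syntax it understands are assumptions of this example, not an official parser.

```python
"""Audit the WAN-facing 'firewall' chain of an nftables ruleset.

Added example: parses the chain's rules line by line (enough for the
style of ruleset used in the note above, not a full nft grammar) and
reports which ports it exposes and whether it terminates safely.
"""
import re
import sys
from typing import Dict, List

# Constructed sample matching the 'firewall' chain from /etc/nftables.conf above.
SAMPLE_RULESET = """
table inet myfilter {
    chain firewall {
        ct state {established, related} accept
        tcp dport {80, 443} accept
        tcp dport 4322 accept
        tcp dport 4323 accept
        udp dport {19132, 19133} accept
        tcp dport {19132, 19133} accept
        udp dport 5353 drop
        reject
    }
}
"""

# Constructed weak variant: no established/related rule and no terminal reject,
# so with 'policy accept' on the base chain every other packet gets through.
WEAK_RULESET = """
table inet myfilter {
    chain firewall {
        tcp dport {80, 443} accept
        udp dport 5353 drop
    }
}
"""

# A chain body runs from 'chain <name> {' to the first line that is only '}'.
CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{(.*?)\n\s*\}", re.S)
# Matches e.g. 'tcp dport {80, 443} accept' or 'udp dport 5353 drop'.
PORT_RULE_RE = re.compile(
    r"^(tcp|udp)\s+dport\s+(\{[^}]*\}|\d+)\s+(accept|drop|reject)$"
)


def extract_chain(ruleset: str, name: str) -> List[str]:
    """Return the non-empty, non-comment rule lines of the named chain."""
    for match in CHAIN_RE.finditer(ruleset):
        if match.group(1) == name:
            lines = (ln.strip() for ln in match.group(2).splitlines())
            return [ln for ln in lines if ln and not ln.startswith("#")]
    raise ValueError(f"chain {name!r} not found in ruleset")


def parse_ports(spec: str) -> List[int]:
    """Turn '4322' or '{80, 443}' into a list of integer ports."""
    return [int(p) for p in spec.strip("{}").split(",") if p.strip()]


def accepted_ports(rules: List[str]) -> Dict[str, List[int]]:
    """Collect the ports that 'accept' rules open, per protocol."""
    ports: Dict[str, set] = {"tcp": set(), "udp": set()}
    for rule in rules:
        match = PORT_RULE_RE.match(rule)
        if match and match.group(3) == "accept":
            ports[match.group(1)].update(parse_ports(match.group(2)))
    return {proto: sorted(found) for proto, found in ports.items()}


def audit_firewall_chain(ruleset: str, chain: str = "firewall") -> Dict[str, object]:
    """Report exposed ports plus findings about how the chain terminates."""
    rules = extract_chain(ruleset, chain)
    findings: List[str] = []
    if rules[-1] not in ("reject", "drop"):
        findings.append(
            "chain does not end with reject/drop; unmatched packets fall back "
            "to the base chain's 'policy accept'"
        )
    has_ct_accept = any(
        r.startswith("ct state") and "established" in r and r.endswith("accept")
        for r in rules
    )
    if not has_ct_accept:
        findings.append("no 'ct state {established, related} accept' rule; "
                        "reply traffic would be rejected")
    result: Dict[str, object] = dict(accepted_ports(rules))
    result["findings"] = findings
    return result


if __name__ == "__main__":
    # Usage: python audit.py [/etc/nftables.conf]; without an argument the
    # embedded sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    report = audit_firewall_chain(text)
    print("tcp accepted from WAN:", report["tcp"])
    print("udp accepted from WAN:", report["udp"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the real file after `nft -f` has loaded it, or better, against the output of `nft list ruleset`, so the audit reflects what the kernel actually holds rather than what the file says.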