# set up firewall and NAT with nftables

nftables is the successor to iptables.

## enable forwarding

Forwarding needs to be enabled in the kernel (sysctl) settings. In `/etc/sysctl.conf` add the line:

```
net.ipv4.ip_forward = 1
```

then reload the settings with:

```
sysctl --system
```

## make nftables rules

Install nftables if it is not already installed:

```
apt install nftables
```

In `/etc/nftables.conf`:

```
#!/usr/sbin/nft -f

# flush all rules
#flush ruleset

# flush only my tables
table inet myfilter
delete table inet myfilter
table ip mynatv4
delete table ip mynatv4

table inet myfilter {
    chain myinput {
        # use the "input" hook for this chain
        # accepts packets by default, because we don't want
        # to have to keep track of all interfaces we don't want
        # firewalled (lan0, wlan0, lxdbr0, veths, etc)
        type filter hook input priority 0; policy accept;

        # allow established/related connections
        ct state {established, related} accept

        # drop invalid connections
        ct state invalid drop

        # packets that are received on a firewalled interface
        # are sent to the firewall chain for evaluation
        iifname "wan0" jump myfirewall
    }

    chain myfirewall {
        # handle firewall

        # accept incoming HTTP(s) connections
        tcp dport {http, https} accept

        # accept incoming SSH connections
        tcp dport 4322 accept

        # reject everything else
        reject with icmpx type port-unreachable
    }

    chain myforward {
        # forward everything by default
        type filter hook forward priority 0; policy accept;

        # forward incoming on wan0 for established/related connections
        iifname wan0 ct state {established, related} accept

        # drop everything else
        iifname wan0 drop
    }

    chain myoutput {
        # let everything out by default
        type filter hook output priority 0; policy accept;

        # block outgoing mDNS broadcasts
        udp dport 5353 drop
    }
}

table ip mynatv4 {
    chain myprerouting {
        type nat hook prerouting priority -100;

        # if I wanted to do port forwarding I could do it like this:
        # forward http to 192.168.82.10
        #tcp dport http dnat to 192.168.82.10
    }

    chain mypostrouting {
        type nat hook postrouting priority 100;

        # masquerade outbound packets going to WAN
        oifname "wan0" masquerade
    }
}
```

Note that because the `input` and `forward` chains use `policy accept`, only traffic arriving on `wan0` is actually filtered: it is the `iifname "wan0"` rules that send packets to `myfirewall` or drop them, and packets on every other interface pass through untouched. Since `flush ruleset` is commented out, loading this file only replaces the two tables declared at the top and leaves any other tables on the system in place.

Load this configuration with `nft -f /etc/nftables.conf`. The nftables service is also configured to load this configuration file on boot by default.

## make sure service is enabled

Make sure the service is enabled so that the rules are automatically applied on boot:

```
systemctl enable nftables
```