#!/usr/sbin/nft -f

# Start from an empty kernel ruleset (all families, all tables) so this
# file is the complete definition of the firewall after it is loaded.
flush ruleset

# Interfaces: the OpenVPN tunnel and the link towards the Internet
define vpn_if=tun0
define outside_if=enp0s17

# OpenVPN UDP listener and the source range of VPN client traffic
define vpn_port=6174
define vpn_subnet=10.10.10.0/24

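table inet filter {

        # Traffic addressed to this host. Without the 'type ... hook' line
        # the chain was a regular chain that nothing jumps to, so its rule
        # was never evaluated.
        chain input {
                # 'policy accept' keeps the host reachable exactly as before
                # (an unhooked chain filters nothing).
                # NOTE(review): tightening this to 'policy drop' requires
                # explicit accepts for loopback, established/related and any
                # management access first -- confirm before changing.
                type filter hook input priority 0; policy accept;

                # allow OpenVPN VPN connections to the Server
                udp dport $vpn_port accept
        }

        chain forward {
                # Drop forwarded packets if they are not matched
                type filter hook forward priority 0; policy drop;

                # allow existing connections (this is what lets replies from
                # the outside interface reach VPN clients)
                ct state related,established accept

                # allow new flows from the VPN interface towards the outside
                # interface only; the reverse direction is covered solely by
                # the established/related rule above
                iifname $vpn_if oifname $outside_if accept
        }

        chain output {
                # NOTE(review): this chain has no 'type filter hook output'
                # line either, so none of the drops below are evaluated.
                # It is deliberately left unhooked here: the two tcp-flag
                # rules match every packet carrying FIN+ACK or RST+ACK,
                # which includes the normal FIN/ACK segments the host sends
                # when closing its own connections, so hooking them as
                # written would break outbound TCP. Rework the match (e.g.
                # scope it by conntrack state) before adding
                # 'type filter hook output priority 0; policy accept;'.
                # Security drops
                ct state invalid counter drop
                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
        }

}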

# create an IPv4 table only for NAT entries (you need both chains even if they're empty)
table ip nat {
        chain prerouting {
                # Registered so both NAT hooks exist; holds no DNAT rules yet.
                type nat hook prerouting priority 0;
        }

        chain postrouting {
                type nat hook postrouting priority 100;

                # Source-NAT (masquerade) packets from the VPN subnet that
                # came in on the tunnel and leave via the outside interface.
                ip saddr $vpn_subnet iifname $vpn_if oifname $outside_if masquerade
        }
}