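#!/usr/sbin/nft -f
# example configuration for a router
#
# Interface names and the local prefix are the parameters of this example;
# adjust them to the host before loading. Traffic from the local network is
# masqueraded on the WAN side, the LAN may reach the router and originate
# forwarded connections, and everything else must belong to an existing
# connection or is dropped by the chain policies.

define loop_interface = "lo"
define wan_interface = "enp0s0"
define lan_interface = "enp1s0"
define local_network = 192.168.1.0/24

# Start from an empty ruleset so that reloading this file is idempotent.
# This discards every table, including ones created by other tools.
flush ruleset

table ip routing {
    chain masquerading {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite the source of local-network traffic that leaves through the
        # WAN interface; traffic staying inside the local network is untouched.
        ip saddr { $local_network } ip daddr != { $local_network } oifname { $wan_interface } masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Match interfaces by name (iifname) rather than by index (iif): an
        # index match makes the whole file fail to load when the interface
        # does not exist yet, and the NAT rule above already matches by name.
        iifname { $loop_interface } accept
        iifname { $lan_interface } accept
        ct state { related, established } accept
        ct state invalid drop
        # The rate-limited echo-request rule must come before the generic
        # ICMP accept; placed after it, it is never reached and pings to the
        # router are unlimited. Requests above the limit are dropped
        # explicitly so the generic rule cannot accept them.
        icmp type echo-request limit rate 5/second accept
        icmp type echo-request drop
        meta l4proto icmp accept
        # This is an inet table, so IPv6 traverses it as well. Without these
        # rules all ICMPv6 from the WAN side (including neighbour discovery)
        # falls through to the drop policy; mirror the IPv4 ICMP handling.
        icmpv6 type echo-request limit rate 5/second accept
        icmpv6 type echo-request drop
        meta l4proto ipv6-icmp accept
    }
    chain output {
        # The router's own outbound traffic is not filtered.
        type filter hook output priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { related, established } accept
        ct state invalid drop
        # Only the LAN may originate forwarded connections; replies from the
        # WAN side are admitted by the conntrack rule above.
        iifname { $lan_interface } accept
    }
}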