nixos-config/machines/shinobu/services/router/rules.nft
Simon Bruder 816004e80b
restic: Use QoS instead of uploadLimit
This implements a crude mechanism for signalling my router to add the
packets to its own qdisc.

The way in which this is implemented with nftables is hacky because of
NixOS’ limitations on build-time checking (which obviously can’t know
about the existence of cgroups on the target).
2023-10-07 22:49:47 +02:00


# Interfaces on the inside of the NAT; the forward filter below lets them
# initiate connections towards $NAT_WAN_IFACES.
define NAT_LAN_IFACES = { "br-lan" }
# The physical uplink.  The restrict-wan table only admits reply traffic
# and IPv6 neighbour discovery on it.
define PHYSICAL_WAN = "enp1s0"
# Outside of the NAT (masqueraded in table inet nat); currently just the uplink.
define NAT_WAN_IFACES = { $PHYSICAL_WAN }
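# Forwarding policy of the NAT router: the LAN may initiate anything
# towards the WAN, the WAN only gets reply traffic back in.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop

        # Packets conntrack cannot attribute to a flow (e.g. out-of-window
        # TCP segments) never get a NAT mapping in table inet nat, so
        # forwarding them would send them to the WAN with their unrewritten
        # LAN source address.  Drop them before the LAN->WAN accept.
        ct state invalid counter drop

        # allow traffic between lan and wan
        iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
        iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
    }
}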
table inet nat {
    # Source NAT: everything leaving through a WAN interface gets the
    # address of that interface as its source.
    chain postrouting {
        type nat hook postrouting priority filter; policy accept
        meta oifname $NAT_WAN_IFACES masquerade
    }
}
# Only allow select connections from and to (physical) wan,
# overriding NixOS firewall in some cases.
table inet restrict-wan {
    # Both chains run before the NixOS firewall chains (priority 0): a
    # numerically lower priority is evaluated earlier.  Only the drop below
    # actually overrides the NixOS firewall; an accept ends this chain but
    # the packet still has to pass the NixOS input chain afterwards.
    chain input {
        type filter hook input priority -50; policy accept

        # replies to connections this host opened over the uplink
        meta iifname $PHYSICAL_WAN ct state established,related counter accept

        # IPv6 neighbour discovery and router advertisements on the uplink
        meta iifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # nothing else from the uplink may reach the host itself
        meta iifname $PHYSICAL_WAN counter drop
    }

    # Postrouting sees locally generated and forwarded packets alike.
    chain postrouting {
        type filter hook postrouting priority 0; policy accept

        # everything leaving via the uplink is accepted (and counted)
        meta oifname $PHYSICAL_WAN counter accept
    }
}
# Traffic control
# Needs output and prerouting to match packets from localhost and lan
# Traffic control: tag packets with an skb priority (class ids 1:N of a
# qdisc configured outside this file) so the router's own qdisc can queue
# them.  Locally generated packets are classified in `output`, packets
# forwarded from the LAN in `forward`; both share the rules in `common`.
# NOTE(review): the DSCP matches in `common` trust whatever DSCP the
# sending host set, so any LAN host can claim a class (VoIP, restic, ...)
# simply by marking its packets.  Acceptable on a home LAN, but not a
# trust boundary.
table inet tc {
    chain output {
        # route type: "fuuko torrent" below rewrites the DSCP field, and a
        # route chain lets the kernel re-evaluate routing after header
        # changes on locally generated packets.
        type route hook output priority mangle

        # upstream resolvers; hardcoded, but unlikely to change
        ip daddr { "9.9.9.9", "149.112.112.112" } meta priority set 1:3 counter return comment "DNS (4)"
        ip6 daddr { "2620:fe::9", "2620:fe::fe" } meta priority set 1:3 counter return comment "DNS (6)"
        jump common
    }
    chain forward {
        type filter hook forward priority mangle
        jump common
    }
    # Order matters: every rule returns on its first match, so the more
    # specific rules (restic to its backup host) must precede the generic
    # ones (any HTTPS) that would otherwise swallow them.
    chain common {
        # ACKs and other tiny segments, keeps uploads from stalling downloads
        meta l4proto tcp meta length 1-64 meta priority set 1:3 counter return comment "small tcp packets"
        # SSH sessions that the client marked as interactive (af21)
        tcp dport 22 ip dscp af21 meta priority set 1:4 counter return comment "interactive SSH (4)"
        tcp dport 22 ip6 dscp af21 meta priority set 1:4 counter return comment "interactive SSH (6)"
        # Bulk torrent traffic signalled by af13; this is the only rule that
        # clears the DSCP again (cs0) before the packet reaches the WAN.
        meta l4proto udp ip dscp af13 meta priority set 1:5 ip dscp set cs0 counter return comment "fuuko torrent"
        # restic backups signal themselves with af12 towards the backup
        # host (same address as the wg-home peer below); must come before
        # the generic HTTPS rule.
        ip daddr 168.119.176.53 tcp dport 443 ip dscp af12 meta priority set 1:9 counter return comment "restic (4)"
        ip6 daddr 2a01:4f8:c012:2f4::1 tcp dport 443 ip6 dscp af12 meta priority set 1:9 counter return comment "restic (6)"
        meta l4proto { tcp, udp } th dport 443 meta priority set 1:6 counter return comment "HTTPS"
        # WireGuard tunnel to the home peer
        ip daddr 168.119.176.53 udp dport 51820 meta priority set 1:7 counter return comment "wg-home"
        # Expedited forwarding as set by the VoIP endpoints
        meta l4proto { tcp, udp } ip dscp ef meta priority set 1:8 counter return comment "VoIP (4)"
        meta l4proto { tcp, udp } ip6 dscp ef meta priority set 1:8 counter return comment "VoIP (6)"
        meta l4proto { tcp, udp } th dport 64738 meta priority set 1:8 counter return comment "Mumble"
    }
}
# Tracing infrastructure, can be used for debugging (nft monitor trace)
table inet trace {
    # Hook in ahead of every other table (raw is -300) so a traced packet
    # shows its complete path through the ruleset.
    chain prerouting {
        type filter hook prerouting priority -301
        jump common
    }
    chain output {
        type filter hook output priority -301
        jump common
    }
    # While debugging, temporarily add `… meta nftrace set 1` rules here
    # and watch them with `nft monitor trace`.
    # DO NOT COMMIT ANY TRACING RULES
    chain common {
    }
}