These nftables firewall examples are from my previous house. All of them require ipv4.forward to be enabled in /etc/sysctl.conf, as well as running a DHCP server when plugging into an existing router's WAN port.
This allowed me to use Raspberry Pis and USB network adaptors instead of more permanent hardware.
The first and last examples sat between the NBN box and the internet service provider's supplied router. The final one also ended up with some IPv6 nftables rules.
There are some port forwards, with a few different conditions explained in the comments.
There are rules for a few dodgy packets; this is possibly not the ideal way of doing it all, but they are provided as samples for those googling the subject. Hi!
This one was for going between the router and the NBN box, using a USB network card for the WAN connection.
#!/sbin/nft -f
# Replace the whole live ruleset with the one defined below; anything another
# tool added to the kernel since the last load is discarded as well.
flush ruleset
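table ip filter {
    # Traffic originating from the firewall host itself is not restricted.
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # Traffic addressed to the firewall host. eth0 and wlan0 are the LAN side
    # and are trusted in full; eth1 is the WAN side and only gets replies to
    # connections this host opened, ICMP, and SSH.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo counter accept comment "accept loopback"
        # Ordered before the per-interface accepts so that it also applies to
        # eth0/wlan0 traffic; placed after them it would only ever see WAN packets.
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" ct state established,related counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"

        # Not limited by interface, so the host also answers every ICMP type
        # (e.g. echo-request) from the WAN; narrow the types or add a rate
        # limit if that is unwanted.
        ip protocol icmp counter accept comment "accept all ICMP types"

        # The host's SSH is reachable from the whole WAN with no source
        # restriction or rate limit; a saddr restriction and key-only
        # authentication are advisable for this rule.
        iifname "eth1" tcp dport 22 counter accept comment "accept SSH"

        # Everything else falls through to the drop policy; this only counts it.
        counter comment "count dropped packets"
    }

    # Routed traffic. The LAN (eth0) may open connections towards the WAN (eth1)
    # and wlan0; the WAN may only carry replies to connections the LAN started.
    chain forward {
        type filter hook forward priority 0; policy drop;

        iifname "eth0" oifname "eth1" counter accept comment "eth0 to eth1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "eth1" oifname "eth0" ct state related,established counter accept comment "external to eth0"

        # NOTE(review): the DNAT rules in table ip nat (eth1 dport 23/443 ->
        # 192.168.4.80) create *new* eth1 -> eth0 connections (assuming
        # 192.168.4.80 sits behind eth0), which no rule above accepts, so those
        # port forwards appear to be dropped here. If they are wanted, an accept
        # matching `ct status dnat` for exactly those destinations is needed;
        # confirm against the counters.
        counter comment "count dropped packets"
    }
}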
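table ip nat {
    # Sanity filtering that runs before NAT. A filter-type chain may live in
    # any table; priority -150 is after connection tracking (-200) and before
    # the nat prerouting chain (0), so `ct state` is already populated here.
    chain early_packet_filter {
        type filter hook prerouting priority -150; policy accept;

        # drop badly formed packets
        ct state invalid drop
        # a new TCP connection must begin with a lone SYN
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        # every flag set ("xmas") and no flag set ("null") never occur legitimately
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        # SYNs advertising an unusually small MSS (1-536) are treated as abusive
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    # Destination NAT for inbound connections arriving on the WAN side.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        # These only rewrite the destination; the forward chain in table ip
        # filter must also accept the resulting new eth1 -> eth0 connection
        # (e.g. via `ct status dnat`), otherwise the forwarded packets are
        # dropped there.
        iifname "eth1" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "eth1" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth1" counter masquerade comment "masquerade"
    }
}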
butles was using a USB WiFi adaptor for the internet (wlan1), the on-board WiFi for a GoPro network (wlan0), and a wired connection to the garage router's WAN port (eth0).
#!/sbin/nft -f
# Replace the whole live ruleset with the one defined below; anything another
# tool added to the kernel since the last load is discarded as well.
flush ruleset
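table ip filter {
    # Traffic originating from the firewall host itself is not restricted.
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # Traffic addressed to the firewall host. wlan0 (GoPro network) and eth0
    # (wired to the garage router) are trusted in full; wlan1 is the upstream
    # side and only gets replies, ICMP, and a few services limited by source.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo counter accept comment "accept loopback"
        # Ordered before the per-interface accepts so that it also applies to
        # wlan0/eth0 traffic; placed after them it would only ever see wlan1 packets.
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

        iifname "wlan0" counter accept comment "accept wlan0"
        iifname "wlan1" ct state established,related counter accept comment "accept traffic from us"
        iifname "eth0" counter accept comment "accept eth0"

        # Not limited by interface, so the host answers every ICMP type on wlan1 too.
        ip protocol icmp counter accept comment "accept all ICMP types"

        # Management services on the host; the ip saddr match is the only thing
        # keeping them off the rest of the upstream network, so keep it tight.
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 22 counter accept comment "accept SSH from garage"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 5000 counter accept comment "accept OCTOPRINT"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 8080 counter accept comment "accept WEBCAM"
        # NOTE(review): the comment refers to the router's WAN port, which the
        # description says is wired to eth0, yet the rule matches wlan1 with a
        # different subnet; confirm which interface this traffic really arrives on.
        iifname "wlan1" ip saddr 192.168.2.0/24 tcp dport 24800 counter accept comment "accept SYNERGY from routers wan port"

        # Everything else falls through to the drop policy; this only counts it.
        counter comment "count dropped packets"
    }

    # Routed traffic. wlan0 and eth0 may open connections towards the upstream
    # side (wlan1), eth0 may also reach wlan0; wlan1 may only carry replies.
    # There is no wlan0 -> eth0 rule, so the GoPro network cannot reach the
    # garage router's side.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Rule comment corrected: the match is on wlan0, not eth0.
        iifname "wlan0" oifname "wlan1" counter accept comment "wlan0 to wlan1"
        iifname "eth0" oifname "wlan1" counter accept comment "eth0 to wlan1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "wlan1" oifname "wlan0" ct state related,established counter accept comment "external to wlan0"
        iifname "wlan1" oifname "eth0" ct state related,established counter accept comment "external to eth0"

        counter comment "count dropped packets"
    }
}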
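table ip nat {
    # Sanity filtering that runs before NAT. A filter-type chain may live in
    # any table; priority -150 is after connection tracking (-200) and before
    # the nat prerouting chain (0), so `ct state` is already populated here.
    chain early_packet_filter {
        type filter hook prerouting priority -150; policy accept;

        # drop badly formed packets
        ct state invalid drop
        # a new TCP connection must begin with a lone SYN
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        # every flag set ("xmas") and no flag set ("null") never occur legitimately
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        # SYNs advertising an unusually small MSS (1-536) are treated as abusive
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    # No port forwards on this box; the chain is kept so the hook is registered.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan1" counter masquerade comment "masquerade"
    }
}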
Backup of the PPPoE NBN setup. It needed a VLAN ID and authentication details copied from the supplied router's admin page. Also includes fail2ban and IPv6.
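#!/sbin/nft -f
# Replace the whole live ruleset with the one defined below; anything another
# tool added to the kernel since the last load is discarded as well.
flush ruleset
# Pulled in after the flush so fail2ban's objects become part of this ruleset.
# NOTE(review): a reload of this file therefore presumably also discards any
# bans fail2ban has added since it last wrote that file — confirm against the
# fail2ban action in use.
include "/etc/nftables/fail2ban.conf"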
table ip fail2ban {
    # Base chain for fail2ban's bans. Priority 100 runs after the filter input
    # chain (priority 0); an accept verdict there does not bypass this chain,
    # because every base chain on a hook is evaluated in priority order and only
    # a drop is final. No policy is given, so the chain defaults to accept.
    chain input {
        type filter hook input priority 100;
    }
}
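table ip filter {
    # Traffic originating from the firewall host itself is not restricted.
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # Traffic addressed to the firewall host. eth0, eth1 and wlan0 are the LAN
    # side and are trusted in full; ppp0 is the PPPoE WAN and only gets replies
    # to connections this host opened, ICMP, and the listed TCP ports.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo counter accept comment "accept loopback"
        # Ordered before the per-interface accepts so that it also applies to
        # LAN traffic; placed after them it would only ever see ppp0 packets.
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" counter accept comment "accept eth1"
        iifname "ppp0" ct state established,related counter accept comment "accept traffic back from us"
        # Disabled: this would accept everything arriving from the WAN.
        #iifname "ppp0" counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"

        # Not limited by interface, so the host also answers every ICMP type
        # from the WAN; narrow the types or add a rate limit if that is unwanted.
        ip protocol icmp counter accept comment "accept all ICMP types"

        # The host's SSH is reachable from the whole WAN with no source
        # restriction; fail2ban (separate table, priority 100) is the only
        # brake on brute force here, so key-only authentication is advisable.
        iifname "ppp0" tcp dport 22 counter accept comment "accept SSH"
        # NOTE(review): ports 23 and 443 from ppp0 are DNATed to 192.168.4.80 in
        # table ip nat before the input/forward split, so these two rules should
        # never match (the rewritten packets go through the forward chain, not
        # input); they look like dead rules — confirm with the counters.
        iifname "ppp0" tcp dport 23 counter accept comment "accept SSH to slab"
        iifname "ppp0" tcp dport 443 counter accept comment "accept HTTPS to slab"

        # Everything else falls through to the drop policy; this only counts it.
        counter comment "count dropped packets"
    }

    # Routed traffic. Only eth0 may open connections towards the WAN (ppp0) and
    # wlan0; ppp0 may only carry replies back to eth0. Nothing is forwarded
    # from eth1 or wlan0, so hosts on those interfaces have no WAN access here.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Rule comment corrected: the output interface is ppp0, not eth1.
        iifname "eth0" oifname "ppp0" counter accept comment "eth0 to ppp0"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "ppp0" oifname "eth0" ct state related,established counter accept comment "external to eth0"

        # NOTE(review): the DNAT rules in table ip nat (ppp0 dport 23/443 ->
        # 192.168.4.80) create *new* ppp0 -> eth0 connections (assuming
        # 192.168.4.80 sits behind eth0), which no rule above accepts, so those
        # port forwards appear to be dropped here. If they are wanted, an accept
        # matching `ct status dnat` for exactly those destinations is needed;
        # confirm against the counters.
        counter comment "count dropped packets"
    }
}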
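table ip nat {
    # Sanity filtering that runs before NAT. A filter-type chain may live in
    # any table; priority -150 is after connection tracking (-200) and before
    # the nat prerouting chain (0), so `ct state` is already populated here.
    chain early_packet_filter {
        type filter hook prerouting priority -150; policy accept;

        # drop badly formed packets
        ct state invalid drop
        # a new TCP connection must begin with a lone SYN
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        # every flag set ("xmas") and no flag set ("null") never occur legitimately
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        # SYNs advertising an unusually small MSS (1-536) are treated as abusive
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    # Destination NAT for inbound connections arriving on the PPPoE WAN.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        # These only rewrite the destination; the forward chain in table ip
        # filter must also accept the resulting new ppp0 -> eth0 connection
        # (e.g. via `ct status dnat`), otherwise the forwarded packets are
        # dropped there. The matching "accept ... to slab" rules in the filter
        # input chain do not help, since DNATed packets never reach input.
        iifname "ppp0" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "ppp0" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "ppp0" counter masquerade comment "masquerade"
    }
}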
table ip6 firewall {
    # IPv6 traffic addressed to the host. No policy is given (so the chain's
    # own default is accept), but the unconditional drop at the end makes it
    # default-deny in practice.
    # NOTE(review): there is no ip6 forward chain at all, so if IPv6 forwarding
    # is enabled in sysctl, routed IPv6 between ppp0 and the LAN is unfiltered;
    # the ip filter table above only covers IPv4.
    chain incoming {
        type filter hook input priority 0;
        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # loopback interface
        iifname lo accept
        # icmp
        # NOTE(review): nd-neighbor-advert and nd-router-advert are not in this
        # set, and neighbour-discovery messages are (to my knowledge) not
        # conntrack-tracked, so replies to this host's own solicitations would
        # hit the final drop; verify that IPv6 neighbour discovery and SLAAC
        # actually work with this chain loaded.
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept
        # drop everything else
        # This also drops all unsolicited IPv6 from the LAN interfaces, since
        # there is no per-interface accept like the ip filter table has.
        drop
    }
}