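#!/bin/bash
# Inferencium - ZA-00-00
# nftables - Configuration
# Version: 0.1.0
# Copyright 2025 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause
#
# Builds the complete ruleset as one nft script and loads it with a single
# `nft -f -`, so the flush and every rule land in ONE transaction. The
# previous per-rule `nft add ...` sequence left the host with an empty,
# accept-everything input chain between `flush ruleset` and the final `drop`,
# and a failing command part-way through left a partially built ruleset in
# place. With an atomic load either the whole new ruleset applies or the old
# one stays untouched.
#
# Usage: run as root; no environment variables are required.
# Changes vs. the per-rule version (behaviour otherwise identical):
#   - Murmur and WireGuard prerouting DNAT matched `ip saddr ${inf}` (packets
#     *from* the WAN address) and so could never fire; they now match
#     `ip daddr ${inf}` like every other published service.
#   - WireGuard is published over UDP (the input chain only admits it over
#     UDP; the DNAT/SNAT pair previously matched TCP).

set -euo pipefail

# Variable
## nftables path
readonly nft="/usr/sbin/nft"
## Interface
readonly lan=enp16s0
readonly wan=enp41s0
readonly lan_net=10.0.0.0/24
## IP address - LAN
readonly xb_00_01=10.0.0.21
## IP address - WAN
readonly inf=185.241.226.159
## Port
readonly ssh=22
readonly domain=53
readonly domains=853
readonly http=80
readonly https=443
readonly rtmp=1935
readonly xmpp0=3478
readonly xmpp1=5222
readonly xmpp_s2s=5269
readonly xmpp3=5349
readonly xmpp_https=5443
readonly murmur=64738
readonly wg=51820

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the prerouting DNAT rule that publishes one WAN-facing service on the
# LAN host (same port on both sides).
# Globals:   wan, inf, xb_00_01 (read)
# Arguments: $1 - layer-4 protocol (tcp|udp); $2 - port
# Outputs:   one nft rule line to stdout
#######################################
dnat_to_lan() {
  local proto=$1 port=$2
  printf '    iifname "%s" ip daddr %s %s dport %s dnat to %s:%s\n' \
    "${wan}" "${inf}" "${proto}" "${port}" "${xb_00_01}" "${port}"
}

#######################################
# Print the postrouting SNAT rule that maps the LAN host's source port of a
# published service back to the WAN address (same port on both sides).
# Globals:   wan, inf, xb_00_01 (read)
# Arguments: $1 - layer-4 protocol (tcp|udp); $2 - port
# Outputs:   one nft rule line to stdout
#######################################
snat_from_lan() {
  local proto=$1 port=$2
  printf '    oifname "%s" ip saddr %s %s sport %s snat to %s:%s\n' \
    "${wan}" "${xb_00_01}" "${proto}" "${port}" "${inf}" "${port}"
}

#######################################
# Print the whole nft ruleset (nft native syntax) to stdout.
# Globals:   all interface/address/port variables above (read)
# Outputs:   nft script, beginning with `flush ruleset`
#######################################
ruleset() {
  cat <<EOF
flush ruleset

table inet table_base {
  chain filter_input {
    # Unmatched packets are dropped; this replaces the trailing "drop" rule.
    type filter hook input priority 0; policy drop;

    # Drop
    ## Drop IP address ranges reserved for LAN when they arrive on the WAN
    iifname "${wan}" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
    ## Drop invalid packets
    ct state invalid drop

    # Accept
    ## localhost
    iifname "lo" ct state new,established,related accept
    ## ICMP
    ## NOTE(review): "ip protocol icmp" matches IPv4 only; if this host carries
    ## IPv6, ICMPv6 (neighbour discovery) is not admitted anywhere - confirm.
    ip protocol icmp accept
    ## LAN packets
    iifname "${lan}" ip saddr ${lan_net} ct state new,established,related accept
    ## WAN packets
    iifname "${wan}" ct state established,related accept

    # SSH - LAN side only; WAN-side SSH is forwarded to the LAN host via nat_pre
    iifname "${lan}" tcp dport ${ssh} ct state new accept
    # DNS
    tcp dport ${domain} ct state new accept
    udp dport ${domain} ct state new accept
    # DNS Secure
    tcp dport ${domains} ct state new accept
    udp dport ${domains} ct state new accept
    # HTTP
    tcp dport ${http} ct state new accept
    udp dport ${http} ct state new accept
    # HTTPS
    tcp dport ${https} ct state new accept
    udp dport ${https} ct state new accept
    # RTMP
    tcp dport ${rtmp} ct state new,established accept
    udp dport ${rtmp} ct state new,established accept
    # XMPP
    tcp dport { ${xmpp1}, ${xmpp_s2s}, ${xmpp_https} } ct state new accept
    udp dport { ${xmpp0}, ${xmpp1}, ${xmpp_s2s}, ${xmpp3}, ${xmpp_https} } ct state new accept
    # Murmur
    tcp dport ${murmur} ct state new accept
    udp dport ${murmur} ct state new accept
    # WireGuard
    udp dport ${wg} ct state new accept
  }

  chain filter_forward {
    type filter hook forward priority 0; policy accept;
    # NOTE(review): kept open as in the original. Everything DNAT'd below and
    # all routed LAN<->WAN traffic passes unfiltered; limiting this chain to
    # "ct state established,related" plus "ct status dnat" would confine
    # WAN-initiated forwards to the published services - confirm before
    # enabling, as it changes reachability.
  }

  chain filter_output {
    type filter hook output priority 0; policy accept;
  }

  chain nat_pre {
    type nat hook prerouting priority 0;
    # SSH
$(dnat_to_lan tcp "${ssh}")
    # HTTP
$(dnat_to_lan tcp "${http}")
    # HTTPS
$(dnat_to_lan tcp "${https}")
    # RTMP
$(dnat_to_lan tcp "${rtmp}")
    # XMPP
    # NOTE(review): ${xmpp0} and ${xmpp3} are published over TCP only, while
    # filter_input admits them over UDP only - confirm which is intended.
$(dnat_to_lan tcp "${xmpp0}")
$(dnat_to_lan tcp "${xmpp1}")
$(dnat_to_lan tcp "${xmpp_s2s}")
$(dnat_to_lan tcp "${xmpp3}")
$(dnat_to_lan tcp "${xmpp_https}")
    # Murmur
$(dnat_to_lan tcp "${murmur}")
    # WireGuard
$(dnat_to_lan udp "${wg}")
  }

  chain nat_post {
    type nat hook postrouting priority 0;
    # Per-service SNAT comes first so it wins over the catch-all LAN SNAT below.
    # SSH
$(snat_from_lan tcp "${ssh}")
    # HTTP
$(snat_from_lan tcp "${http}")
    # HTTPS
$(snat_from_lan tcp "${https}")
    # RTMP
$(snat_from_lan tcp "${rtmp}")
    # XMPP
$(snat_from_lan tcp "${xmpp0}")
$(snat_from_lan tcp "${xmpp1}")
$(snat_from_lan tcp "${xmpp_s2s}")
$(snat_from_lan tcp "${xmpp3}")
$(snat_from_lan tcp "${xmpp_https}")
    # Murmur
$(snat_from_lan tcp "${murmur}")
    # WireGuard
$(snat_from_lan udp "${wg}")
    # NAT - everything else leaving the LAN
    oifname "${wan}" ip saddr ${lan_net} snat to ${inf}
  }
}
EOF
}

#######################################
# Load the ruleset atomically and persist it.
# Globals:   nft (read)
# Returns:   exits non-zero (via set -e / die) if loading or saving fails
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -x "${nft}" ]] || die "nft not found at ${nft}"
  # Single transaction: nft applies the whole script or nothing (pipefail
  # makes a failure in either stage fatal).
  ruleset | "${nft}" -f -
  # Save policy
  /etc/init.d/nftables save
}

main "$@"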