#!/usr/sbin/nft -f
# Start from a clean slate. This removes every existing table, chain and rule
# in all families — not only the ones defined in this file — so anything added
# by other tooling is lost each time this file is loaded.
flush ruleset
# NAT таблица для DNAT
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source NAT for everything leaving through enp0s8.
        # NOTE(review): the original comment calls this "masquerade for the LAN".
        # If enp0s8 is the LAN-facing interface, DNATed WAN connections to the
        # web server also get their source rewritten to the gateway's LAN address,
        # so the web server will not see the real client IP — confirm which
        # interface is the WAN side before relying on its access logs.
        meta oifname "enp0s8" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Port-forward inbound HTTP arriving on the WAN interface (enp0s9)
        # to the web server in the LAN.
        meta iifname "enp0s9" tcp dport 80 dnat to 192.168.12.10
    }
}
# Фильтрующая таблица
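table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback is trusted.
        iifname "lo" accept

        # Replies to connections this host or its NATed clients initiated.
        ct state established,related accept

        # Packets conntrack cannot associate with any flow (bad TCP flag
        # combinations, out-of-window segments) never reach the accepts below.
        ct state invalid drop

        # Anti-spoofing: the LAN prefix must never arrive on the WAN interface
        # (enp0s9 is the WAN side according to the nat table). Without this the
        # SSH rule below is reachable from the WAN by forging a LAN source address.
        iifname "enp0s9" ip saddr 192.168.12.0/24 drop

        # ICMPv4 needed for reachability, path-MTU discovery and traceroute.
        # 'redirect' is intentionally no longer accepted: a gateway should not
        # let on-link hosts rewrite its routing table (the kernel only honours
        # redirects when accept_redirects is enabled, but filtering is the
        # cheaper guard). 'icmp type' already implies the IPv4/ICMP protocol match.
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded } accept

        # NOTE(review): this is an inet table with policy drop and no icmpv6 rule,
        # so IPv6 — including neighbour discovery — is blocked here entirely. That
        # is fine for an IPv4-only box; otherwise an 'icmpv6 type { nd-neighbor-solicit,
        # nd-neighbor-advert, ... } accept' rule is needed. Confirm whether IPv6 is in use.

        # Management SSH only from the LAN prefix. 'tcp dport' implies the L4
        # protocol match, so the separate 'ip protocol tcp' of the original rule
        # is not needed.
        ip saddr 192.168.12.0/24 tcp dport 22 accept

        # Logging is rate-limited so a flood cannot fill the journal; packets over
        # the limit are still dropped by the explicit rule that follows.
        limit rate 10/minute burst 20 packets log prefix "INPUT DROP: "
        drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing, same reasoning as in the input chain.
        iifname "enp0s9" ip saddr 192.168.12.0/24 drop

        # LAN hosts may open connections anywhere; NAT for that traffic is
        # handled by the nat table.
        ip saddr 192.168.12.0/24 accept

        # Inbound HTTP that the nat table DNATed to the web server. The forward
        # hook sees the packet after DNAT but still with its WAN source address,
        # so without this rule the new connection falls through to the drop
        # policy and the DNAT never works. 'ct status dnat' ties the accept to
        # the NAT mapping rather than to any packet that merely names the server.
        iifname "enp0s9" ct status dnat ip daddr 192.168.12.10 tcp dport 80 ct state new accept

        limit rate 10/minute burst 20 packets log prefix "FORWARD DROP: "
        drop
    }

    chain output {
        # Locally generated traffic is not restricted.
        type filter hook output priority filter; policy accept;
    }
}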