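#!/usr/sbin/nft -f
# Host firewall: default-deny inbound, with per-source rate and connection
# limits that temporarily blackhole abusive sources.

# NOTE: "flush ruleset" wipes every table in every family (including tables
# maintained by other tools), not just "inet filter" below.
flush ruleset

table inet filter {
    # Sources caught by the limits in the input chain. Elements expire after
    # 1 minute unless refreshed; "flags dynamic" is what lets rules add to
    # these sets at packet time.
    set blackhole_ipv4 {
        type ipv4_addr
        timeout 1m
        flags dynamic
    }

    set blackhole_ipv6 {
        type ipv6_addr
        timeout 1m
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Block all IPs in blackhole.
        # "set update" refreshes the element's timeout on every packet, so a
        # source stays blocked for as long as it keeps sending. These rules
        # sit before the established/related accept so that existing
        # connections from a blackholed source are cut as well.
        ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
        ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop

        ct state invalid drop
        ct state { established, related } accept

        # Prevent DDoS
        # Everything below only sees packets that are not part of an
        # already-accepted connection (new or untracked traffic).

        # Rate limiting: more than 50 packets/second (burst 10) from one
        # source blackholes it. The packet that trips the meter is dropped
        # too; without the trailing "drop" it would fall through to the
        # accept rules further down.
        meta nfproto ipv4 meter ratelimit4 \
            { ip saddr limit rate over 50/second burst 10 packets } \
            add @blackhole_ipv4 { ip saddr } drop
        meta nfproto ipv6 meter ratelimit6 \
            { ip6 saddr limit rate over 50/second burst 10 packets } \
            add @blackhole_ipv6 { ip6 saddr } drop

        # Max concurrent connections per source; same add-and-drop pattern.
        meta nfproto ipv4 meter connlimit4 \
            { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } drop
        meta nfproto ipv6 meter connlimit6 \
            { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } drop

        # Allow ICMP (all types). ICMPv6 carries neighbour discovery, so it
        # must not be dropped wholesale; a tighter per-type list is possible
        # for ICMPv4 if wanted.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # SSH (open to any source; only the generic limits above apply)
        tcp dport ssh accept

        # ARK
        udp dport { 7777, 7778, 27015 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Don't waste resources responding to blocked IPs.
        # Locally generated packets towards a blackholed address are
        # rejected, so local processes get an error instead of a silent
        # timeout.
        ip daddr @blackhole_ipv4 reject
        ip6 daddr @blackhole_ipv6 reject
    }
}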