#!/usr/sbin/nft -f

flush ruleset

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iif eth0 tcp dport ${env['ports']['syncthing_relaysrv']} redirect to :22067
        iif eth0 tcp dport 25 redirect to :${env['ports']['mailserver_smtp']}
        iif eth0 tcp dport 465 redirect to :${env['ports']['mailserver_smtps']}
        iif eth0 tcp dport 993 redirect to :${env['ports']['mailserver_imaps']}
    }
}

table inet filter {
	set blackhole_ipv4 {
	  type ipv4_addr
	  timeout 30s
	  flags dynamic
	}

	set blackhole_ipv6 {
	  type ipv6_addr
	  timeout 30s
	  flags dynamic
	}

	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		
		# Block all IPs in blackhole
		ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop
		ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop

		ct state invalid drop
		ct state { established, related } accept
	
		<%text>
		# Prevent DDoS
		# Rate limiting
		meta nfproto ipv4 meter ratelimit4 \
			{ ip saddr limit rate over 75/second burst 15 packets } \
			add @blackhole_ipv4 { ip saddr } counter
		meta nfproto ipv6 meter ratelimit6 \
			{ ip6 saddr limit rate over 75/second burst 15 packets } \
			add @blackhole_ipv6 { ip6 saddr } counter
		# Max concurrent connections
		meta nfproto ipv4 meter connlimit4 \
			{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } counter
		meta nfproto ipv6 meter connlimit6 \
			{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } counter
		</%text>

		# Allow ICMP
		meta l4proto icmp accept
		meta l4proto ipv6-icmp accept

		# HTTP/S
		tcp dport { http, https } accept

		# SSH
		tcp dport ssh accept

		# SMTP/IMAP
		tcp dport { ${env['ports']['mailserver_smtp']}, ${env['ports']['mailserver_smtps']}, ${env['ports']['mailserver_imaps']} } accept

		# Syncthing
		tcp dport { ${env['ports']['syncthing_tcp']}, 22067 } accept
		udp dport ${env['ports']['syncthing_udp']} accept

		# Coturn
		tcp dport { ${env['ports']['coturn_listening']}, ${env['ports']['coturn_tls_listening']} } accept
		udp dport { ${env['ports']['coturn_listening']}, ${env['ports']['coturn_tls_listening']}, ${env['ports']['coturn_relay_min']}-${env['ports']['coturn_relay_max']} } accept

	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	
	chain output {
		type filter hook output priority 0; policy accept;

		# Don't waste resources responding to blocked IPs
		ip daddr @blackhole_ipv4 reject
		ip6 daddr @blackhole_ipv6 reject
	}
}