#!/usr/sbin/nft -f

# Drop every existing table in every family before loading the rules below,
# so the running ruleset ends up exactly equal to this file (rules added by
# other tools are discarded as well).
flush ruleset

########### define useful variables here ######################

# Interface and per-service source allow-lists.
# All sets below contain ipv4 addresses only; "ip saddr" matches that use
# them therefore never accept ipv6 traffic.
define wan = eth0        # NOTE: currently not referenced by any rule in this file

define ssh_allow = {
    # host801 ipv4
    83.161.147.127/32,
    # host088 ipv4
    95.215.185.92/32,
    # host089 ipv4
    95.215.185.211/32,
    # nagios2 ipv4
    95.215.185.34/32,
    # ansible-hq
    95.215.185.235/32,
}

define snmp_allow = {
    # cacti ipv4
    95.215.185.31/32,
}

define nrpe_allow = {
    # nagios2 ipv4
    95.215.185.34/32,
}

########### here starts the automated bit #####################

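# Host firewall for both ipv4 and ipv6 (inet family).
# Input is default-deny; only the services listed below are reachable.
table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        # established/related connections
        ct state established,related accept
        ct state invalid drop

        # loopback interface: accepted before the icmp rate limit so local
        # ping traffic is never throttled by the rules below
        iifname lo accept

        # Limit ping requests (ipv4 and ipv6 echo-request).
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop

        # icmp (source-quench is deprecated by RFC 6633 but harmless to accept)
        ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
        # Without the nd-* ones ipv6 will not work.
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept

        # open tcp ports: sshd (22), restricted to the $ssh_allow sources.
        # $ssh_allow holds ipv4 addresses only, so ssh over ipv6 falls
        # through to the chain policy (drop), like snmp and nrpe below.
        ip saddr $ssh_allow tcp dport {ssh} accept

        # open udp ports: snmp (161), restricted to $snmp_allow
        ip saddr $snmp_allow udp dport {snmp} accept

        # open tcp ports: nrpe (5666), restricted to $nrpe_allow
        ip saddr $nrpe_allow tcp dport {nrpe} accept

        # open tcp ports: http (80,443), reachable from anywhere
        tcp dport {http,https} accept
    }
    chain forward {
        type filter hook forward priority 0;
        # No policy given, so nftables applies the base-chain default (accept).
        # If this host does not route, "policy drop;" closes that path.
    }
    chain output {
        type filter hook output priority 0;
        # No policy given: all outbound traffic is accepted.
    }
}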

# ipv4 nat table. Both chains are plain (non-base) chains: they declare no
# "type nat hook ..." line, so no packet is dispatched to them as written.
table ip nat {
    chain prerouting {
    }
    chain postrouting {
    }
}