From 0568890ed604c1c3e7520f8f6ed91be65674cabd Mon Sep 17 00:00:00 2001
From: 4bobus
Date: Mon, 23 Jun 2025 15:24:29 +0500
Subject: [PATCH] add nftables.confj

---
 files/hq-rtr/nftables.conf | 45 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100755 files/hq-rtr/nftables.conf

diff --git a/files/hq-rtr/nftables.conf b/files/hq-rtr/nftables.conf
new file mode 100755
index 0000000..ae4a670
--- /dev/null
+++ b/files/hq-rtr/nftables.conf
@@ -0,0 +1,45 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ log prefix "Dropped Input: " level debug
+ iif lo accept
+ ct state established,related accept
+ tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
+ udp dport { 53,123,500,4500,88,137 } accept
+ ip protocol icmp accept
+ ip protocol esp accept
+ ip protocol gre accept
+ ip protocol ospf accept
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ log prefix "Dropped forward: " level debug
+ iif lo accept
+ ct state established,related accept
+ tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
+ udp dport { 53,123,500,4500,88,137 } accept
+ ip protocol icmp accept
+ ip protocol esp accept
+ ip protocol gre accept
+ ip protocol ospf accept
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept
+ ip daddr 172.16.4.2 tcp dport 2024 dnat ip to 192.168.100.2:2024
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+
+ oif "ens18" ip saddr { 192.168.100.0/26, 192.168.10.0/28 } masquerade
+ }
+}
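Review bot: The `log prefix "Dropped Input: " level debug` line (and the forward chain's `log prefix "Dropped forward: " level debug`) is the first rule in its chain, ahead of every `accept`, so it logs every packet the chain sees — loopback and established traffic that is accepted a rule later included — under a misleading "Dropped" label and at a volume that will flood the journal on a router. Move each log line to the end of its chain, after the last `accept` and immediately before the implicit `policy drop`, and rate-limit it, e.g. `limit rate 10/second log prefix "Dropped Input: " level debug` as the final rule; a `ct state invalid drop` next to the `ct state established,related accept` line would also stop malformed packets from being evaluated against the port lists. Both chains match only `ip protocol icmp`, so if this `inet` table ever carries IPv6 the ICMPv6 neighbor-discovery traffic the links need would be dropped — `meta l4proto { icmp, ipv6-icmp } accept` covers both families. The forward chain accepts 22, 445, 139 and 88 from any interface to any destination with no `iif` or `ip saddr` restriction; if ens18 is the upstream interface, as the masquerade rule suggests, that exposes SMB and Kerberos on the inside networks to inbound traffic, and the `iif lo accept` in that chain never matches in a forward hook and can be removed.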