demo2026-1/files/br-rtr/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		log prefix "Dropped Input: " level debug
		iif lo accept
		ct state established,related accept
		tcp dport { 22,514,53,80,443,3015,445,139,88,2026,8080,2049 } accept
		udp dport { 53,123,500,4500,88,137,8080,2049 } accept
		ip protocol icmp accept
		ip protocol esp accept
		ip protocol gre accept
		ip protocol ospf accept
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		log prefix "Dropped forward: " level debug
		iif lo accept
		ct state established,related accept
		tcp dport { 22,514,53,80,443,3015,445,139,88,2026,8080,2049 } accept
		udp dport { 53,123,500,4500,88,137,8080,2049 } accept
		ip protocol icmp accept
		ip protocol esp accept
		ip protocol gre accept
		ip protocol ospf accept
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

table inet nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept
		ip daddr 172.16.2.2 tcp dport 2026 dnat ip to 192.168.200.2:2026
		ip daddr 172.16.2.2 tcp dport 8080 dnat ip to 192.168.200.2:8080
	}
	chain postrouting {
		type nat hook postrouting priority srcnat
		oif "ens18" ip saddr { 192.168.200.0/28 } masquerade
	}
}