#!/usr/sbin/nft -f
# Name: K4YT3X Vagrant nftables Script
# Author: K4YT3X
# Date Created: October 13, 2020
# Last Updated: October 20, 2020

# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
#   available at: https://www.gnu.org/licenses/gpl-3.0.txt
# (C) 2020-2021 K4YT3X

# flush all existing rules
flush ruleset

# TCP ports to accept (both IPv4 and IPv6)
#define ACCEPT_TCP_PORTS = {}

# UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = {}

# IPv4 filter table
table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept
		ct state established,related accept

		# accept user-defined ports
		#tcp dport $ACCEPT_TCP_PORTS accept
		#udp dport $ACCEPT_UDP_PORTS accept

		# allow necessary ICMP types for debugging
		icmp type {
			echo-request,
			destination-unreachable,
			time-exceeded,
			parameter-problem
		} accept

		# DHCP
		udp sport 67 udp dport 68

		# Bonjour/mDNS
		#ip daddr 224.0.0.251 udp dport 5353

		# UPNP
		#ip daddr 239.255.255.250 udp dport 1900 accept
	}

	chain output {
		type filter hook output priority 0; policy accept;
		oifname "lo" accept
		ct state related,established accept
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}
}

# IPv4 NAT table
table ip nat {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
	}

	chain input {
		type nat hook input priority 100; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
	}

	chain output {
		type nat hook output priority -100; policy accept;
	}
}

# IPv6 filter table
table ip6 filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept
		rt type 0 drop
		ct state established,related accept
		ct state invalid drop

		# accept user-defined ports
		#tcp dport $ACCEPT_TCP_PORTS accept
		#udp dport $ACCEPT_UDP_PORTS accept

		# DHCPv6
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept

		# Bonjour/mDNS
		#ip6 daddr ff02::fb udp dport 5353 accept

		# UPNP
		#ip6 daddr ff02::f udp dport 1900 accept

		# allow necessary ICMP packets in compliance with RFC4890
		jump rfc4890
	}

	chain output {
		type filter hook output priority 0; policy accept;
		oifname "lo" accept
		rt type 0 drop
		ct state related,established accept

		# allow necessary ICMP packets in compliance with RFC4890
		jump rfc4890
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}


	# ICMPv6 filtering rules must comply with RFC4890
	# https://tools.ietf.org/html/rfc4890
	# https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template
	chain rfc4890 {
		# allow basic IPv6 functionality
		ip6 nexthdr icmpv6 icmpv6 type {{
			destination-unreachable,
			packet-too-big,
			time-exceeded,
			parameter-problem,
			echo-request,
			echo-reply
		}} accept;

		# allow auto configuration support
		ip6 nexthdr icmpv6 icmpv6 type {{
			nd-neighbor-solicit,
			nd-neighbor-advert,
			nd-router-advert,
			nd-router-solicit
		}} ip6 hoplimit 255 accept;

		# allow multicast listener discovery on link-local addresses
		ip6 nexthdr icmpv6 icmpv6 type {{
			mld-listener-query,
			mld-listener-report,
			mld-listener-reduction
		}} ip6 saddr fe80::/10 accept;

		# allow multicast router discovery messages on link-local addresses (hop limit 1)
		ip6 nexthdr icmpv6 icmpv6 type {{
			nd-router-advert,
			nd-router-solicit
		}} ip6 hoplimit 1 ip6 saddr fe80::/10 accept;

		# return to the original chain
		return
	}
}