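#!/usr/sbin/nft -f

# Host firewall: default-deny inbound filtering for IPv4 and IPv6, plus source
# NAT for the 10.64.32.0/24 network leaving through wlp58s0.
#
# NOTE(review): no chain in this file hooks "forward", so routed traffic
# (including whatever is masqueraded below) is not filtered by this ruleset.
# Add a forward chain with an explicit policy if forwarding should be limited.

# Start from an empty ruleset so reloading this file is idempotent.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif lo accept

        # Let reply traffic through and discard packets conntrack considers
        # invalid before any per-port decision is made.
        # NOTE(review): "untracked: accept" lets packets that connection
        # tracking does not track skip the per-port chains below. Confirm this
        # is intended, especially if notrack rules are ever added.
        ct state vmap {
            established: accept,
            related: accept,
            untracked: accept,
            invalid: drop
        }

        # Dispatch new traffic by transport protocol. All ICMP and ICMPv6
        # types are accepted; TCP and UDP go to their per-port chains.
        meta l4proto vmap {
            icmp: accept,
            icmpv6: accept,
            tcp: jump tcp_input,
            udp: jump udp_input
        }

        # Anything that returned from a per-port chain without a verdict, or
        # any other protocol, is actively rejected rather than silently
        # dropped by the chain policy.
        reject
    }

    chain tcp_input {
        # Inbound TCP services, reachable from every interface and source.
        # NOTE(review): the file does not say what these ports serve. 22 is
        # conventionally SSH; 8384 and 9090 are commonly web admin interfaces.
        # Confirm each one must be reachable from all networks, otherwise
        # restrict it by iifname or source address.
        tcp dport { 22, 22000, 8384, 9090, 4001 } accept
    }

    chain udp_input {
        # DHCP server port, only from the named interface.
        # NOTE(review): iifname without a wildcard matches the name exactly.
        # If the bridge is really called e.g. lxcbr0 this rule never matches;
        # use the full name or "lxcbr*". Confirm against the host.
        iifname lxcbr udp dport 67 accept

        # Inbound UDP services, reachable from every interface and source.
        udp dport { 21027, 33445 } accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;

        # Source-NAT the 10.64.32.0/24 network when it leaves via wlp58s0.
        # Matched with oifname rather than oif: oif is resolved to an
        # interface index when the file is loaded, so if wlp58s0 does not
        # exist yet (e.g. early boot, driver not loaded) nft rejects the whole
        # file and none of the filter rules above are applied either.
        # oifname compares the name per packet, so the load cannot fail that
        # way and the rule keeps working if the interface is re-created.
        oifname "wlp58s0" ip saddr 10.64.32.0/24 masquerade
    }
}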