#!/sbin/nft -f
# Host firewall plus VPN gateway ruleset, loaded with `nft -f`.
# `flush ruleset` replaces the whole live ruleset, so every rule the host
# needs must be present in this file.
flush ruleset

table inet filter {
    # Services opened for *new* TCP connections. Only reached through the
    # `ct state new jump TCP` rules in chain input; a packet that matches
    # nothing here returns to the caller and ends at its final reject.
    chain TCP {
        tcp dport ssh accept
        tcp dport { http, https } accept
        tcp dport 6881 accept comment "deluge"
    }

    # Same for new UDP flows (51820 is the WireGuard listen port).
    chain UDP {
        udp dport 6881 accept comment "deluge"
        udp dport 51820 accept comment "wireguard"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # Conntrack triage first: malformed/unknown packets are dropped,
        # packets belonging to an existing flow are accepted.
        ct state invalid drop
        ct state established,related accept
        # Loopback and the VPN interface are fully trusted on input.
        iifname { "lo", "wg0" } accept
        ip protocol icmp accept
        ip protocol udp ct state new jump UDP
        ip protocol tcp ct state new jump TCP
        # ICMPv6 is left open; neighbour discovery and PMTUD depend on it.
        ip6 nexthdr ipv6-icmp accept
        # NOTE(review): `ip6 nexthdr` matches the immediate next header only;
        # TCP/UDP behind IPv6 extension headers is not dispatched and ends
        # at the final reject below — confirm that is acceptable.
        ip6 nexthdr udp ct state new jump UDP
        ip6 nexthdr tcp ct state new jump TCP
        # Unqualified reject answers every protocol with an ICMP/ICMPv6
        # unreachable (no TCP reset); `policy drop` is only a backstop.
        reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Anything entering on the VPN may be forwarded to any destination;
        # there is no per-peer or per-destination restriction.
        iifname "wg0" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        # VPN clients leave with the host's public IPv4 address.
        # NOTE(review): there is no oifname match, so traffic forwarded back
        # out wg0 (peer-to-peer) is rewritten as well — confirm intended.
        ip saddr 10.8.0.0/24 snat to 176.31.253.45
    }
}

table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        # Same for the VPN's ULA prefix; the oifname NOTE above applies here too.
        ip6 saddr fd42:42:42::/64 snat to 2001:41d0:8:e2d::1
    }
}