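#!/usr/sbin/nft -f
# Two-interface forwarding firewall: enp0s3 faces the internal network,
# enp0s8 faces the external network. `flush ruleset` makes the load atomic:
# everything below replaces the currently active ruleset.
flush ruleset

# Interface names. `iif`/`oif` below resolve these to interface indexes at load
# time, so loading fails if either interface does not exist yet. Switch to
# `iifname`/`oifname` if the interfaces may appear after the ruleset is loaded.
define iface_intern = enp0s3
define iface_extern = enp0s8

table inet filter {

    # Packets addressed to the firewall host itself.
    chain input {
        type filter hook input priority 0; policy drop;
        # Discard conntrack-invalid packets before the established/related
        # shortcut so malformed or out-of-window segments never ride on a flow.
        ct state invalid counter drop
        iif lo accept
        ct state established,related counter accept
        # NOTE(review): nothing else is accepted towards the host. In an `inet`
        # table this also drops ICMPv6 neighbor discovery; if the firewall uses
        # IPv6 on either interface add
        # `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept`.
    }

    # Packets originated by the firewall host itself: unrestricted.
    chain output {
        type filter hook output priority 0; policy drop;
        counter accept comment "Allow all outbound traffic for FW"
    }

    # Site-wide deny list, evaluated for every new forwarded packet before the
    # per-interface chains. Currently only counts; put explicit `drop` rules here.
    chain global_deny {
        counter
    }

    # Site-wide allow list, evaluated for every new forwarded packet.
    # SECURITY: this runs BEFORE the per-interface dispatch, so IPv4 echo-request
    # is forwarded in both directions, including external -> internal, even
    # though from_extern drops everything. Move this rule into from_intern if
    # inbound ping should not be allowed. `icmp` matches IPv4 only; IPv6 echo
    # requests are not covered by this rule.
    chain global_accept {
        icmp type echo-request counter accept
    }

    # Forward stage 1: global policy, then dispatch on the ingress interface.
    chain forward_traffic_in {
        type filter hook forward priority 0; policy drop;
        ct state invalid counter drop
        ct state established,related counter accept comment "Accept already allowed traffic"
        jump global_deny
        jump global_accept
        iif $iface_intern counter goto from_intern
        iif $iface_extern counter goto from_extern
        # Rate-limited logging: an unbounded `log` on a drop rule lets an
        # attacker fill the kernel log; the drop itself stays unconditional.
        limit rate 10/minute burst 20 packets log prefix "DROP forward_traffic_in "
        counter drop
    }

    # Forward stage 2: dispatch on the egress interface.
    # Hooked into the forward path at a later priority so every packet that
    # passed stage 1 is also checked here. As a plain chain that no rule jumped
    # to, this chain -- and with it into_intern/into_extern -- was never
    # evaluated. NOTE(review): with the current into_* chains accepting all,
    # this adds no restriction; it only makes the egress chains live.
    chain forward_traffic_out {
        type filter hook forward priority 10; policy drop;
        oif $iface_intern counter goto into_intern
        oif $iface_extern counter goto into_extern
        limit rate 10/minute burst 20 packets log prefix "DROP forward_traffic_out "
        counter drop
    }

    # New flows entering from the internal network. Everything is denied here;
    # add `accept` rules above the drop to permit outbound services.
    chain from_intern {
        limit rate 10/minute burst 20 packets log prefix "DROP from_intern "
        counter drop
    }

    # Flows leaving towards the internal network: all accepted. The log/drop
    # pair is unreachable today and only matters once restrictions are added above.
    chain into_intern {
        counter accept
        limit rate 10/minute burst 20 packets log prefix "DROP into_intern "
        counter drop
    }

    # New flows entering from the external network: all denied (except what
    # global_accept already let through).
    chain from_extern {
        limit rate 10/minute burst 20 packets log prefix "DROP from_extern "
        counter drop
    }

    # Flows leaving towards the external network: all accepted. The log/drop
    # pair is unreachable today and only matters once restrictions are added above.
    chain into_extern {
        counter accept
        limit rate 10/minute burst 20 packets log prefix "DROP into_extern "
        counter drop
    }
}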