templates/nftables.conf.j2

#!/usr/sbin/nft -f
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}

flush ruleset

# Primary rules
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # The basic rules to accept ICMP and established connection
    iif "lo" accept
    ip protocol icmp accept
    ct state established,related accept
    ct state invalid drop

    {% if "services" in netprep_nftables %}
    ## The service present on this server
    {% for item in netprep_nftables["services"] %}
    # For service {{ item["name"] }}
    iif "{{ netprep_nftables["external_if"] }}" {{ item["protocol"] }} dport {{ item["port"]}} accept
    {% endfor %}
    {% endif %}

    # Allow SSH on all interfaces
    tcp dport ssh accept

    {% if "allow_subnets" in netprep_nftables %}
    # The ingress traffic restriction of internal networks
      {% for item in netprep_nftables["allow_subnets"] %}
    iif "{{ netprep_nftables["internal_if"] }}" ip saddr {{ item }} accept
      {% endfor %}
    {% endif %}
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "{{ netprep_nftables["internal_if"] }}" masquerade;
    {% if "ue_routing" in netprep_nftables %}
    {% for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] %}
      {% for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
    ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
      {% endfor %}
    {% endfor %}

    {% endif %}
  }
}