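#!/usr/sbin/nft -f
# /etc/nftables.conf
#
# Router ruleset:
#   - table inet filter : stateful input filter for the router itself and a
#                         forward policy between the 192.168.1-6.0/24 subnets
#                         and the WAN interface
#   - table ip proxy    : transparent TCP redirects for two LAN hosts to local
#                         proxy ports
#   - table ip nat      : source NAT (masquerade) towards the WAN
#
# The NAT and proxy tables are IPv4-only ("ip" family). The filter table is
# "inet", so IPv6 packets also traverse its chains and are dropped by the
# policy because no ICMPv6/NDP rules exist -- fine as long as IPv6 is unused
# on this router (NOTE(review): confirm).

flush ruleset

# Interfaces and local proxy ports
define LAN_IF   = "eth0"
define WAN_IF   = "enx0"
define TOR_PORT = 9040    # local listener the Tor redirect targets
define MULLVAD  = 1080    # local proxy port for 192.168.3.11 web traffic

# ---------------------------------------------------------------------------
# Filter table
# ---------------------------------------------------------------------------
table inet filter {

    # Addresses that currently hold a DHCP lease. Nothing in this file adds
    # entries; they are expected to come from an external hook and expire
    # after 25h. The set has to be defined in THIS table: a set can only be
    # referenced (@dhcp_leases) by rules of the table that declares it, so
    # the former stand-alone "table ip dhcp" made the forward rule below
    # fail to load. Whatever populates the set must now target
    # "inet filter dhcp_leases".
    set dhcp_leases {
        type ipv4_addr
        flags dynamic,timeout
        timeout 25h
    }

    # Packets addressed to the router itself
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback
        iif lo accept

        # Replies to sessions the router (or a forwarded host) opened
        ct state established,related accept

        # DHCP server and DNS are LAN-only services: never answer them on the
        # WAN interface (an unrestricted "udp dport 53 accept" would expose a
        # local resolver to the internet).
        iif != $WAN_IF udp dport 67 accept
        iif != $WAN_IF udp dport 53 accept
        iif != $WAN_IF tcp dport 53 accept

        # DHCP client port, left open on every interface -- presumably the
        # router obtains its own WAN address via DHCP (NOTE(review): confirm).
        udp dport 68 accept

        # TCP sessions redirected by "table ip proxy" reach this chain with the
        # local proxy port as destination; without these accepts the drop
        # policy would silently discard every redirected connection.
        ip saddr 192.168.3.10 tcp dport $TOR_PORT accept
        ip saddr 192.168.3.11 tcp dport $MULLVAD accept

        # ICMP: dropped when it comes from 192.168.6.0/24, accepted from
        # everywhere else (including the WAN, which PMTU discovery relies on).
        ip protocol icmp ip saddr 192.168.6.0/24 drop
        ip protocol icmp accept

        # Rate-limited logging of everything else, then the policy drop
        limit rate 5/second burst 10 log prefix "INPUT_DROP: " level info
        drop
    }

    # Packets routed between interfaces
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic of already accepted sessions
        ct state established,related accept

        # Anti-spoofing: a packet arriving on the WAN must not claim a LAN
        # source, otherwise it could match the LAN-source accepts below.
        # Narrow the prefix if the upstream network itself uses 192.168.0.0/16.
        iif $WAN_IF ip saddr 192.168.0.0/16 drop

        # New sessions from hosts that hold a DHCP lease (see set above)
        ip saddr @dhcp_leases ct state new accept

        # Static inter-subnet policy
        ip saddr 192.168.1.0/24 ip daddr 192.168.4.0/24 accept
        ip saddr 192.168.2.0/24 ip daddr 192.168.1.0/24 accept
        ip saddr 192.168.3.0/24 accept
        ip saddr 192.168.4.0/24 ip daddr 192.168.4.0/24 accept
        ip saddr 192.168.5.0/24 accept
        # 192.168.6.0/24 may only leave towards the WAN
        ip saddr 192.168.6.0/24 oif $WAN_IF accept

        # Rate-limited logging of everything else, then the policy drop
        limit rate 5/second burst 10 log prefix "FORWARD_DROP: " level info
        drop
    }
}

# ---------------------------------------------------------------------------
# Transparent proxying (Tor / Mullvad proxy ports)
# ---------------------------------------------------------------------------
# Both this chain and the empty prerouting chain of "table ip nat" register
# on the NAT prerouting hook at priority 0; their relative order is not fixed
# by priority, which is harmless only while that other chain stays empty.
table ip proxy {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;

        # Every TCP connection from 192.168.3.10 (any destination port) is
        # redirected to the local Tor listener. "meta l4proto tcp" is the
        # explicit protocol match; a bare "tcp" keyword is not a complete
        # match expression on its own.
        ip saddr 192.168.3.10 meta l4proto tcp redirect to :$TOR_PORT

        # HTTP/HTTPS from 192.168.3.11 goes to the local Mullvad proxy port
        ip saddr 192.168.3.11 tcp dport { 80, 443 } redirect to :$MULLVAD
    }
}

# ---------------------------------------------------------------------------
# NAT table
# ---------------------------------------------------------------------------
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Source NAT for the subnets that reach the internet through the WAN.
        # 192.168.3.0/24 and 192.168.4.0/24 are not masqueraded here --
        # presumably they leave through another path (NOTE(review): confirm,
        # otherwise their WAN-bound traffic goes out with a private source).
        ip saddr 192.168.1.0/24 oif $WAN_IF masquerade
        ip saddr 192.168.2.0/24 oif $WAN_IF masquerade
        ip saddr 192.168.5.0/24 oif $WAN_IF masquerade
        ip saddr 192.168.6.0/24 oif $WAN_IF masquerade
    }
}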