My LAN interfaces are ens3/ens8/ens9.
The VPN tunnel is set up using OpenVPN and gets the device tun0.
nftables config file /etc/nftables.conf (do not forget to enable the nftables service):
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept   # replies to connections the router opened
        ct state invalid drop
        iifname lo accept
        iifname ens3 accept                         # LAN side is trusted
        iifname ens8 accept
        iifname ens9 accept
        ip protocol icmp accept                     # IPv4 ICMP only; ICMPv6 is not matched here
        tcp dport 22 accept comment "SSH in"        # matches on every interface, tun0 included
        tcp dport 80 accept comment "HTTP in"
        tcp dport 443 accept comment "HTTPS in"
        reject                                      # everything else gets an ICMP error back
    }
    chain forward {
        type filter hook forward priority 0;        # no policy given, so unmatched traffic defaults to accept
        oifname tun0 accept                         # LAN -> VPN
        iifname tun0 ct state { established, related } accept   # VPN -> LAN only for existing connections
        iifname tun0 drop                           # no new connections from the VPN side
    }
    chain output {
        type filter hook output priority 0;
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname tun0 masquerade                     # source NAT LAN traffic to the tunnel address
    }
}
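A static check of the ruleset before it is loaded, as an added example that is not part of the original post: it reads the nft text with a small regex parser and flags the points that matter for a VPN router, namely the forward chain having no explicit policy, the tun0 ct-state accept coming before the tun0 drop, and masquerade being limited to tun0. The embedded config is a constructed excerpt of the ruleset above.

```python
# Added example (not from the original post): static sanity checks on the
# router ruleset above before it is loaded, using a small regex reader.
import re
# Constructed excerpt of the post's ruleset (tun0 = VPN, ens* = LAN side).
CONFIG = """\
table inet filter {
    chain forward {
        type filter hook forward priority 0;
        oifname tun0 accept
        iifname tun0 ct state { established, related } accept
        iifname tun0 drop
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname tun0 masquerade
    }
}
"""

def parse_ruleset(text):
    # Map (table, chain) -> {"policy": str or None, "rules": [rule, ...]}
    chains, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"table (\S+ \S+) \{", line):
            table = m.group(1)
        elif m := re.match(r"chain (\S+) \{", line):
            chain = (table, m.group(1))
            chains[chain] = {"policy": None, "rules": []}
        elif line.startswith("type "):  # base chain header; policy is optional
            m = re.search(r"policy (\w+)", line)
            chains[chain]["policy"] = m.group(1) if m else None
        elif line and line != "}" and chain:
            chains[chain]["rules"].append(line)
    return chains

def audit(chains):
    # Flag the mistakes that would silently expose LAN hosts over the tunnel
    findings = []
    fwd = chains[("inet filter", "forward")]
    if fwd["policy"] != "drop":  # nftables base chains default to accept
        findings.append("forward: no explicit policy, unmatched packets are forwarded")
    rules = fwd["rules"]
    acc = [i for i, r in enumerate(rules) if r.startswith("iifname tun0 ct state")]
    drp = [i for i, r in enumerate(rules) if r == "iifname tun0 drop"]
    if not acc or not drp or acc[0] > drp[0]:  # order matters: first match wins
        findings.append("forward: tun0 ct-state accept must precede 'iifname tun0 drop'")
    for r in chains[("ip nat", "postrouting")]["rules"]:
        if "masquerade" in r and not r.startswith("oifname tun0"):
            findings.append(f"nat: masquerade not limited to tun0: {r}")
    return findings
```

Running `audit(parse_ruleset(CONFIG))` on the excerpt reports only the missing forward policy; adding `policy drop;` to the forward chain header clears it.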