#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                tcp flags != syn / fin,syn,rst,ack ct state new counter drop
                tcp flags fin,syn,rst,psh,ack,urg / fin,syn,rst,psh,ack,urg counter drop
                tcp flags ! fin,syn,rst,psh,ack,urg counter drop
                ct state invalid counter drop
                ct state established,related counter accept
                iifname "lo" counter accept
                ip saddr { 10.10.10.0/24, 37.187.73.124, 94.130.143.81, 116.202.209.243, 176.9.149.182, 178.150.69.156, 193.123.36.107 } accept
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state invalid counter drop
                ct state established,related counter accept
                iifname "vmbr1" oifname "vmbr0" counter accept
                tcp dport 22 counter accept
                tcp dport 8007 counter accept
                udp dport 3319 counter accept

        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority filter; policy accept;
                oifname "vmbr0" ip saddr 10.10.10.0/24 counter masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority filter; policy accept;
                iif "vmbr0" udp dport 3319 dnat to 10.10.10.2:3319
                iif "vmbr0" ip saddr {94.130.222.29,88.99.245.49 } tcp dport 8007 counter dnat to 10.10.10.254:8007
             
        }
}