#!/usr/sbin/nft -f
flush ruleset
table inet filter {

# Доверенные IP: lesnoy 178.150.69.156, vpn.diol 95.216.229.41, pbs.mlp.pp.ua 95.217.87.245
# oracle.mlp.pp.ua  193.123.36.107,129.151.237.120, Dima 37.187.95.231, 
# Diol office 194.62.137.238,212.26.133.106, Spetscontrsact: 212.26.135.6, Giaroom 65.21.29.93
# Eneko 138.201.250.74, Aktive-alians 195.201.9.226
set trusted_ips {
    type ipv4_addr;
    flags interval;
    elements = {
        178.150.69.156, 95.216.229.41, 193.123.36.107, 129.151.237.120, 95.217.87.245, 192.168.18.0/24,
        62.80.161.178, 94.130.143.81, 116.202.209.243, 168.119.212.183, 138.201.250.74, 195.201.9.226,
        194.62.137.238, 212.26.133.106, 37.187.95.231, 212.26.135.6, 65.21.29.93
    }
}

	chain input {
		type filter hook input priority filter; policy drop;

		# 🔒 Защита от пустых TCP-пакетов (NULL scan и др.)
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0 counter drop comment "Drop malformed TCP packets"

		# ❌ Отбросить недопустимые соединения
		ct state invalid counter drop comment "Drop invalid connections"

		# ✅ Разрешить установленные и связанные соединения
		ct state established,related accept comment "Accept established and related connections"

		# ✅ Разрешить loopback
		iifname "lo" counter accept comment "Accept loopback interface"

# ✅ Доступ с доверенных IP: 
        ip saddr @trusted_ips tcp dport {22, 8006} counter accept comment "SSH и Proxmox Web"
# ✅ Страховка
	ip saddr {178.150.69.156, 65.21.29.93, 138.201.250.74} tcp dport { 22, 2222, 8006 } counter accept
	ip protocol icmp accept comment "Allow ICMP (ping, etc.)"

	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid counter drop
		ct state established,related  accept

		iifname "vmbr1" oifname "vmbr0" accept comment "Forward Lan MTIR to Internet"
		ip protocol udp udp dport {1194, 51820} accept comment "Allow VPN protocols"
		ip protocol tcp tcp dport {22, 80, 443, 3389, 8007} accept comment "Allow TCP services"
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority filter; policy accept;
		
		oifname "vmbr0" ip saddr 192.168.18.0/24 counter masquerade comment "Lan MTIR"
	
	}

	chain PREROUTING {
		type nat hook prerouting priority filter; policy accept;
		
		iif "vmbr0" udp dport 1194       dnat to 192.168.18.4 comment "OpenVPN"
		iif "vmbr0" tcp dport {80, 443}  dnat to 172.23.90.3 comment "Web" 
		iif "vmbr0" ip saddr 95.217.87.245 tcp dport 8001 dnat to 172.23.90.254:8007 comment  "PBS rezerv from pbs.mlp.pp.ua"

	}
}