initial commit

templates/nftables.conf.in

@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+table inet fw_static {
+
+  chain input {
+    type filter hook input priority 0;
+    policy drop;
+
+    iif "lo" accept
+    ct state established,related accept
+
+    # Public: ICMP (optional)
+$ICMP_PUBLIC_IN_RULES
+
+    # Public: SSH IN (optional)
+$SSH_PUBLIC_IN_RULE
+
+    # Private network (in)
+    iif "$PRIV_IF" ip saddr $PRIV_NET accept
+  }
+
+  chain output {
+    type filter hook output priority 0;
+    policy drop;
+
+    oif "lo" accept
+    ct state established,related accept
+
+   # Public: ICMP (optional)
+$ICMP_PUBLIC_OUT_RULES
+
+    # Public: APT OUT (optional) - includes DNS + HTTP/HTTPS
+$APT_PUBLIC_OUT_RULES
+
+    # Private network (out)
+    oif "$PRIV_IF" ip daddr $PRIV_NET accept
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    policy drop;
+  }
+}