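#!/usr/bin/nft -f
# /etc/nftables.conf
#
# Host firewall (inet family = IPv4 + IPv6) plus IPv4 masquerading for
# traffic leaving via wlan0. Load with: nft -f /etc/nftables.conf

# Start from a clean slate so re-applying this file replaces the live
# ruleset instead of failing on existing tables or appending duplicates.
flush ruleset

table inet filter {
    chain input {
        # Explicit default policy: anything not matched below is dropped.
        # Without `policy drop` a base chain defaults to accept, so any
        # packet the final reject rule does not match would be let in.
        type filter hook input priority 0; policy drop;

        # allow established/related connections
        ct state { established, related } counter accept

        # early drop of invalid connections
        ct state invalid counter drop

        # allow from loopback
        iifname "lo" counter accept

        # allow icmp (ICMPv6 is also needed for neighbour discovery / PMTUD);
        # meta l4proto matches even when IPv6 extension headers are present,
        # where `ip6 nexthdr` would not
        meta l4proto icmp counter accept
        meta l4proto ipv6-icmp counter accept

        # allow ssh (disabled; uncomment to permit remote administration)
        # tcp dport ssh counter accept

        # everything else: `icmpx` is the family-agnostic reject for an inet
        # table - plain `icmp type` only applies to IPv4 packets, so IPv6
        # would skip this rule and fall through to the chain policy.
        counter reject with icmpx type port-unreachable
    }

    chain forward {
        # NOTE(review): no policy is set, so forwarded traffic is accepted by
        # default. The original `# drop` comment suggests `policy drop;` plus
        # explicit accept rules for the masqueraded wlan0 path was intended -
        # confirm before tightening.
        type filter hook forward priority 0;
    }

    chain output {
        # outbound traffic from this host is unrestricted (default accept)
        type filter hook output priority 0;
    }
}

table ip nat {
    chain prerouting {
        # no DNAT rules; chain is registered so the hook is in place
        type nat hook prerouting priority 0;
    }

    chain postrouting {
        type nat hook postrouting priority 0;
        # source-NAT everything leaving via wlan0 to that interface's address
        oifname "wlan0" counter masquerade
    }
}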