#!/usr/sbin/nft -f

# Please replace ens33 to interface name of your device 
define int_if = ens33

# If there are multiple net interface, example:
# define int_if = {ens33, ens36}

flush ruleset

table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy drop;
		iifname "lo" counter packets 0 bytes 0 accept
		ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
		ip protocol tcp ct state established counter packets 0 bytes 0 accept
		ip protocol udp ct state established counter packets 0 bytes 0 accept
		ip protocol icmp ct state established counter packets 0 bytes 0 accept
		ip protocol icmp ct state related counter packets 0 bytes 0 accept
		limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-IN-ILL-TARGET " flags tcp options flags ip options
		iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Drop Syn"
		iifname $int_if tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 0 bytes 0 drop
		iifname $int_if ip frag-off & 8191 != 0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fragments Packets"
		iifname $int_if ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "NULL Packets"
		iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | syn) == fin | syn limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "XMAS Packets"
		iifname $int_if tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | ack) == fin limit rate 5/minute burst 7 packets counter packets 0 bytes 0 log prefix "Fin Packets Scan"
		iifname $int_if tcp flags & (fin | ack) == fin counter packets 0 bytes 0 drop
		iifname $int_if tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack | urg counter packets 0 bytes 0 drop
		iifname $int_if tcp dport 137-139 counter packets 0 bytes 0 reject
		iifname $int_if udp dport 137-139 counter packets 0 bytes 0 reject
		icmp type source-quench counter packets 0 bytes 0 accept
		tcp dport ssh ct state new counter packets 0 bytes 0 accept
		udp dport ntp ct state new counter packets 0 bytes 0 accept
		udp dport bootpc ct state new counter packets 0 bytes 0 accept
		tcp dport http ct state new counter packets 0 bytes 0 accept
		icmp type echo-request ct state established,related,new counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 log
		counter packets 0 bytes 0 drop
	}

	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		limit rate 3/minute counter packets 0 bytes 0 log prefix "SFW2-FWD-ILL-ROUTING " flags tcp options flags ip options
		counter packets 0 bytes 0 log
	}

	chain OUTPUT {
		type filter hook output priority 0; policy drop;
		oifname "lo" counter packets 0 bytes 0 accept
		ip protocol tcp ct state established,new counter packets 0 bytes 0 accept
		ip protocol udp ct state established,new counter packets 0 bytes 0 accept
		ip protocol icmp ct state established,new counter packets 0 bytes 0 accept
		icmp type echo-request counter packets 0 bytes 0 accept
		icmp type echo-reply ct state established,related counter packets 0 bytes 0 accept
	}

	chain LOGDROP {
		counter packets 0 bytes 0 log
		counter packets 0 bytes 0 drop
	}
}


table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}