router/nftables

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		tcp dport 22 accept
		accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table ip io.systemd.nat {
	set masq_saddr {
		type ipv4_addr
		flags interval
		elements = { 10.0.0.0/24 }
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv4_addr . inet_service
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip saddr @masq_saddr masquerade
	}
}
table ip6 io.systemd.nat {
	set masq_saddr {
		type ipv6_addr
		flags interval
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv6_addr . inet_service
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip6 saddr @masq_saddr masquerade
	}
}
Basics are working 2021-07-09 17:21:45 -05:00			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority filter; policy accept;`
			`ct state { established, related } accept`
			`ct state invalid drop`
			`iifname "lo" accept`
			`ip protocol icmp accept`
			`meta l4proto ipv6-icmp accept`
			`tcp dport 22 accept`
			`accept`
			`}`

			`chain forward {`
			`type filter hook forward priority filter; policy accept;`
			`accept`
			`}`

			`chain output {`
			`type filter hook output priority filter; policy accept;`
			`}`
			`}`
			`table ip io.systemd.nat {`
			`set masq_saddr {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 10.0.0.0/24 }`
			`}`

			`map map_port_ipport {`
			`type inet_proto . inet_service : ipv4_addr . inet_service`
			`}`

			`chain prerouting {`
			`type nat hook prerouting priority dstnat + 1; policy accept;`
			`fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport`
			`}`

			`chain output {`
			`type nat hook output priority -99; policy accept;`
			`ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport`
			`}`

			`chain postrouting {`
			`type nat hook postrouting priority srcnat + 1; policy accept;`
			`ip saddr @masq_saddr masquerade`
			`}`
			`}`
			`table ip6 io.systemd.nat {`
			`set masq_saddr {`
			`type ipv6_addr`
			`flags interval`
			`}`

			`map map_port_ipport {`
			`type inet_proto . inet_service : ipv6_addr . inet_service`
			`}`

			`chain prerouting {`
			`type nat hook prerouting priority dstnat + 1; policy accept;`
			`fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport`
			`}`

			`chain output {`
			`type nat hook output priority -99; policy accept;`
			`ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport`
			`}`

			`chain postrouting {`
			`type nat hook postrouting priority srcnat + 1; policy accept;`
			`ip6 saddr @masq_saddr masquerade`
			`}`
			`}`