router/nftables.conf
Daniel Flanagan 20f1439af8 WIP
2022-01-31 16:44:36 -06:00


# Interface names: WAN is the upstream (untrusted) side, LAN the inside network.
define WAN = wan0
define LAN = lan0
# Ports the router itself answers on (used by `chain input` in `table inet filter`).
# 22/tcp: SSH. 546/udp: DHCPv6 client; 53/udp: DNS; 67/udp: DHCPv4 server.
define ROUTER_TCP_PORTS = { 22 }
define ROUTER_UDP_PORTS = { 546, 53, 67 }
# TCP ports forwarded from $WAN to 10.0.0.25 (see `table ip nat`).
# 80/443 are HTTP/HTTPS; 2222 and 2200 are not standard ports -- presumably
# alternate SSH-style services on that host, verify.
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
# The UDP sets are commented out, presumably because nft rejects an empty set
# literal; the UDP forwards in `table ip nat` use literal port ranges instead.
# define FACELESS_UDP_PORTS = { }
# TCP ports forwarded from $WAN to 10.0.0.10 (see `table ip nat`); 2221 is not a
# standard port.
define DRAGON_TCP_PORTS = { 2221 }
# define DRAGON_UDP_PORTS = { }
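# Host-bound and forwarded traffic for both IPv4 and IPv6 (inet family).
table inet filter {
	# Traffic addressed to the router itself.
	# The policy is now drop so the chain fails closed if a rule is removed;
	# the original used `policy accept` with a trailing unconditional `drop`.
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		ct state invalid drop
		ct state { established, related } accept
		# Both ICMP flavours in one rule. `meta l4proto` works for either
		# family in an inet table; the original also had `ip protocol icmpv6`,
		# which tests the IPv4 protocol field and so never matched anything
		# the `meta l4proto ipv6-icmp` rule did not already cover.
		meta l4proto { icmp, ipv6-icmp } accept
		# Router services. As in the original, SSH is reachable from every
		# interface including $WAN -- prefix with `iifname $LAN` if that is
		# not wanted.
		tcp dport $ROUTER_TCP_PORTS accept
		# DNS (53) and the DHCPv4 server (67) are LAN-facing services; the
		# original accepted them on any interface, which exposes them on the
		# WAN side, so they are limited to $LAN here.
		iifname $LAN udp dport $ROUTER_UDP_PORTS accept
		# DHCPv6 client replies arrive on 546 from the upstream side and may
		# not be covered by the established/related rule (the solicit is
		# sent to a multicast address), so 546 stays open on $WAN.
		iifname $WAN udp dport 546 accept
	}
	# Traffic routed between interfaces. The original was `policy accept` with
	# an unconditional `accept`, i.e. no filtering between WAN and LAN at all;
	# this makes it stateful: LAN may initiate, WAN only reaches flows that
	# `table ip nat` DNATed (port forwards) or replies to existing flows.
	# NOTE(review): this also blocks unsolicited inbound IPv6 to LAN hosts;
	# add explicit `iifname $WAN ... accept` rules for any that must be reachable.
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid drop
		ct state { established, related } accept
		# ICMPv6 must be forwarded for path-MTU discovery and error reporting.
		meta l4proto ipv6-icmp accept
		iifname $LAN accept
		iifname $WAN ct status dnat accept
	}
	# Locally generated traffic is unrestricted, as in the original.
	chain output {
		type filter hook output priority filter; policy accept;
	}
}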
# IPv4-only NAT: port forwards from the WAN to LAN hosts. The family is `ip`,
# so nothing in this table applies to IPv6.
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# Source-NAT packets leaving on the LAN side, so forwarded (DNATed) traffic
# appears to the LAN host to come from the router's LAN address. Outbound
# LAN->WAN masquerading is not done here; `table ip io.systemd.nat` below
# does it with `ip saddr @masq_saddr masquerade` (10.0.0.0/24).
# NOTE(review): confirm `$LAN` rather than `$WAN` is intended here.
oifname $LAN masquerade
}
chain prerouting {
# priority -100 equals `dstnat`, so this chain runs before the systemd table's
# `dstnat + 1` prerouting chain and these forwards take precedence over it.
type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
# Forwards to 10.0.0.25: TCP $FACELESS_TCP_PORTS and UDP 60000-60009.
# Only the inbound interface and port are matched, not the destination address.
iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.25
# iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.25
iifname $WAN udp dport 60000-60009 dnat to 10.0.0.25
# Forwards to 10.0.0.10: TCP $DRAGON_TCP_PORTS and UDP 60020-60029.
iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.10
# iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.10
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# Single forward of TCP 25565 (the Minecraft default port) to 10.0.0.244.
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
}
}
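# The original ip6 filter table was a broken copy of the IPv4 NAT rules: two
# `type nat hook postrouting` declarations plus a stray `prerouting` token
# inside `chain input`, a nat prerouting hook inside `chain forward`, and IPv4
# `dnat to 10.0.0.x` targets in an ip6 table. nft rejects that, which keeps
# the whole file from loading. IPv6 host and forward filtering is already done
# by `table inet filter` above, so the table is kept only as an empty
# placeholder (the name is preserved in case anything else references it);
# put ip6-only rules here when there are any.
table ip6 filter {
}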
# the following two blocks were generated by restarting systemd-networkd and
# dumping nftables
# nat ipv4 for lan
# NOTE(review): systemd-networkd creates and manages this table at runtime.
# Re-declaring it here means `nft -f` on this file appends duplicate rules into
# the live table unless the ruleset is flushed first (no `flush ruleset` appears
# in this view) -- consider leaving the table to networkd instead.
table ip io.systemd.nat {
# Source addresses to masquerade: the LAN subnet (used by postrouting below).
set masq_saddr {
type ipv4_addr
flags interval
elements = { 10.0.0.0/24 }
}
# proto . port -> addr . port. Dumped with no elements, so the two dnat rules
# below match nothing until something populates it (presumably systemd, e.g.
# nspawn port forwards -- verify).
map map_port_ipport {
type inet_proto . inet_service : ipv4_addr . inet_service
}
chain prerouting {
# dstnat + 1 == -99: runs just after the `table ip nat` prerouting chain (-100).
type nat hook prerouting priority dstnat + 1; policy accept;
# Only packets addressed to one of the router's own addresses are candidates.
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
# Same forwarding for locally generated packets routed via lo to a non-loopback
# local address.
ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
# srcnat + 1: runs just after the `table ip nat` postrouting chain (100).
type nat hook postrouting priority srcnat + 1; policy accept;
# LAN -> anywhere source NAT (this, not `table ip nat`, masquerades 10.0.0.0/24).
ip saddr @masq_saddr masquerade
}
}
# IPv6 counterpart of the systemd-managed NAT table above; the same caveat about
# duplicating rules into the live table on `nft -f` applies.
table ip6 io.systemd.nat {
# Dumped with no elements, so the masquerade rule below matches nothing.
set masq_saddr {
type ipv6_addr
flags interval
}
# proto . port -> addr . port; empty as dumped, so the dnat rules are no-ops
# until populated (presumably by systemd -- verify).
map map_port_ipport {
type inet_proto . inet_service : ipv6_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
# Only packets addressed to one of the router's own addresses are candidates.
fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
# Same forwarding for locally generated packets routed via lo to a local
# address other than ::1.
ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip6 saddr @masq_saddr masquerade
}
}