router/nftables

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		udp dport 546 accept
		udp dport 53 accept
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		tcp dport 22 accept
		accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table ip io.systemd.nat {
	set masq_saddr {
		type ipv4_addr
		flags interval
		elements = { 10.0.0.0/24 }
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv4_addr . inet_service
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip saddr @masq_saddr masquerade
	}
}
table ip6 io.systemd.nat {
	set masq_saddr {
		type ipv6_addr
		flags interval
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv6_addr . inet_service
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip6 saddr @masq_saddr masquerade
	}
}