nftables.conf

#!/usr/sbin/nft -f

flush ruleset

define BRIDGE_IPS = 10.0.0.0/24

table inet filter {
	set my_ip {
		type ipv4_addr
		flags interval
	}
	set vm_addr {
		type ether_addr
	}
	set blacklist4_ip {
		type ipv4_addr
		timeout 24h
	}
	set blacklist6_ip {
		type ipv6_addr
		timeout 24h
	}
	set whitelist4_ip {
		type ipv4_addr
		flags interval
		elements = { 10.0.0.0/24 }
	}
	set whitelist6_ip {
		type ipv6_addr
	}
	chain input {
		type filter hook input priority 0
		ip saddr @blacklist4_ip drop
		ip6 saddr @blacklist6_ip drop
		iif lo accept
		ip saddr @whitelist4_ip accept
		ip6 saddr @whitelist6_ip accept
		ether saddr @vm_addr iifname br0 accept
 		counter jump input_forward
		ip daddr 255.255.255.255 drop
		ip saddr 255.255.255.255 drop
		ct state {established,related} accept
		udp sport 67 udp dport 68 accept # accept DHCP response
		ip daddr 224.0.0.0/8 drop
		ip daddr 0.0.0.0 drop
		counter jump mark_and_drop
	}
	chain forward {
		type filter hook forward priority 0
		meta protocol ip6 drop
		ip daddr @blacklist4_ip ip saddr @blacklist4_ip drop
		ip6 daddr @blacklist6_ip ip6 saddr @blacklist6_ip drop
		ip saddr @whitelist4_ip  accept
		ip6 saddr @whitelist6_ip  accept
		counter jump input_forward
		ether saddr @vm_addr accept
		oifname br0 ip daddr $BRIDGE_IPS accept
		counter jump mark_and_drop
	}
	chain output {
		type filter hook output priority 0
		meta protocol ip6 drop
		oif lo accept
		ip daddr @blacklist4_ip drop
		ip6 daddr @blacklist6_ip drop
		ip daddr @whitelist4_ip accept
		ip6 daddr @whitelist6_ip accept
		ip saddr @my_ip accept
		ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept # accept DHCP request
		ip daddr 224.0.0.0/8 drop
		counter jump mark_and_drop
	}
	chain input_forward {
		ct state invalid counter jump mark_and_drop
		tcp dport 5500-5600 counter jump mark_and_drop
		ct state new tcp flags != syn counter jump mark_and_drop
		tcp flags {0xFF,0x00,0xF0} counter jump mark_and_drop
	}
	chain mark_and_drop {
		meta protocol ip set add ip saddr @blacklist4_ip
		meta protocol ip6 set add ip6 saddr @blacklist6_ip
		log prefix "FIREWALL:BLACKLIST " level warn drop
	}
}

table nat {
	set my_ip {
		type ipv4_addr
		flags interval
	}
	set vm_ip {
		type ipv4_addr
		flags interval
	}

	chain preroute {
		type nat hook prerouting priority 0
	}

	chain post_routing {
		type nat hook postrouting priority 0
		ip saddr @vm_ip ip saddr != @my_ip log prefix "FIREWALL:NAT " level warn masquerade fully-random
	}
}

table bridge bfilter {

	chain input {
		type filter hook input priority 0
		ip saddr $BRIDGE_IPS accept
		ether type arp counter accept
	}


	chain forward {
		type filter hook forward priority 0
	}


	chain output {
		type filter hook output priority 0
		ip daddr $BRIDGE_IPS accept
	}

}