configpolicy/roles/dch-gw/templates/forward.nft.j2
Dustin C. Hatch c88ee8bd99 dch-gw: Restrict traffic from Management network
Traffic from the management network is not allowed except for specific
services. NTP is required of course, for time synchronization with the
pyrocufflink.blue domain controllers. RADIUS is necessary for WiFi
authentication, which is also handled by the DCs.
2018-07-15 12:16:43 -05:00


{#- vim: set sw=4 ts=4 sts=4 et : #}
# Forward-chain rules for the dch-gw router, rendered into the "inet filter"
# table.  The inet family covers IPv4 and IPv6; the two sets below are
# ipv4_addr, so every rule that references a set matches IPv4 only.
#
# Template variables used: dch_networks.guest.router_iface,
# dch_networks.mgmt.router_iface, internet_iface, firemon_networks.
#
# NOTE(review): this chain carries no "type filter hook forward priority ...;
# policy ...;" line, so it is presumably the base chain declared in another
# template that nft merges into the same table at load time -- confirm.  On its
# own it would be a regular (unhooked) chain whose rules never run.
table inet filter {
    # The pyrocufflink.blue domain controllers.  nft resolves these host names
    # when the ruleset is loaded: loading depends on name resolution working at
    # that moment, and a later address change is not picked up until the
    # ruleset is reloaded.
    set domain_controllers {
        type ipv4_addr
        elements = {
            dc0.pyrocufflink.blue,
            dc1.pyrocufflink.blue,
        }
    }
    # Remote networks reached over the VPN: one fixed /28 plus whatever
    # prefixes firemon_networks supplies.  "flags interval" is what lets the
    # set hold CIDR prefixes rather than single addresses.
    set vpn_subnets {
        type ipv4_addr
        flags interval
        elements = {
            172.31.0.64/28,
{% for prefix in firemon_networks %}
            {{ prefix }},
{% endfor %}
        }
    }
    # Rules are evaluated top to bottom; the first accept/drop/reject decides.
    # Anything that matches no rule falls through to the chain policy, which is
    # not declared in this file (see the note at the top).
    chain forward {
        # Replies and related flows of connections that were already accepted.
        ct state established,related accept
        # Guest isolation: the guest network may only forward to the Internet,
        # and only the Internet may forward into it.  (iifname/oifname match by
        # interface name; iif/oif match by interface index, which requires that
        # interface to exist when the ruleset is loaded.)
        iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
        iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
        # Management network: only NTP and RADIUS (both UDP) to the domain
        # controllers.  Everything else from it is dropped -- including traffic
        # towards the Internet and, because "ip daddr" is IPv4-only, any IPv6.
        # The drop must stay ahead of the general internal accept below.
        iifname {{ dch_networks.mgmt.router_iface }} ip daddr @domain_controllers udp dport { ntp, radius } counter accept
        iifname {{ dch_networks.mgmt.router_iface }} counter drop
        # Any other internal-to-internal forwarding.
        iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
        # VPN: inbound on the Internet interface from a VPN source address, and
        # outbound towards a VPN destination.
        # NOTE(review): the inbound rule trusts the source address alone.  If
        # the VPN is IPsec (decrypted packets re-enter on the same interface),
        # consider also requiring IPsec state -- e.g. "meta ipsec exists" on
        # nft versions that support it -- or strict reverse-path filtering, so
        # that only packets that actually came through the tunnel match;
        # confirm which VPN technology is in use.
        iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
        iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
        # SMTP (tcp/25) that was not accepted above -- i.e. between the internal
        # networks and the Internet -- is refused with a host-unreachable reply;
        # icmpx produces ICMP or ICMPv6 as appropriate for the packet's family.
        tcp dport smtp counter reject with icmpx type host-unreachable
        # Everything else heading out to the Internet.
        oif {{ internet_iface }} accept
    }
}