#!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0 policy drop ct state {established, related} counter accept iif lo accept # Allow ICMP (pings) ip protocol icmp accept meta l4proto icmpv6 accept tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept # Allow nebula udp dport {{ nebula_listen_port }} accept; # Allow Tailscale udp dport {{ tailscale_port }} accept; } chain POSTROUTING { type nat hook postrouting priority srcnat policy accept # NAT - because the proxmox machines may not have routes back ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade ip saddr {{ tailscale_cidr }} counter masquerade } chain FORWARD { type filter hook forward priority mangle policy drop # Allow traffic from nebula to proxmox network ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept # Allow monitoring of nebula network ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept # Allow Tailscale exit node ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop ip saddr {{ tailscale_cidr }} accept ip daddr {{ tailscale_cidr }} ct state related,established accept } }