infrastructure/ansible/roles/ingress/files/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop

        ct state {established, related} counter accept

        iif lo accept

        # Allow ICMP (pings)
        ip protocol icmp accept
        meta l4proto icmpv6 accept

        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept

        # Allow nebula
        udp dport {{ nebula_listen_port }} accept;

        # Allow Tailscale
        udp dport {{ tailscale_port }} accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat
        policy accept

        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
        ip saddr {{ tailscale_cidr }} counter masquerade
    }

    chain FORWARD {
        type filter hook forward priority mangle
        policy drop

        # Allow traffic from nebula to proxmox network
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept

        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept

        # Allow Tailscale exit node
        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
        ip saddr {{ tailscale_cidr }} accept
        ip daddr {{ tailscale_cidr }} ct state related,established accept
    }
}