🎉 First working proof of concept

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

firewall/nat.conf

@@ -0,0 +1,16 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip nat {
+    chain prerouting {
+        type nat hook prerouting priority 0; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority 0; policy accept;
+
+        ip saddr 10.2.1.0/30 masquerade;
+        ip saddr 172.17.0.0/16 masquerade;
+    }
+}

firewall/restrict-http.conf

@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+	}
+	chain forward {
+		type filter hook forward priority 0; policy accept
+                tcp dport { 80 } reject;
+                accept
+	}
+	chain output {
+		type filter hook output priority 0;
+	}
+}