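#!/usr/sbin/nft -f
# Host firewall: default-deny for inbound and forwarded traffic, unrestricted
# outbound. Exposes SSH (22) and a service on 64738 that is also reachable on
# 443 through the NAT redirects at the bottom of this file.

# Atomically replaces the whole ruleset. This also removes tables installed by
# other tools, so anything that manages its own rules must be reloaded after.
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		# Loopback: without this, new local-to-local connections to any port
		# other than the ones listed below fall through to the final reject.
		iif lo accept

		# Replies to connections this host opened. "related" is deliberately
		# not matched here; the ICMP errors that matter are listed explicitly.
		ct state established accept

		# ICMPv4 errors needed for path MTU discovery and error reporting.
		# Echo-request is not in the set, so the host does not answer ping.
		ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

		# ICMPv6 errors plus the neighbour-discovery messages IPv6 needs to work.
		# "meta l4proto" is used instead of "ip6 nexthdr": nexthdr only looks at
		# the first next-header field and misses packets carrying extension headers.
		meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

		# Exposed services. Traffic redirected from 443 reaches this chain with
		# dport 64738 already, since the nat prerouting hook runs before input.
		# NOTE(review): 22 is open to every source address; restrict it by source
		# or rate-limit new connections if that is not intended.
		tcp dport { 22, 443, 64738 } accept
		udp dport { 443, 64738 } accept

		# Everything else gets an explicit ICMP error instead of a silent drop.
		# The chain policy only takes effect if this rule is removed.
		reject
	}

	chain forward {
		# This host is not a router: refuse all forwarded traffic.
		type filter hook forward priority 0; policy drop;
		reject
	}

	chain output {
		# Outbound traffic is not filtered.
		type filter hook output priority 0; policy accept;
	}
}

# IPv4: make the service on 64738 reachable on 443 as well.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		tcp dport 443 redirect to :64738
		udp dport 443 redirect to :64738
	}

	# Empty chain kept from the original; presumably present because older
	# kernels needed both nat hooks registered - confirm before removing.
	chain postrouting {
		type nat hook postrouting priority 0;
	}
}

# IPv6: same redirect as the IPv4 table above.
table ip6 nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		tcp dport 443 redirect to :64738
		udp dport 443 redirect to :64738
	}

	# Empty chain kept from the original; presumably present because older
	# kernels needed both nat hooks registered - confirm before removing.
	chain postrouting {
		type nat hook postrouting priority 0;
	}
}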