Final nftables ScriptΒΆ

For your reference here is the final and full /etc/nftables.conf script to transparently redirect all outbound HTTP and HTTPS traffic to Squid instance running on Debian 12 gateway machine.

#!/usr/sbin/nft -f

flush ruleset

define wan_if=ens32
define lan_if=ens33

table inet filter {

    # packets originated from this machine itself
    chain output {

        # what is priority filter? use 100?
        type filter hook output priority filter; policy accept;


    # packets sent to this machine ifself
    chain input {

        # drop all incoming packets by default
        type filter hook input priority 0; policy drop;

        # allow icmp
        icmp type echo-request limit rate 5/second accept

        # accept all established and related 
        ct state related,established accept

        # accept all from localhost
        iifname lo accept

        # uncomment this to block quic protocol from lan
        udp dport { 80, 443 } reject with icmpx port-unreachable

        # accept all from lan
        iifname $lan_if accept

        # allow connections from outside for ssh
        tcp dport ssh accept

        # drop all other connections from wan
        iifname $wan_if drop

    # packets sent to the internet through this machine
    chain forward {

        # drop all packets by default
        type filter hook forward priority 0; policy drop;

        # accept packets from lan to wan
        iifname $lan_if oifname $wan_if accept

        # accept packets from wan into lan for established or related connections
        iifname $wan_if oifname $lan_if ct state related,established accept


table ip nat {

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;

        # redirect HTTP to locally installed Squid instance
        tcp dport 80 redirect to :3126

        # redirect HTTPS to locally installed Squid instance
        tcp dport 443 redirect to :3127

    # enable nat for all packets going to the intenet through wan
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade