Final nftables ScriptΒΆ
For your reference here is the final and full /etc/nftables.conf script to transparently redirect all outbound HTTP and HTTPS traffic to Squid instance running on Debian 12 gateway machine.
#!/usr/sbin/nft -f
flush ruleset
define wan_if=ens32
define lan_if=ens33
table inet filter {
#
# packets originated from this machine itself
#
chain output {
# what is priority filter? use 100?
type filter hook output priority filter; policy accept;
}
#
# packets sent to this machine ifself
#
chain input {
# drop all incoming packets by default
type filter hook input priority 0; policy drop;
# allow icmp
icmp type echo-request limit rate 5/second accept
# accept all established and related
ct state related,established accept
# accept all from localhost
iifname lo accept
# uncomment this to block quic protocol from lan
udp dport { 80, 443 } reject with icmpx port-unreachable
# accept all from lan
iifname $lan_if accept
# allow connections from outside for ssh
tcp dport ssh accept
# drop all other connections from wan
iifname $wan_if drop
}
#
# packets sent to the internet through this machine
#
chain forward {
# drop all packets by default
type filter hook forward priority 0; policy drop;
# accept packets from lan to wan
iifname $lan_if oifname $wan_if accept
# accept packets from wan into lan for established or related connections
iifname $wan_if oifname $lan_if ct state related,established accept
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect HTTP to locally installed Squid instance
tcp dport 80 redirect to :3126
# redirect HTTPS to locally installed Squid instance
tcp dport 443 redirect to :3127
}
# enable nat for all packets going to the intenet through wan
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $wan_if masquerade
}
}