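# CONFIGURED BY ANSIBLE
#
# Host firewall, nftables `inet` family (IPv4 and IPv6 in one table).
# Only loopback and $nic are filtered explicitly: the input chain keeps
# `policy accept`, so packets arriving on any other interface (Docker
# bridges, see the forward chain below) are NOT filtered by this file.
# On $nic everything that is not accepted by a rule is dropped by the
# final rule of the input chain.

# Interface the service rules below are bound to.
define nic = eth0

# Declare, then flush: the flush would fail if the table did not exist
# yet, and the bare declaration is a no-op when it already does, so the
# file can be reloaded idempotently.
table inet filter
flush table inet filter

table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;

        # Loopback: accept everything on lo; reject loopback destinations
        # that arrived on any other interface (spoofed 127/8 and ::1).
        iif lo accept
        iif != lo ip daddr 127.0.0.0/8 reject
        iif != lo ip6 daddr ::1 reject

        # Connection tracking first, so replies to established flows are
        # not evaluated against every service rule below; packets that
        # conntrack cannot attribute to any flow are dropped instead of
        # falling through to a port match.
        iif $nic ct state established,related accept
        iif $nic ct state invalid drop

        # ICMP / ICMPv6 (ICMPv6 carries neighbour discovery and must not
        # be blocked) and VRRP on its multicast range.
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol vrrp ip daddr 224.0.0.0/8 accept

        # PRIMARY NSD
        iif $nic udp dport 53 accept
        iif $nic tcp dport 53 accept

        # POSTFIX
        iif $nic tcp dport 25 accept
        iif $nic tcp dport 465 accept

        # NGINX
        iif $nic tcp dport 80 accept
        iif $nic tcp dport 443 accept

        # OPENSSH & DROPBEAR
        iif $nic tcp dport 2222 accept
        iif $nic tcp dport 2223 accept

        # GITEA - OPENSSH
        iif $nic tcp dport 22222 accept

        # DOVECOT
        iif $nic tcp dport 993 accept

        # Default for $nic: anything not accepted above is dropped.
        iif $nic drop
    }

    # DOCKER --> accept
    # Forwarding is left open here; Docker installs its own rules for
    # the containers it manages.
    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    # Outbound traffic from this host is not restricted.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}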