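# Host firewall for a single public interface. The services named in the
# comments below are NSD (DNS), nginx (HTTP/HTTPS) and OpenSSH on tcp/2222.
# Loaded atomically: the table is declared, flushed, then redefined, so a
# reload replaces the previous rules instead of appending to them.

# Public-facing interface. `iif` matches on the interface index resolved when
# the ruleset is loaded, so the interface has to exist at load time.
define nic = eth0

table inet filter
flush table inet filter

table inet filter {
    chain input {
        # NOTE(review): the base policy is accept and the only drop is the
        # final `iif $nic drop`, so packets arriving on any interface other
        # than $nic and lo are accepted unless an earlier rule rejects them.
        # Confirm that is intended; if not, use `policy drop` and remove the
        # `iif $nic` qualifier from the established,related rule.
        type filter hook input priority filter; policy accept;

        # Loopback traffic is trusted; loopback destinations seen on any
        # other interface are spoofed and rejected.
        iif lo accept
        iif != lo ip daddr 127.0.0.0/8 reject
        iif != lo ip6 daddr ::1 reject

        # ICMP and ICMPv6 (includes neighbour discovery, which IPv6 needs).
        # `meta l4proto` is used for ICMPv6 because `ip6 nexthdr` only looks
        # at the first Next Header field and misses packets that carry
        # extension headers.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # VRRP advertisements to multicast destinations.
        ip protocol vrrp ip daddr 224.0.0.0/8 accept

        # BACKUP NSD
        iif $nic udp dport 53 accept
        iif $nic tcp dport 53 accept

        # NGINX
        iif $nic tcp dport 80 accept
        iif $nic tcp dport 443 accept

        # OPENSSH
        iif $nic tcp dport 2222 accept

        # Replies to connections this host opened, then drop everything else
        # that arrived on the public interface.
        iif $nic ct state established,related accept
        iif $nic drop
    }

    chain forward {
        # This host does not route: nothing is forwarded.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outbound traffic is not filtered.
        type filter hook output priority filter; policy accept;
    }
}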