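# -*- shell-script -*-
#
# ferm(1) ruleset for a host that is reached over a WireGuard tunnel.
#
#   INPUT    default-deny: loopback, conntrack replies and ICMP echo on the
#            tunnel are accepted; everything else (including ssh) is dropped.
#   OUTPUT   unrestricted.
#   FORWARD  default-deny: only packets arriving on the tunnel are forwarded.
#
# Fixes relative to the previous revision (see the comments at each spot):
#   - OUTPUT used `interface`, which iptables rejects in that chain (-i is not
#     valid for OUTPUT); `outerface` is the matching direction there.
#   - FORWARD had `policy ACCEPT` while its closing comment claimed the rest
#     was dropped by policy, so every interface could forward freely.
#   - Two rules carried a bare `saddr`/`daddr` with no address, which ferm
#     does not parse; the keywords are removed and the intent noted inline.

# Tunnel interface (WireGuard).
@def $DEV_VPN = wg0;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking: drop malformed state, accept replies to
        # connections we opened ourselves
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        interface $DEV_VPN {
            # respond to ping
            proto icmp icmp-type echo-request ACCEPT;

            # disallow ssh over the tunnel. Redundant under `policy DROP`,
            # kept explicit so the intent survives if the policy is relaxed.
            # NOTE(review): the original rule had a bare `saddr` with no
            # address; if only one source was meant to be blocked, restore it
            # as `saddr <addr/mask> proto tcp dport ssh DROP;`.
            proto tcp dport ssh DROP;
        }
    } # end INPUT

    # outgoing connections are not limited
    chain OUTPUT {
        policy ACCEPT;

        # OUTPUT has no input interface: iptables refuses `-i` in this chain,
        # so the tunnel is matched with `outerface` rather than `interface`.
        outerface $DEV_VPN {
            # ssh over the tunnel (already covered by `policy ACCEPT`; kept as
            # documentation of intent).
            # NOTE(review): the original rule had a bare `daddr` with no
            # address; add `daddr <addr/mask>` if a specific target was meant.
            proto tcp dport ssh ACCEPT;

            # outgoing ping over the tunnel (also covered by `policy ACCEPT`)
            proto icmp icmp-type echo-request ACCEPT;
        }
    } # end OUTPUT

    chain FORWARD {
        # Default-deny. The closing comment below has always said the rest is
        # dropped by policy; with the previous `policy ACCEPT` that was false
        # and any interface could forward to any other.
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net (arriving on the tunnel) to the
        # internet or to other internal nets are allowed
        interface $DEV_VPN ACCEPT;

        # the rest is dropped by the above policy
    } # end FORWARD
}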