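# ferm ruleset: host firewall with a WireGuard interface used for forwarding.
# Restored to one statement per line: with everything collapsed onto a single
# line, the first '#' comment swallowed every rule that followed it.

# VPN interface name; referenced by the FORWARD chain below.
@def $DEV_VPN = wg0;

table filter {
    chain INPUT {
        # default-deny for inbound traffic; only the rules below open anything
        policy DROP;

        # connection tracking: drop malformed state, allow replies to our own
        # connections and related traffic (e.g. ICMP errors)
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow inbound ssh (the original comment said "disallow", but the
        # rule has always been ACCEPT; under policy DROP this rule is what
        # keeps remote administration reachable)
        proto tcp dport ssh ACCEPT;
    }#FIN INPUT

    # outgoing connections are not limited
    chain OUTPUT {
        policy ACCEPT;

        # block outgoing ssh (the original comment said "allow", but the rule
        # is DROP; with policy ACCEPT an explicit ACCEPT would be a no-op, so
        # DROP is taken as the intended behaviour -- confirm with the operator)
        proto tcp dport ssh DROP;

        # outgoing echo-request is already allowed by the policy; kept for
        # readability, it has no effect
        proto icmp icmp-type echo-request ACCEPT;
    }#FIN OUTPUT

    chain FORWARD {
        # default-deny for forwarded traffic. The original had policy ACCEPT,
        # which contradicted the "the rest is dropped by the above policy"
        # comment and made the explicit $DEV_VPN ACCEPT below meaningless:
        # with ip_forward enabled, every packet would have been forwarded.
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net to the internet or to other
        # internal nets are allowed. Note this matches on the inbound
        # interface only; any destination reachable from $DEV_VPN is forwarded.
        interface $DEV_VPN ACCEPT;

        # the rest is dropped by the above policy
    }#FIN FORWARD
}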