# IPv4 packet filter: seven base chains, all default-deny (policy drop).
# The listing is laid out one rule per line here; rule order and every token
# are unchanged.
# The table family is "ip", so nothing here matches IPv6 traffic.
# NOTE(review): whether another table filters IPv6 is not visible here - confirm.
table ip ipfilter {
    # Filter chain on the prerouting hook, so it sees packets before the
    # routing decision (both to-host and to-be-forwarded).
    chain prerouting {
        type filter hook prerouting priority filter; policy drop;
        icmp type echo-reply accept
        ct state established,related accept
        # Inbound ping is accepted only on enp0s9 and only for these destinations.
        icmp type echo-request iif "enp0s9" ip daddr 172.16.0.1-172.16.0.254 accept
        icmp type echo-request iif "enp0s9" ip daddr 10.0.0.254 accept
        # Ports 20/21 are conventionally FTP, which carries credentials in cleartext.
        # NOTE(review): passive-mode data connections would depend on "ct state related",
        # which needs a conntrack helper that is not configured in this table - confirm.
        tcp dport 20 accept
        tcp dport 21 accept
        tcp dport { 80, 443 } accept
        # No source address or interface restriction: port 22 is accepted from anywhere.
        # NOTE(review): consider limiting to a management source if one exists.
        tcp dport 22 accept
        # Shadowed: the unrestricted "tcp dport { 80, 443 } accept" above already
        # accepts this traffic, so this rule never decides anything.
        # NOTE(review): if web access was meant to be limited to 10.121.38.1,
        # the broader rule defeats that - confirm intent.
        ip saddr 10.121.38.1 tcp dport { 80, 443 } accept
    }

    # Traffic addressed to this host.
    chain system_in {
        type filter hook input priority filter; policy drop;
        icmp type echo-reply accept
        icmp type echo-request iif "enp0s9" accept
        ct state established,related accept
        tcp dport 20 accept
        tcp dport 21 accept
        tcp dport { 80, 443 } accept
        # Same as in prerouting: port 22 open to any source.
        tcp dport 22 accept
        # Shadowed by the unrestricted 80/443 rule above (see prerouting).
        ip saddr 10.121.38.1 tcp dport { 80, 443 } accept
    }

    # Forwarded traffic: only ping from enp0s9 towards enp0s8 and the replies back.
    # No TCP or UDP is forwarded.
    chain routing {
        type filter hook forward priority filter; policy drop;
        icmp type echo-request iif "enp0s9" oif "enp0s8" accept
        icmp type echo-reply iif "enp0s8" oif "enp0s9" accept
    }

    # Traffic generated by this host.
    chain system_out {
        type filter hook output priority filter; policy drop;
        # Any protocol and port towards these two hosts.
        ip daddr { 10.121.38.7, 10.121.38.8 } accept
        ip daddr 10.121.38.1 tcp dport 8080 accept
        icmp type echo-reply oif "enp0s9" accept
        icmp type echo-request accept
        # This chain has no "ct state" rule; replies for the local services are let
        # out by source port alone, to any destination.
        # NOTE(review): "ct state established,related accept" would tie replies to
        # connections that were actually accepted inbound - consider replacing the
        # sport rules with it.
        tcp dport 20 accept
        tcp sport 20 accept
        tcp dport 21 accept
        tcp sport 21 accept
        tcp dport { 80, 443 } accept
        tcp sport { 80, 443 } accept
        tcp sport 22 accept
    }

    # Filter chain on the postrouting hook; largely mirrors system_out plus the
    # forwarded-ping rules.
    chain postrouting {
        type filter hook postrouting priority filter; policy drop;
        ip daddr { 10.121.38.7, 10.121.38.8 } accept
        ip daddr 10.121.38.1 tcp dport 8080 accept
        icmp type echo-request ip saddr { 10.0.0.254, 172.16.0.254, 192.168.0.120 } accept
        # NOTE(review): the only echo-reply rule requires iif "enp0s8", so replies
        # generated by this host look uncovered here unless the destination is one
        # of the two hosts accepted above - verify that inbound ping is answered.
        icmp type echo-reply iif "enp0s8" oif "enp0s9" accept
        icmp type echo-request iif "enp0s9" oif "enp0s8" accept
        # Redundant: 10.0.0.254 is already in the saddr set three rules up,
        # which accepts it on any output interface.
        icmp type echo-request ip saddr 10.0.0.254 oif "enp0s9" accept
        # Same stateless sport-based reply rules as system_out.
        tcp dport 20 accept
        tcp sport 20 accept
        tcp dport 21 accept
        tcp sport 21 accept
        tcp dport { 80, 443 } accept
        tcp sport { 80, 443 } accept
        tcp sport 22 accept
    }

    # The two chains below are of type nat but contain no dnat/snat/masquerade
    # statement; they only accept by port, with policy drop.
    # NOTE(review): nat chains are consulted for the first packet of a connection,
    # so policy drop here likely discards new flows the filter chains accept
    # (ping, port 21, tcp/8080 to 10.121.38.1). Filtering normally belongs in the
    # filter chains, with nat chains left at policy accept - confirm and test.
    # NOTE(review): both use "priority filter", the same priority as the filter
    # chains on these hooks; the conventional nat priorities are dstnat and srcnat.
    chain nat_prerouting {
        type nat hook prerouting priority filter; policy drop;
        tcp dport { 80, 443 } accept
        tcp dport 22 accept
    }

    chain nat_postrouting {
        type nat hook postrouting priority filter; policy drop;
        tcp dport { 80, 443 } accept
        tcp sport { 80, 443 } accept
        tcp sport 22 accept
    }
}