flush ruleset

define wan_iface = "enp1s0"

table inet filter {
  chain inbound_wan {
    icmp type echo-request limit rate 5/second accept
    tcp dport { 22, 80, 443 } accept
    udp dport { 12345 } accept
    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    icmpv6 type echo-request limit rate 5/second accept
  }

  chain input {
    type filter hook input priority 0
    policy drop

    ct state vmap { invalid : drop, established : accept, related : accept }

    iifname vmap { lo : accept, $wan_iface: jump inbound_wan }
  }

  chain forward {
    type filter hook forward priority 0
    policy drop

    ct state vmap { established : accept, related : accept, invalid : drop }
  }
}