table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop comment "drop invalid packets"
        ct state established,related accept comment "accept related connections"
        iif lo accept
        iif != lo ip daddr 127.0.0.1/8 drop
        iif != lo ip6 daddr ::1/128 drop
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        udp dport domain ip saddr 172.16.0.0/12 accept
        tcp dport 3000 ip saddr 127.0.0.1/8 accept
        tcp dport 8000 ip saddr 127.0.0.1/8 accept
        tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
        tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
        udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
        tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        icmp type echo-request accept
        icmp type echo-reply accept
        ip daddr 127.0.0.0/8 accept
        ip6 daddr ::1 accept
        udp dport domain accept
        tcp dport 853 accept comment "DNS over TLS"
        udp dport 853 accept comment "DNS over TLS"
        tcp dport http accept
        tcp dport https accept
        udp dport https accept
        tcp dport ssh accept
        tcp dport bootps accept
        udp dport bootps accept
        tcp dport ntp accept
        udp dport ntp accept
        tcp dport nntps accept
        udp dport nntps accept
        tcp dport submission accept
        tcp dport imaps accept
        tcp dport 2222 accept
        tcp dport hkp accept
        udp dport hkp accept
        tcp dport 9100 accept
        tcp dport git accept
        udp dport git accept
        tcp dport rsync accept
        udp dport rsync accept
        tcp dport 8000 accept
        tcp dport http-alt accept
        udp dport openvpn accept
        tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
        tcp dport 5222 accept comment "XMPP"
        tcp dport 6697 accept comment "IRC"
        tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
        udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
        tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
        udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
        udp dport 19302-19309 accept comment "Google Meet Ports"
        tcp dport 1714-1764 accept comment "KDEConnect"
        udp dport 1714-1764 accept comment "KDEConnect"
        udp dport 51820 accept comment "WireGuard"
    }
}