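# ferm ruleset for a container host: LXC guests sit on $bridge and reach the
# internet through $internet. IPv4 guest traffic is masqueraded (see the
# IPv4-only nat block at the bottom); IPv6 is forwarded without NAT.
@def $subnet      = 192.168.66.0/24;
@def $bridge      = br0;
@def $internet    = "enp2s0";

# Host addresses on the uplink, resolved when ferm loads the ruleset.
# The interface name is hard-coded in both commands: keep it in sync with
# $internet when the uplink is renamed. Link-local (fe80::/10) addresses are
# excluded from $public_ipv6 so only the routable address is picked up.
@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;

include 'ferm.d/functions';
include `find ferm.d/services/*`;

domain (ip ip6) {
    table nat {
        # Explicit ACCEPT policies; the only NAT rule lives in the IPv4-only
        # block below.
        chain PREROUTING  policy ACCEPT;
        chain POSTROUTING policy ACCEPT;
        chain INPUT       policy ACCEPT;
        chain OUTPUT      policy ACCEPT;
    }

    table filter {
        # Rules specific to FORWARD are emitted first; the shared
        # (INPUT FORWARD) block below appends after them, so its final
        # LOG/REJECT pair is the catch-all for both chains.
        chain FORWARD {
            # Egress control for guests: no direct delivery to port 25
            # (anti-spam). A TCP reset fails fast instead of leaving the
            # client to time out.
            interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
            # dn42 -> is filtered in dn42 container
            interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
            # Everything else from guests may leave via the uplink. Return
            # traffic is admitted by the conntrack rule in the shared block.
            # NOTE(review): this is a full-egress allow for guests; tighten
            # per service if guests are not fully trusted.
            interface $bridge outerface $internet ACCEPT;
        }

        chain (INPUT FORWARD) {
            policy DROP;
            interface lo ACCEPT;
            # ICMP unrestricted: needed for PMTUD and, in the ip6 domain,
            # Neighbour Discovery. NOTE(review): relies on ferm mapping
            # "icmp" to "icmpv6" for ip6 -- confirm for the installed version.
            protocol icmp ACCEPT;
            # SSH is reachable from any source on both address families;
            # consider a saddr restriction or a connection rate limit.
            protocol tcp dport 22 ACCEPT;
            mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
            # Rate-limit the reject log so a packet flood cannot fill the
            # journal or disk; the REJECT rules below still fire unlimited.
            mod limit limit 5/min limit-burst 10 LOG log-prefix "iptables reject:";
            protocol tcp REJECT reject-with tcp-reset;
            # NOTE(review): ip6tables expects icmp6-port-unreachable here;
            # confirm ferm translates the name for the ip6 domain, otherwise
            # split this rule per domain.
            REJECT reject-with icmp-port-unreachable;
        }

        chain OUTPUT policy ACCEPT;
    }
}

domain ip table nat {
    # IPv4 only: traffic leaving the uplink is rewritten to $public_ipv4.
    # NOTE(review): not restricted to "saddr $subnet"; add it if anything
    # other than the guest subnet may be forwarded out of $internet.
    chain POSTROUTING outerface $internet MASQUERADE;
}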