table inet nixos-fw { chain rpfilter { type filter hook prerouting priority mangle + 10; policy drop; meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server" fib saddr . mark . iif oif exists accept } chain input { type filter hook input priority filter; policy drop; iifname "lo" accept comment "trusted interfaces" ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow } tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info } chain input-allow { tcp dport 22 accept tcp dport 5432 accept comment "PostgreSQL server" tcp dport 6443 accept comment "k3s" icmp type echo-request accept comment "allow ping" icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4." ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client" } chain forward-allow { type filter hook forward priority filter; policy drop; ip daddr 192.168.30.0/24 accept } }