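# iptables-restore ruleset for a small lan gateway: WireGuard VPN endpoint,
# web interface, SSH, DNS and DHCP for 10.0.0.0/24.
#
# NOTE(review): FORWARD is ACCEPT with no rules, so once ip_forward is enabled
# anything routed through this host (VPN <-> lan and back) passes unfiltered.
# Narrow it with explicit FORWARD rules if that is not the intent -- confirm.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Accept anything from localhost.
# Placed first so local inter-service traffic never touches the rules below.
-A INPUT -i lo -j ACCEPT

# Accept any packets which are associated with a connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop packets conntrack cannot classify (malformed, out-of-window, replies to
# flows it never saw). Several of the accepts below do not check state and
# would otherwise pass them; with INPUT policy DROP this only affects those.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept new udp packets on port 51820 for the Wireguard VPN.
# The only port reachable from any source: WireGuard authenticates peers
# itself and does not answer packets that fail that check.
-A INPUT -p udp --dport 51820 -j ACCEPT

# Accept new tcp packets on port 80 for the web interface on the local lan
-A INPUT -s 10.0.0.0/24 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# Accept new tcp packets on port 22 for SSH on the local lan
-A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Accept packets on port 53 for DNS on the local lan
-A INPUT -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp --dport 53 -j ACCEPT

# Accept DHCP requests on port 67.
# Clients with no lease yet send DISCOVER/REQUEST from source 0.0.0.0, which is
# what `-s 0.0.0.0` (i.e. 0.0.0.0/32) matches. Clients renewing an existing
# lease send REQUEST unicast from their assigned address, so without the second
# rule renewals were dropped and clients fell back to re-discovery on expiry.
-A INPUT -s 0.0.0.0 -p udp --dport 67 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp --dport 67 -j ACCEPT

COMMIT

# No NAT is configured: VPN peers are presumably reached by plain routing rather
# than masquerading. Confirm this matches the intended VPN topology.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT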