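# Host firewall and NAT for a dual-stack host that also routes for a WireGuard
# VPN (wg0) and forwards a few public TCP ports from the WAN (eth0) to $hrrol.
#
# `$hrrol` is not defined in this section; it is assumed to come from a
# `define hrrol = <address>` earlier in the ruleset or an included file.

table inet firewall {
    chain input {
        # Default deny for everything not explicitly allowed below.
        type filter hook input priority filter; policy drop;

        # Loopback is trusted unconditionally.
        iifname lo accept

        # Replies/related flows of connections this host initiated or accepted;
        # packets that belong to no known connection are dropped outright.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # IPv4 ping. (`icmp type` matches IPv4 only, see the icmpv6 rule below.)
        icmp type echo-request accept

        # ICMPv6: an `inet` table also filters IPv6, and with `policy drop` the
        # neighbour-discovery and router-advertisement messages must be accepted
        # explicitly or IPv6 on this host stops working. echo-request mirrors the
        # IPv4 ping rule; the error types keep path-MTU discovery working.
        # NOTE(review): harmless if the host has no IPv6; required if it does.
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # TCP services:
        # - ssh, http and https (for mugam itself)
        # - mumble for ragulkanth (5033)
        # - ssh for ragulkanth (10101)
        tcp dport { ssh, http, https, 5033, 10101 } accept

        # DNS and WireGuard.
        # NOTE(review): `domain` is accepted from every interface. If the
        # resolver on this host is recursive, that makes it an open resolver
        # usable for amplification; limit it to the VPN
        # (`iifname wg0 udp dport domain accept`) unless it is meant to serve
        # the public. DNS over TCP (`tcp dport domain`) is not opened, so
        # answers too large for UDP will fail for remote clients.
        udp dport { domain, 51820 } accept
    }

    chain forward {
        # Routed traffic (the port forwards from the nat table below and VPN
        # traffic through wg0) never traverses the input chain, so without this
        # chain it was forwarded unfiltered. Default deny, like input.
        type filter hook forward priority filter; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }

        # Connections redirected by the nat table's prerouting chain.
        ct status dnat accept

        # VPN clients may reach the WAN through this host; the masquerade on
        # eth0 in the nat table exists for this.
        # NOTE(review): only the flows this ruleset itself implies (WAN <-> VPN,
        # as the postrouting comment describes) are allowed. Confirm nothing
        # else is routed through this host before deploying the default drop.
        iifname wg0 oifname eth0 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;

        # Forward public ports to services on $hrrol. Only the WAN interface is
        # matched, so traffic arriving from the VPN or loopback is not redirected.
        # This table is `ip` family: IPv6 connections to these ports are not
        # forwarded (and, with the inet table above, are dropped).
        # E-mail
        iifname eth0 tcp dport smtp dnat to $hrrol:8025
        iifname eth0 tcp dport pop3s dnat to $hrrol:8995
        iifname eth0 tcp dport smtps dnat to $hrrol:8465
        iifname eth0 tcp dport submission dnat to $hrrol:8587
        # XMPP (same port numbers on the target)
        iifname eth0 tcp dport { xmpp-client, xmpp-server } dnat to $hrrol
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;

        # For all packets leaving via the VPN or the WAN, replace the source
        # address with the outgoing interface's own address, so replies to
        # forwarded traffic are routed back through this host (e.g. VPN clients
        # going out via eth0; presumably also the DNAT'd connections, if $hrrol
        # is reached over wg0).
        oifname { eth0, wg0 } masquerade
    }
}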