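# {{ ansible_managed }}
# vim:set ts=2 sw=2 et:
#
# Host input firewall, rendered by Ansible. The input chain has a default
# policy of drop: only the services listed below are reachable. Services
# that are VPN-only additionally require the packet to arrive on the tunnel
# interface and to match the expected source/destination ranges.
#
# Family "inet" so the one chain filters both IPv4 and IPv6. A table of
# family "ip" only hooks IPv4; after "flush ruleset" no IPv6 hook existed, so
# IPv6 input was not filtered at all. With "inet" the drop policy and the
# rules below apply to both families. Note that "ip saddr"/"ip daddr" match
# IPv4 headers only, so the VPN-scoped rules still admit IPv4 clients only.

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp; icmpv6 is required for neighbour discovery and PMTU on IPv6
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept

    # services exposed on the main network interface
    iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH"
    iifname "{{ network_interface }}" tcp dport {{ gitlab_ssh_port }} accept comment "Gitlab SSH"
    iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
    iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission"
    iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
    iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"

    # services reachable only through the main VPN tunnel, from its address ranges
    iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
    iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
    iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
    iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD"
    iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"

    # services reachable only through the media VPN tunnel, from its address ranges
    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery"
    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery"
  }
}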