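% # iptables filter-table ruleset, rendered through ERB.
% #
% # Usage: `erb ports='[8080, 8443]' iptables.erb | iptables-restore`
% #   `ports` is an optional JSON array of extra TCP+UDP ports to open on top of
% #   the fixed 22/80/443. Omit it (or pass '[]') to open nothing extra.
% #
% # NOTE: iptables-restore replaces the whole *filter table, so any rules dockerd
% # has installed (its FORWARD -> DOCKER-USER jump, the DOCKER-ISOLATION-* bodies)
% # are discarded until dockerd is restarted. IPv4 only; ip6tables is separate.
% require 'json'
%
% # Fall back to an empty list when the CLI did not set `ports` at all, or set it
% # to an empty string.
% raw_ports = (defined?(ports) && !ports.to_s.strip.empty?) ? ports : '[]'
% begin
%   extra_ports = JSON.parse(raw_ports)
% rescue JSON::ParserError => e
%   raise ArgumentError, "ports is not valid JSON (#{e.message}): #{raw_ports.inspect}"
% end
% # Each entry is interpolated verbatim into a rule below, so anything other than
% # a plain integer in the valid port range would be rule injection
% # (e.g. "22 -j ACCEPT ! --dport"). Reject the whole list rather than emit it.
% valid = extra_ports.is_a?(Array) &&
%   extra_ports.all? { |p| p.is_a?(Integer) && p.between?(1, 65535) }
% unless valid
%   raise ArgumentError, "ports must be a JSON array of integers in 1..65535, got #{raw_ports.inspect}"
% end
% # uniq keeps a re-supplied 22/80/443 from producing duplicate rules.
% open_ports = ([22, 80, 443] + extra_ports).uniq
*filter
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-1
# don't restrict output at all
-A OUTPUT -j ACCEPT
# allow all loopback
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# allow all established/related traffic, before any interface or port rule.
# FORWARD needs this too: the per-port FORWARD accepts below only admit the
# first direction of a connection, and without it the replies would hit the
# final FORWARD DROP whenever Docker's DOCKER-USER jump is not in place.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow wireguard
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -i wg0 -j ACCEPT
# docker0 traffic is handed to Docker's isolation chain. This file creates that
# chain empty, so until dockerd repopulates it the jump simply returns and the
# packet continues to the port rules / DROP below -- docker0 traffic is NOT
# unconditionally allowed here.
-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1
# custom ports: one INPUT/FORWARD/DOCKER-USER accept per port and protocol.
# DOCKER-USER matches on the connection's original destination port so that
# DNAT'ed (published) container ports are covered as well.
% open_ports.each do |port|
%   %w[tcp udp].each do |proto|
-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
%   end
% end
# disallow all other
-A INPUT -j DROP
-A FORWARD -j DROP
-A DOCKER-USER -j DROP
COMMIT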