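#!/sbin/nft -f
# Host firewall for a machine that talks to two directory/Kerberos servers
# (192.168.0.10, 192.168.0.11), one monitoring host (172.20.10.30) and offers
# SSH, DNS, ZooKeeper (2181) and Kafka (9092). Every base chain defaults to
# drop; only the rules listed below open traffic.

flush ruleset

table ip myfilter {
    chain myinput {
        type filter hook input priority 0; policy drop;

        # Loopback and the 127/8 anti-spoof rule come before every service
        # accept. In the original order the spoof drop sat after the SSH/DNS
        # accepts, so a forged 127.x source could still reach those ports.
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter drop

        # Drop what conntrack cannot classify, then accept replies to tracked
        # connections; 'related' is needed for ICMP errors tied to a flow.
        ct state invalid drop
        ct state established,related accept

        # Services accepted from any source address.
        tcp dport ssh accept
        tcp dport 53 accept
        udp dport 53 accept
        ip protocol icmp accept
        # ZooKeeper/Kafka: not restricted by source address.
        tcp dport { 2181, 9092 } accept

        # Directory/Kerberos servers only (NTP, LDAP/LDAPS, Kerberos 88/464,
        # SMB 445, Global Catalog 3268).
        ip saddr { 192.168.0.10, 192.168.0.11 } tcp dport { ntp, ldap, ldaps, 88, 445, 464, 3268 } accept
        ip saddr { 192.168.0.10, 192.168.0.11 } udp dport { ntp, ldap, ldaps, 88, 445, 464, 3268 } accept

        # Monitoring host only.
        ip saddr 172.20.10.30 tcp dport { 5556, 5666 } accept
        ip saddr 172.20.10.30 udp dport snmp accept
    }

    chain myoutput {
        type filter hook output priority 0; policy drop;

        # Locally originated connections to 127.0.0.1 hit this chain first in
        # state 'new'; without this rule anything not listed below (for example
        # a local service on an unlisted port) is dropped on output.
        oif "lo" accept

        ct state invalid drop
        ct state established,related accept

        # Destinations this host may open regardless of address.
        tcp dport ssh accept
        tcp dport 53 accept
        udp dport 53 accept
        udp dport snmp accept
        tcp dport 5666 accept
        tcp dport { 2181, 9092 } accept
        tcp dport { http, https } accept
        ip protocol icmp accept

        # Directory/Kerberos servers only.
        ip daddr { 192.168.0.10, 192.168.0.11 } tcp dport { ntp, ldap, ldaps, 88, 445, 464, 3268 } accept
        ip daddr { 192.168.0.10, 192.168.0.11 } udp dport { ntp, ldap, ldaps, 88, 445, 464, 3268 } accept
    }

    # This host does not route: transit traffic is dropped unconditionally.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}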