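flush ruleset

define wan = eth0
define vpn = wg0
define vpn_net = 10.0.0.0/24
define lan_net = 192.168.2.0/24

# ICMPv6 control traffic that an IPv6 stack cannot function without.
# The nd-* types are neighbour discovery (without them IPv6 will not work);
# packet-too-big carries path-MTU information and must never be throttled,
# otherwise PMTUD breaks for every flow this gateway forwards.
define icmpv6_control = { destination-unreachable, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded }
# IPv4 ICMP error messages. source-quench is deprecated (RFC 6633) but kept
# for compatibility with the previous ruleset; it is harmless to accept.
define icmp_control = { destination-unreachable, source-quench, time-exceeded }

# VPN peers (by inner source address) that may reach the LAN subnet.
define lan_clients = { 10.0.0.3 }

table inet firewall {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Masquerade WireGuard VPN traffic that leaves via the WAN interface
        oifname $wan ip saddr $vpn_net masquerade
    }

    chain incoming {
        # Packets addressed to this host. The priority only orders this chain
        # relative to chains on the same hook in other tables; the policy drops
        # anything no rule below accepts.
        type filter hook input priority 0; policy drop;

        ct state invalid drop                       # early drop of invalid packets
        ct state { established, related } accept    # allow established/related connections
        iif lo accept                               # allow traffic from loopback interface

        # ICMP error messages and IPv6 neighbour discovery are accepted without
        # a rate limit: a 1/s limit on nd-* breaks neighbour resolution on a
        # busy link and a limit on packet-too-big / destination-unreachable
        # breaks path-MTU discovery. Only echo traffic is throttled.
        # "meta l4proto" is used instead of "ip6 nexthdr" so ICMPv6 behind an
        # extension header is still matched.
        ip protocol icmp icmp type $icmp_control accept
        meta l4proto icmpv6 icmpv6 type $icmpv6_control accept
        ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second burst 5 packets accept
        meta l4proto icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second burst 5 packets accept

        # Rules for all interfaces - note this also exposes the web service on WAN
        tcp dport { 80, 443 } accept                # Allow http and https for all interfaces
        udp dport 443 accept                        # Allow quic (http/3) for all interfaces

        # Rules for WAN interface only
        # established/related is accepted above, so only new connections reach
        # this rule; "ct state new" makes the intent explicit and the limit
        # therefore applies to connection attempts, not to every SSH packet.
        iifname $wan tcp dport 22 ct state new limit rate 10/minute accept
        iifname $wan udp dport 51820 accept          # Allow WireGuard incoming from WAN

        # Rules for VPN interface only
        # DNS needs TCP as well as UDP (RFC 7766): truncated or large answers
        # are retried over TCP and would otherwise be dropped by the policy.
        iifname $vpn udp dport 53 accept            # Allow DNS traffic from VPN
        iifname $vpn tcp dport 53 accept            # Allow DNS over TCP from VPN
    }

    chain forward {
        # Packets routed through this host. Default policy drops everything
        # that is not explicitly allowed below.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop                       # early drop of invalid packets
        ct state { established, related } accept    # allow established/related connections

        # Allow specific VPN clients to reach the LAN network.
        # NOTE(review): the match is on the inner source address only; it is
        # only as strong as the peer's WireGuard AllowedIPs binding, which is
        # configured outside this file - confirm each peer has a single /32.
        iifname $vpn ip saddr $lan_clients ip daddr $lan_net accept
        # Block all other VPN clients from the LAN network. This must stay
        # before the WAN rule below so LAN addresses cannot be reached via it.
        iifname $vpn ip daddr $lan_net drop
        # Allow VPN traffic out to the WAN (masqueraded in postrouting)
        iifname $vpn oifname $wan accept
    }

    chain outgoing {
        # Locally generated traffic is not filtered.
        type filter hook output priority 0; policy accept;
    }
}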