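# Stateful firewall, IPv4 masquerading and TCP MSS clamping for a host that
# forwards traffic between eno1 and dsl.
#
# Changes relative to the collapsed one-line form:
#   * one statement per line, so the ruleset no longer depends on separators
#     that were lost when the lines were joined;
#   * the loopback prefix is written as the network address 127.0.0.0/8;
#   * the final log rules are rate limited, and a separate counter still
#     counts every packet that falls through to the drop policy.
# Accept/drop verdicts are unchanged; only the volume of log output differs.

table inet filter {
	chain forward {
		type filter hook forward priority filter; policy drop;

		# Anything arriving on eno1 may be forwarded
		# (presumably the trusted LAN side; confirm).
		# NOTE(review): this rule precedes any conntrack check, so packets
		# in state "invalid" coming from eno1 are forwarded as well. Consider
		# placing "ct state invalid drop" ahead of it.
		iifname eno1 accept

		# Return traffic for flows that are already tracked.
		ct state {established, related} accept

		# NOTE(review): every ICMP, ICMPv6 and IGMP packet is forwarded,
		# regardless of type and without a rate limit. Confirm this is
		# intended for traffic arriving from the uplink.
		meta l4proto ipv6-icmp accept
		meta l4proto icmp accept
		meta l4proto igmp accept

		# Count everything that reaches the drop policy.
		counter
		# Log a bounded sample only. Without a limit, anyone able to send
		# packets at this host controls how fast the kernel log grows.
		# The rate below is a starting value; tune it to the log pipeline.
		limit rate 10/second burst 20 packets log prefix "drop forward:"
	}

	chain input {
		type filter hook input priority filter; policy drop;

		iifname lo accept

		# Anti-spoofing: loopback destinations must never arrive on a
		# non-loopback interface. 127.0.0.0/8 is the same network the
		# original wrote as 127.0.0.1/8, with the host bits cleared.
		iif != lo ip daddr 127.0.0.0/8 counter drop
		iif != lo ip6 daddr ::1/128 counter drop

		ct state {established, related} accept

		# NOTE(review): the three service rules below match on every
		# interface, including dsl. If a service is meant for the LAN or
		# the VPN only, add an iifname match to its rule.
		# SSH.
		tcp dport 22 accept
		# 51820/udp is WireGuard's default port (presumably the purpose; confirm).
		udp dport 51820 accept
		# 60000-61000/udp is mosh's default range (presumably the purpose; confirm).
		udp dport 60000-61000 accept

		# NOTE(review): all ICMP/ICMPv6/IGMP types are accepted, unlimited.
		meta l4proto ipv6-icmp accept
		meta l4proto icmp accept
		meta l4proto igmp accept

		# Count everything that reaches the drop policy.
		counter
		# Bounded logging, same reasoning as in the forward chain.
		limit rate 10/second burst 20 packets log prefix "drop input:"
	}

	chain output {
		type filter hook output priority filter; policy accept;

		# Locally generated traffic is not filtered, only counted.
		counter
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# Source-NAT IPv4 leaving through dsl (presumably the uplink; confirm).
		# The table is family "ip", so IPv6 is not translated.
		oifname dsl counter masquerade

		# Read as a rule of its own: a statement placed after the terminal
		# masquerade in the same rule would have no effect.
		counter
	}
}

table inet mangle {
	chain postrouting {
		type filter hook postrouting priority mangle; policy accept;

		# MSS clamping: on TCP segments leaving through dsl that have SYN set
		# and RST clear, rewrite the MSS option to the value derived from the
		# route MTU.
		oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu

		# NOTE(review): in the one-line original this counter directly follows
		# the rule above. It is placed as a separate rule here to match the
		# other chains; confirm against the source file.
		counter
	}
}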