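#!/usr/sbin/nft -f
# Static host firewall template. Every $PLACEHOLDER is substituted by the
# generator before the result is loaded with `nft -f`; the $..._RULES
# placeholders expand to zero or more complete rule lines. The table is
# family `inet`, so any rule without an explicit `ip`/`ip6` qualifier applies
# to IPv4 AND IPv6 traffic.
table inet fw_static {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always accepted.
        iif "lo" accept

        # Drop packets conntrack cannot attach to a known flow (out-of-window
        # TCP segments, stray RST/ACK) before any accept rule, so that the
        # source-address-only private-network rule below cannot admit them.
        ct state invalid drop
        ct state established,related accept

        # Public: ICMP (optional).
        # NOTE(review): because the table is `inet`, IPv6 on the public
        # interface only works if this placeholder also admits the ICMPv6
        # neighbour-discovery types; otherwise they fall to `policy drop`.
        $ICMP_PUBLIC_IN_RULES

        # Public: SSH IN (optional)
        $SSH_PUBLIC_IN_RULE

        # Private network (in). Trust is based on the IPv4 source address
        # only: it does not stop spoofing on the private segment, and IPv6
        # arriving on $PRIV_IF is not matched by this rule.
        iif "$PRIV_IF" ip saddr $PRIV_NET accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback is always accepted.
        oif "lo" accept

        # Replies belonging to flows that were admitted on input.
        ct state established,related accept

        # Public: ICMP (optional)
        $ICMP_PUBLIC_OUT_RULES

        # Public: APT OUT (optional) - includes DNS + HTTP/HTTPS.
        # Outbound DNS/HTTP(S) are the only egress paths a compromised
        # process could use from the public side; keep them scoped to
        # the package mirrors where the generator allows it.
        $APT_PUBLIC_OUT_RULES

        # Private network (out): IPv4 destinations inside $PRIV_NET only.
        oif "$PRIV_IF" ip daddr $PRIV_NET accept
    }

    chain forward {
        # This host never routes; nothing is forwarded between interfaces.
        type filter hook forward priority 0; policy drop;
    }
}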