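#!/usr/bin/env bash
# Host firewall: appends the site policy below to the nftables chain
# `ip filter input`.  The table and chain are not created here; they are
# assumed to exist already (presumably with a drop policy -- TODO confirm
# against whatever calls start_firewall).
#
#   my_ip ADDR      per-address rules for one local IPv4 address
#   start_firewall  the whole policy, then my_ip for every local address
#
# Runs with -e so the first failed nft call aborts instead of leaving a
# half-applied ruleset behind unnoticed.
set -euo pipefail

PATH=/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# Append one rule to the `ip filter input` chain.
# Arguments: the nft match and verdict tokens, one shell word each
# Returns:   nft's exit status
#######################################
add_input_rule() {
  nft add rule ip filter input "$@"
}

#######################################
# Per-address rules for one local IPv4 address.
# Arguments: $1 - an IPv4 address configured on this host
# Returns:   non-zero (and aborts under -e) if any nft call fails
#######################################
my_ip() {
  local addr=$1

  # Allow everything from this host
  add_input_rule ip saddr "$addr" counter accept

  # Allow ICMP
  add_input_rule ip daddr "$addr" ip protocol icmp counter accept

  # Allow ports >1024: TCP only when SYN is clear (replies to connections
  # this host opened), UDP unconditionally.  The '&' must be quoted,
  # otherwise the shell backgrounds the nft command at that point and
  # runs the rest of the line as a separate command.
  add_input_rule ip daddr "$addr" tcp dport 1024-65535 \
    tcp flags '&' syn '!=' syn counter accept
  add_input_rule ip daddr "$addr" udp dport 1024-65535 counter accept
}

#######################################
# Install the complete input policy.
# Globals:   none written; calls my_ip for every non-loopback IPv4 address
# Returns:   non-zero (and aborts under -e) if any nft call fails
#######################################
start_firewall() {
  # Allow everything from localhost
  add_input_rule ip saddr 127.0.0.1 counter accept

  # Specifically block access to NFS and XWindows.  Necessary because
  # these are ports >1024, which my_ip opens below; nft evaluates rules
  # in order, so these drops have to be appended before those accepts.
  add_input_rule tcp dport 2049 counter drop
  add_input_rule udp dport 2049 counter drop
  add_input_rule tcp dport 6000-6063 counter drop
  add_input_rule udp dport 6000-6063 counter drop

  # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN,
  # git-daemon.  (dhcp is listed but no 67/68 rule follows -- TODO confirm
  # whether that is intentional.)
  add_input_rule tcp dport 22 counter accept
  add_input_rule tcp dport 25 counter accept
  add_input_rule tcp dport 53 counter accept
  add_input_rule udp dport 53 counter accept
  # NOTE(review): this is the stateless-era "DNS replies" rule; it accepts
  # any UDP to a high port whose source port is 53, not just replies to
  # queries this host sent.  The ct state rules below may make it redundant.
  add_input_rule udp sport 53 udp dport 1024-65535 counter accept
  add_input_rule tcp dport 80 counter accept
  add_input_rule tcp dport 113 counter accept
  add_input_rule tcp dport 123 counter accept
  add_input_rule udp dport 123 counter accept
  add_input_rule tcp dport 137-139 counter accept
  add_input_rule udp dport 137-139 counter accept
  add_input_rule tcp dport 443 counter accept
  add_input_rule tcp dport 445 counter accept
  add_input_rule udp dport 1194 counter accept
  add_input_rule tcp dport 9418 counter accept

  # FTP
  add_input_rule tcp dport 20 counter accept
  add_input_rule tcp dport 21 counter accept
  # Allow ftp-data for active connections
  #add_input_rule tcp sport 20 tcp dport 1024-65535 counter accept
  # Track FTP connections to allow active and passive mode FTP
  add_input_rule tcp sport 20 ct state established,related counter accept
  add_input_rule tcp dport 20 ct state established,related counter accept
  # NOTE(review): "new" here is keyed only on the remote source port being
  # 21, so any peer that binds port 21 can open connections to this host;
  # confirm that is intended before keeping "new" in this rule.
  add_input_rule tcp sport 21 ct state new,established counter accept
  add_input_rule tcp dport 21 ct state established,related counter accept
  add_input_rule tcp sport 1024-65535 ct state established,related counter accept
  add_input_rule tcp dport 1024-65535 ct state established,related counter accept

  # Per-address rules for every configured IPv4 address except loopback.
  # Field 4 of `ip --oneline -4 address show` is ADDR/PREFIX; awk keeps
  # only ADDR.  Read line by line rather than word-splitting a string so
  # the list is never subject to globbing.
  local addr
  while IFS= read -r addr; do
    if [[ -n "$addr" ]]; then
      my_ip "$addr"
    fi
  done < <(ip --oneline -4 address show up \
    | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
}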