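# Host firewall: rules for chain "input" of the nftables table "ip filter".
#
# Every rule below is *appended* to that chain.  This script neither creates
# the table/chain nor sets the chain's policy, so "nft add rule" fails for
# each rule if "ip filter input" does not exist yet (add_input_rule reports
# that on stderr).  nft evaluates rules in insertion order, which is why the
# NFS/X11 drops in start_firewall must stay ahead of the ">1024" accepts.
PATH=/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# Append one rule to chain "input" of table "ip filter".
# Arguments: the rule body as separate words, e.g. tcp dport 22 accept
# Outputs:   a diagnostic on stderr when nft rejects the rule
# Returns:   nft's exit status (0 on success)
#######################################
add_input_rule() {
  local rc=0
  nft add rule ip filter input "$@" || rc=$?
  if [ "$rc" -ne 0 ]; then
    printf 'firewall: nft refused rule "%s" (status %d)\n' "$*" "$rc" >&2
  fi
  return "$rc"
}

#######################################
# Add the per-address rules for one local IPv4 address.
# Arguments: $1 - an IPv4 address assigned to this host
# Returns:   0 if every rule was added, else the status of the last failure
#######################################
my_ip() {
  local MYIP=$1
  local rc=0
  # Allow everything from this host.
  # NOTE(review): this trusts the *source* address alone; a packet spoofing
  # our own address matches too unless reverse-path filtering rejects it
  # before this chain -- confirm rp_filter/fib checks on this host.
  add_input_rule ip saddr "$MYIP" accept || rc=$?
  # Allow ICMP.  The protocol match is essential: without it this rule
  # would accept *all* traffic to the address and make every later rule moot.
  add_input_rule ip daddr "$MYIP" ip protocol icmp accept || rc=$?
  # Allow ports >1024: TCP only when the packet is not a connection-opening
  # SYN ("tcp flags & syn != syn"); UDP unconditionally.
  add_input_rule ip daddr "$MYIP" tcp dport 1024-65535 tcp flags \& syn != syn accept || rc=$?
  add_input_rule ip daddr "$MYIP" udp dport 1024-65535 accept || rc=$?
  return "$rc"
}

#######################################
# Populate the input chain: loopback, service ports, FTP tracking, then the
# per-address rules (my_ip) for every non-loopback IPv4 address that is up.
# Globals:   PATH (read)
# Outputs:   diagnostics on stderr for rejected rules / no address found
# Returns:   0 if every rule was added, else the status of the last failure
#######################################
start_firewall() {
  local rc=0
  local addrs addr

  # Allow everything from localhost
  add_input_rule ip saddr 127.0.0.1 accept || rc=$?

  # Specifically block access to NFS and XWindows. Necessary because these
  # are ports >1024 and would otherwise be accepted by the rules in my_ip.
  add_input_rule tcp dport 2049 drop || rc=$?
  add_input_rule udp dport 2049 drop || rc=$?
  add_input_rule tcp dport 6000-6063 drop || rc=$?
  add_input_rule udp dport 6000-6063 drop || rc=$?

  # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
  add_input_rule tcp dport 22 accept || rc=$?
  add_input_rule tcp dport 25 accept || rc=$?
  add_input_rule tcp dport 53 accept || rc=$?
  add_input_rule udp dport 53 accept || rc=$?
  # NOTE(review): this matches only the remote *source* port, so any host can
  # reach local UDP ports >1024 by sending from port 53; matching the DNS
  # reply with "ct state established" instead would be tighter.
  add_input_rule udp sport 53 udp dport 1024-65535 accept || rc=$?
  add_input_rule tcp dport 80 accept || rc=$?
  add_input_rule tcp dport 113 accept || rc=$?
  add_input_rule tcp dport 123 accept || rc=$?
  add_input_rule udp dport 123 accept || rc=$?
  add_input_rule tcp dport 137-139 accept || rc=$?
  add_input_rule udp dport 137-139 accept || rc=$?
  add_input_rule tcp dport 443 accept || rc=$?
  add_input_rule tcp dport 445 accept || rc=$?
  add_input_rule udp dport 1194 accept || rc=$?
  add_input_rule tcp dport 9418 accept || rc=$?

  # FTP
  add_input_rule tcp dport 20 accept || rc=$?
  add_input_rule tcp dport 21 accept || rc=$?
  # Allow ftp-data for active connections (superseded by the ct rules below)
  #add_input_rule tcp sport 20 tcp dport 1024-65535 accept
  # Track FTP connections to allow active and passive mode FTP
  add_input_rule tcp sport 20 ct state established,related accept || rc=$?
  add_input_rule tcp dport 20 ct state established,related accept || rc=$?
  add_input_rule tcp sport 21 ct state new,established accept || rc=$?
  add_input_rule tcp dport 21 ct state established,related accept || rc=$?
  add_input_rule tcp sport 1024-65535 ct state established,related accept || rc=$?
  add_input_rule tcp dport 1024-65535 ct state established,related accept || rc=$?

  # Per-address rules for every IPv4 address on an "up" interface, except
  # loopback (already handled above).  Field $4 of "ip -o -4 addr" is
  # ADDR/PREFIX; awk strips the prefix length.
  addrs=$(ip --oneline -4 address show up \
    | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
  if [ -z "$addrs" ]; then
    printf 'firewall: no non-loopback IPv4 address found; per-host rules not added\n' >&2
  fi
  # Word-splitting of $addrs is intentional: one dotted-quad per line, and
  # addresses never contain whitespace.
  # shellcheck disable=SC2086
  for addr in $addrs; do
    my_ip "$addr" || rc=$?
  done
  return "$rc"
}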