# ferm ruleset for the `filter` table.
# INPUT and FORWARD are default-deny; OUTPUT is default-accept.
# No `domain` keyword is given, so ferm applies this to its default domain (IPv4).
# NOTE(review): nothing here covers IPv6. If the host has IPv6 connectivity,
# confirm that a matching `domain ip6` ruleset exists elsewhere.
table filter {
    chain INPUT {
        # Default deny: any inbound packet not accepted by a rule below is dropped.
        policy DROP;

        # Connection tracking: drop packets conntrack marks INVALID, then accept
        # traffic that belongs to, or is related to, a connection already allowed.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # Allow all traffic arriving on the loopback interface.
        interface lo ACCEPT;

        # Respond to ping.
        # NOTE(review): this rule has no icmp-type match, so it accepts every ICMP
        # type from any source, not only echo-request. ICMP errors for existing
        # flows are already covered by the RELATED rule above. Narrow this if
        # only ping is intended.
        proto icmp ACCEPT;

        # IPsec is currently NOT allowed: both rules below are commented out, so
        # IKE (udp/500), ESP and AH fall through to the DROP policy.
        #proto udp dport 500 ACCEPT;
        #proto (esp ah) ACCEPT;

        # Management access, restricted by source address. Despite the original
        # "allow (SSH) connections" label, this admits https, ssh, 8006, 3128 and
        # 5900-5999 over TCP from every listed source.
        # NOTE(review): 8006, 3128 and 5900:5999 look like a hypervisor web UI, a
        # proxy and VNC console ports. Confirm each one must be reachable.
        # NOTE(review): 91.219.244.0/22 and 193.86.95.165 are not RFC 1918 ranges.
        # Confirm the whole /22 is trusted for console and SSH access, or split
        # the rule so the wider sources only reach the ports they need.
        # NOTE(review): 127.0.0.0/8 appears redundant, because loopback traffic is
        # already accepted by `interface lo ACCEPT` above.
        proto tcp saddr (10.32.0.0/15 127.0.0.0/8 91.219.244.0/22 193.86.95.165) dport (https ssh 8006 3128 5900:5999) ACCEPT;
    }

    chain OUTPUT {
        # Default accept: there is no egress filtering on locally generated traffic.
        policy ACCEPT;

        # Connection tracking. The INVALID drop is disabled for outbound packets.
        # With policy ACCEPT and no DROP rule in this chain, the ESTABLISHED/RELATED
        # accept below does not change the verdict. It only matters if a restrictive
        # rule or policy is added later.
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }

    chain FORWARD {
        # Default deny for routed traffic.
        policy DROP;

        # Connection tracking only: no rule in this chain accepts NEW forwarded
        # connections.
        # NOTE(review): as written, this chain appears to drop all routed traffic,
        # unless flows are accepted by rules defined outside this file. Confirm
        # that is intended.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}