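{#
  IPv4 filter table in iptables-restore format, rendered through Ansible
  (it relies on the dig lookup and the ipv4 / ipv6 filters).

  Variables read here:
    firewall_raw  optional list of strings, written out verbatim as rule lines
    firewall_in   list of items with .proto and .port, plus an optional .from
                  list of source addresses or hostnames; it is used without an
                  "is defined" guard, so it has to be set

  Block tags are kept at column 0 so that no leading whitespace ends up in
  front of the rendered rules.
#}
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
{#
  The INPUT policy is ACCEPT: inbound traffic is only denied by the final
  REJECT rule of the chain, so every rule generated below must stay above it.
#}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{#
  firewall_raw is copied into the ruleset without any validation and is
  evaluated before the generated allow rules and the final REJECT. Whoever
  controls this variable controls the firewall, so keep it in trusted
  inventory and review changes to it like changes to this template.
#}
{% if firewall_raw is defined %}
{% for raw_rule in firewall_raw %}
{{ raw_rule }}
{% endfor %}
{% endif %}
{#
  One ACCEPT rule per (source, proto, port). rule.proto and rule.port are
  interpolated as given; nothing here checks that they are a valid protocol
  name or port.
#}
{% for rule in firewall_in %}
{% if rule.from is defined %}
{% for source in rule.from %}
{#
  Literal addresses are used as they are. Anything else is treated as a
  hostname and resolved with the dig lookup while the template is rendered,
  which has two consequences for the allow-list:
    - it contains whatever the resolver answered at render time, so it is
      only as trustworthy as that DNS path and goes stale when the record
      changes, until the template is rendered again;
    - a plain lookup() joins several A records into one comma-separated
      string, which fails the ipv4 test and used to drop the rule silently.
      wantlist=True returns the records as a list so each one gets a rule.
  A failed lookup (for example an NXDOMAIN answer) and IPv6 sources still
  produce no rule: this file only describes the IPv4 table.
  NOTE(review): no IPv6 counterpart is visible here - confirm one exists.
#}
{% if source | ipv4 or source | ipv6 %}
{% set candidates = [source] %}
{% else %}
{% set candidates = lookup('dig', source, wantlist=True) %}
{% endif %}
{% for candidate in candidates %}
{% if candidate | ipv4 %}
-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} -s {{ candidate }} --dport {{ rule.port }} -j ACCEPT
{% endif %}
{% endfor %}
{% endfor %}
{% else %}
{# No source restriction: the port is opened to every IPv4 sender. #}
-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} --dport {{ rule.port }} -j ACCEPT
{% endif %}
{% endfor %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT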