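*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ============================================================
# INPUT chain for a Nebula-connected VM.
# Ansible/Jinja2 template rendered into iptables-restore format.
#
# Design: the chain policy is DROP and the chain ends with an explicit
# DROP, so anything not matched by an ACCEPT below is discarded.
# Rule order matters - the first matching rule wins.
# ============================================================

# Allow established and related connections (replies to this host's
# own outbound traffic, plus ICMP errors tied to a tracked flow)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow all traffic on the Nebula interface (encrypted overlay).
# This is a blanket ACCEPT for every Nebula peer; any per-peer or
# per-port restriction on overlay traffic must come from elsewhere,
# not from this table.
-A INPUT -i nebula1 -j ACCEPT

# ============================================================
# Bridge network rules (192.168.100.0/24, as set by bridge_network)
# Only allow the Proxmox host - block all other VMs on the bridge
# ============================================================
# Allow Proxmox host for management/Ansible.
# Matches on source address only (any interface, any protocol/port).
-A INPUT -s {{ proxmox_host_ip }} -j ACCEPT

# Allow Nebula UDP from the lighthouse (required for overlay connectivity)
-A INPUT -s {{ lighthouse_bridge_ip }} -p udp --dport 4242 -j ACCEPT

# DROP everything else from the bridge network (force Nebula for inter-VM).
# Must stay after the two ACCEPTs above and before the public-port rules
# below, otherwise other VMs on the bridge could reach the game ports.
-A INPUT -s {{ bridge_network }} -j DROP

# ============================================================
# Caddy-proxied ports (reverse proxy traffic over Nebula)
# These ports are NOT public: no rule below accepts them from the
# internet or the bridge. The rules are pinned to -i nebula1 so that a
# packet arriving on another interface with a spoofed Caddy source
# address cannot match them. Because the blanket nebula1 ACCEPT above
# already admits overlay traffic, these rules mainly record intent and
# keep the ports reachable if that blanket rule is ever tightened.
# ============================================================
{% if caddy_proxied_ports_tcp is defined %}
# Web services proxied through Caddy (Nebula only)
{% for port in caddy_proxied_ports_tcp %}
-A INPUT -i nebula1 -s {{ caddy_nebula_ip }} -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if caddy_proxied_ports_udp is defined %}
# UDP services proxied through Caddy (Nebula only)
{% for port in caddy_proxied_ports_udp %}
-A INPUT -i nebula1 -s {{ caddy_nebula_ip }} -p udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# ============================================================
# Public-facing ports (for DNAT'd traffic from the internet)
# Accepted from any remaining source; bridge-network sources were
# already dropped above.
# ============================================================
{% if game_ports_tcp is defined %}
# Game server TCP ports (internet -> Proxmox DNAT -> VM)
{% for port in game_ports_tcp %}
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if game_ports_udp is defined %}
# Game server UDP ports (internet -> Proxmox DNAT -> VM)
{% for port in game_ports_udp %}
-A INPUT -p udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# ============================================================
# Default deny - drop everything not explicitly allowed.
# Redundant with the chain policy (:INPUT DROP) but explicit, and it
# shows up as its own rule with its own packet counter.
# ============================================================
-A INPUT -j DROP
COMMIT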