{

  networking.firewall.enable = false;
  networking.nftables.enable = true;

  # fules for the firewall
  # beware of EOL conversion.
  networking.nftables.ruleset =
    ''
    # Check out https://wiki.nftables.org/ for better documentation.
    # Table for both IPv4 and IPv6.
    table ip nat {
    	chain prerouting {
    		type nat hook prerouting priority dstnat; policy accept;

    		# forward anything with port 2222 to this specific ip
    		# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22

    		# forward http/s traffic from 76 to 123
    		# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
    		# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
    	}

    	chain postrouting {
    		type nat hook postrouting priority srcnat; policy accept;

    		# the internal network
    		ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
    	}

    	chain output {
    		type nat hook output priority -100; policy accept;
    	}
    }

    table ip filter {
    	chain input {
    		type filter hook input priority filter; policy accept;
    		tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
    		tcp dport 22 counter packets 0 bytes 0 accept
    	}

    	chain forward {
    		type filter hook forward priority filter; policy drop;
    		counter packets 0 bytes 0 jump rejects

        # accept these ip/ports
    		# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept

    		counter packets 0 bytes 0 reject with icmp type admin-prohibited
    	}

    	chain output {
    		type filter hook output priority filter; policy accept;

    		# no outgoing limits (for now)
    	}

    	chain fail2ban-ssh {
    	  # ban these
    		# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
    		counter packets 0 bytes 0 return
    	}

    	chain rejects {
    	  # Reject all these
    		# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
    	}
    }
    '';


}