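# iptables-restore ruleset for the IPv4 filter table, rendered from a Jinja2
# template.
# Inputs:  firewall_tcp_ports / firewall_udp_ports - lists of destination ports
#          (a "lo:hi" range is also accepted by --dport); both default to [].
#          They MUST be lists: Jinja iterates a bare string such as "22" one
#          character at a time and renders broken rules. Values are inserted
#          unquoted, so keep them to validated port numbers/ranges.
# Scope:   v4 only. Nothing here touches ip6tables, so IPv6 INPUT keeps whatever
#          policy the host already has - TODO confirm a matching v6 ruleset.
*filter
# Default-deny inbound and forwarded traffic; outbound is unrestricted.
# Hosts that route or run container runtimes need explicit FORWARD rules.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Always allow loopback
-A INPUT -i lo -j ACCEPT
# Accept already established/related
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop invalid early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# There is no ICMP rule: unsolicited inbound ICMP (e.g. echo-request) falls
# through to the DROP policy. ICMP errors belonging to a tracked flow are
# classified RELATED and are already accepted above.
# Allow TCP ports from vars. Only connection-opening segments (SYN, ctstate NEW)
# are accepted here; anything mid-stream must already be ESTABLISHED above, so
# stray non-SYN segments to an open port are dropped instead of accepted.
{% for p in firewall_tcp_ports | default([]) %}
-A INPUT -p tcp --syn --dport {{ p }} -m conntrack --ctstate NEW -j ACCEPT
{% endfor %}
# Allow UDP ports from vars (first datagram of a flow; replies are ESTABLISHED)
{% for p in firewall_udp_ports | default([]) %}
-A INPUT -p udp --dport {{ p }} -m conntrack --ctstate NEW -j ACCEPT
{% endfor %}
# add further custom rules below
COMMIT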