# This file is managed by Saltstack. (State {{ STATE }})

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

{% for port in ALLOWED_PORTS %}
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}

COMMIT