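# Host firewall ruleset (nftables, legacy "hook NF_INET_*" syntax).
#
# Declares one "filter" table with a default-drop input chain and a
# default-drop output chain:
#   inbound  - reply/related traffic, SSH from the allow-list, and $httpport
#              from $sshclient are accepted; everything else is dropped
#              (including ICMP echo requests, since no rule accepts icmp).
#   outbound - only reply/related traffic is accepted, so this host cannot
#              open *new* outbound connections (no DNS lookups, no package
#              updates). That is the policy as written; relax "chain output"
#              if it is not what is wanted.
#
# NOTE(review): no address family is given on "table filter", so only the
# family nft defaults to (IPv4 - all matches below are "ip saddr") is
# filtered; IPv6 is not touched by this file. Confirm that is intended.

# Hosts allowed to reach the SSH port.
define sshclient = 192.168.56.1
define foo = 2.2.2.2
define localnet = 192.168.1.0/24
define allowed_ssh_hosts = { $sshclient, $foo, $localnet }

# Service ports.
define sshport = 22
define httpport = 999

# Start from an empty table so re-loading this file does not stack a second
# copy of every rule onto the existing chains.
# NOTE(review): on a host where the table does not exist yet these two
# statements may report an error; confirm the behaviour for your nft version.
flush table filter
delete table filter

table filter {
    chain input {
        hook NF_INET_LOCAL_IN 0

        # Loopback exemption. Without it a new connection to 127.0.0.1
        # (local resolver, local daemons) is "ct state new", matches no
        # accept rule, and is dropped by the final rule.
        iif lo accept

        # Replies and related traffic (e.g. ICMP errors for existing flows).
        ct state related,established accept

        # New SSH sessions only from the allow-list
        # (equivalent inline form: ip saddr { $sshclient, $foo, $localnet } ...).
        ip saddr $allowed_ssh_hosts tcp dport $sshport ct state new accept

        # New connections to $httpport only from the primary admin host.
        ip saddr $sshclient tcp dport $httpport ct state new accept

        # Default deny for everything else.
        drop
    }

    chain output {
        hook NF_INET_LOCAL_OUT 0

        # Same loopback exemption on the way out; the SYN of a local
        # connection leaves via lo before any reply exists.
        oif lo accept

        # Only replies to already-accepted connections leave the host.
        ct state related,established accept

        # Default deny: no new outbound connections.
        drop
    }
}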