flush ruleset table inet filter { chain input { type filter hook input priority filter; policy accept; ct state { established, related } accept ct state invalid drop iifname "lo" accept ip protocol icmp accept meta l4proto ipv6-icmp accept tcp dport 22 accept accept } chain forward { type filter hook forward priority filter; policy accept; accept } chain output { type filter hook output priority filter; policy accept; } } table ip io.systemd.nat { set masq_saddr { type ipv4_addr flags interval elements = { 10.0.0.0/24 } } map map_port_ipport { type inet_proto . inet_service : ipv4_addr . inet_service } chain prerouting { type nat hook prerouting priority dstnat + 1; policy accept; fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport } chain output { type nat hook output priority -99; policy accept; ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport } chain postrouting { type nat hook postrouting priority srcnat + 1; policy accept; ip saddr @masq_saddr masquerade } } table ip6 io.systemd.nat { set masq_saddr { type ipv6_addr flags interval } map map_port_ipport { type inet_proto . inet_service : ipv6_addr . inet_service } chain prerouting { type nat hook prerouting priority dstnat + 1; policy accept; fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport } chain output { type nat hook output priority -99; policy accept; ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport } chain postrouting { type nat hook postrouting priority srcnat + 1; policy accept; ip6 saddr @masq_saddr masquerade } }