flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ip protocol icmp accept

    ct state {established, related} accept
    ct state invalid drop

    iifname lo accept
    iifname port0 accept
    iifname port1 accept

    reject
  }

  chain forward {
    type filter hook forward priority 0;

    iifname port0 jump forward_port0
    iifname port1 jump forward_port1
    iifname port2 jump forward_port2
  }
  chain forward_port0 {
    oifname port2 accept
    reject
  }
  chain forward_port1 {
    oifname port2 accept
    reject
  }
  chain forward_port2 {
    ct state related, established accept
    drop
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }

  chain postrouting {
    type nat hook postrouting priority 0;

    oifname port2 masquerade
  }
}