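# IPv4 firewall and NAT for a WireGuard gateway.
#
# Scope: this table is family "ip", so only IPv4 packets are evaluated here.
# IPv6 traffic is not filtered by anything in this file; if the host has IPv6
# connectivity it needs its own ip6/inet rules.
#
# $SSH_PORT and "$iface" are placeholders. Presumably they are substituted by
# a shell/template step before the file is handed to nft -- TODO confirm, since
# nft does not expand a variable written inside double quotes.

# Declare the table (a no-op if it already exists), then delete it, so the
# definition below always starts from an empty table and the load is repeatable.
table ip wg {}; delete table ip wg

table ip wg {
	chain input {
		type filter hook input priority filter; policy drop;

		ct state invalid counter drop
		ct state {established,related} counter accept
		iif "lo" counter accept
		# Only "icmp" is matched: icmpv6 cannot occur as a legitimate IPv4
		# protocol, and IPv6 packets never reach an "ip" family table.
		# NOTE(review): this accepts every ICMP type; narrow it with
		# "icmp type { ... }" if only echo/error messages are wanted.
		ip protocol icmp counter accept
		tcp dport $SSH_PORT counter accept comment "ssh"
		# WireGuard listener, reachable only through the uplink interface.
		iif "$iface" udp dport 443 counter accept comment "wg"
		# Counts whatever falls through to the drop policy.
		counter comment "dropped"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		# wg0 is matched by name (iifname/oifname) rather than by interface
		# index, so the rules keep matching after the tunnel interface is
		# recreated and the file still loads when wg0 does not exist yet.
		iifname "wg0" counter accept
		# NOTE(review): this accepts any forwarded packet leaving through wg0,
		# whatever its ingress interface or connection state. If peers should
		# only receive replies, restrict it to ct state established,related.
		oifname "wg0" counter accept
		counter comment "dropped"
	}

	chain output {
		type filter hook output priority filter; policy accept;

		counter comment "accepted"
	}

	chain postrouting {
		# NOTE(review): a nat chain is consulted only for the first packet of a
		# flow, so "policy drop" here is not a dependable filter. It also
		# applies to locally generated flows leaving through any interface
		# other than the two below (presumably including lo) -- confirm this is
		# intended; filtering normally belongs in the filter chains.
		type nat hook postrouting priority srcnat; policy drop;

		oif "$iface" counter masquerade
		# Traffic entering the tunnel is masqueraded as well, so peers see the
		# gateway's tunnel address instead of the original source.
		oifname "wg0" counter masquerade
		counter comment "dropped"
	}
}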