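{ config, lib, pkgs, ... }:
let
  # Host behind this relay that actually serves every port listed below.
  # The NAT rules use plain `iptables`, so they are IPv4-only: IPv6 clients
  # are not forwarded to it.
  backend = "10.100.0.2";

  # TCP ports opened on this host and DNAT'd to `backend`.  A single list
  # feeds both allowedTCPPorts and the NAT rules so the two cannot drift
  # apart (the previous version kept two hand-maintained copies).
  tcpPorts = [
    80    # HTTP
    443   # HTTPS
    25    # SMTP  (explicit TLS => STARTTLS)
    465   # ESMTP (implicit TLS)
    587   # ESMTP (explicit TLS => STARTTLS)
    143   # IMAP4 (explicit TLS => STARTTLS)
    993   # IMAP4 (implicit TLS)
    4190  # Sieve support
    42420 # Vintage Story
    25565 # Minecraft
    1443  # Headscale DERP
    4443  # jitsi-jvb
    5222  # Jitsi
    5347  # Jitsi
    5280  # Jitsi
  ];

  # UDP ports, same treatment.
  udpPorts = [
    3478  # Headscale DERP UDP
    10000 # Jitsi
  ];

  # iptables commands for one forwarded port.  `verb` is "-A" when the rules
  # are installed and "-D" when they are removed.
  # - PREROUTING DNAT sends inbound packets for `port` to the backend.
  # - POSTROUTING MASQUERADE is restricted to `-d backend` (the destination
  #   after DNAT) so unrelated traffic leaving on the same port is not
  #   rewritten.  MASQUERADE replaces the client's source address with this
  #   host's, so the backend sees every connection as coming from the relay
  #   and cannot apply per-client controls (rate limiting, blocking an
  #   abusive SMTP sender, ...); keep that in mind when tuning the backend.
  # - The FORWARD ACCEPT admits only NEW flows to `backend` on `port`;
  #   replies are covered by the ESTABLISHED,RELATED rule in `rules`.  It is
  #   a no-op when the FORWARD policy is already ACCEPT.
  portRules = verb: proto: port: [
    "iptables -t nat ${verb} PREROUTING  -p ${proto} --dport ${toString port} -j DNAT --to-destination ${backend}"
    "iptables -t nat ${verb} POSTROUTING -p ${proto} --dport ${toString port} -d ${backend} -j MASQUERADE"
    "iptables ${verb} FORWARD -p ${proto} --dport ${toString port} -d ${backend} -m conntrack --ctstate NEW -j ACCEPT"
  ];

  # Every rule this module owns, in installation order.  The conntrack rule
  # appears once (the original listed it twice by mistake).
  rules = verb:
    [ "iptables ${verb} FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" ]
    ++ builtins.concatMap (portRules verb "tcp") tcpPorts
    ++ builtins.concatMap (portRules verb "udp") udpPorts;

  install = builtins.concatStringsSep "\n" (rules "-A");

  # Removal must not abort the script on a rule that is already gone.
  remove = builtins.concatStringsSep "\n"
    (map (rule: "${rule} 2>/dev/null || true") (rules "-D"));
in
{
  # NOTE(review): DNAT'd packets traverse FORWARD rather than INPUT, so these
  # INPUT openings only matter for services this host answers itself — confirm
  # they are still needed.  Unlike the NAT rules they apply to IPv4 and IPv6.
  networking.firewall.allowedUDPPorts = udpPorts;
  networking.firewall.allowedTCPPorts = tcpPorts;

  # Delete before appending so re-running the script (e.g. a firewall reload)
  # does not stack a second copy of every rule on top of the first.
  # Forwarding also assumes net.ipv4.ip_forward is enabled elsewhere (for
  # example via networking.nat) — TODO confirm.
  networking.firewall.extraCommands = ''
    ${remove}
    ${install}
  '';

  # Undo our rules when the firewall stops instead of leaving them behind.
  networking.firewall.extraStopCommands = remove;
}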