{ config, lib, pkgs, ... }: {
  # UDP ports accepted by the NixOS firewall on this host (INPUT chain).
  # NOTE(review): both ports are also DNATed to 10.100.0.2 by
  # networking.firewall.extraCommands. DNATed packets are routed through
  # FORWARD, not INPUT, so confirm these openings are still needed here.
  networking.firewall.allowedUDPPorts = [
    10000 # Jitsi
    3478  # Headscale DERP UDP
  ];
  # TCP ports accepted by the NixOS firewall on this host (INPUT chain),
  # grouped by the service they front. List order has no effect on the
  # generated rules.
  networking.firewall.allowedTCPPorts = [
    # --- Web (relayed to 10.100.0.2 by xinetd) ---
    80    # HTTP
    443   # HTTPS

    # --- Mail (relayed to 10.100.0.2 by xinetd) ---
    25    # SMTP  (explicit TLS => STARTTLS)
    465   # ESMTP (implicit TLS)
    587   # ESMTP (explicit TLS => STARTTLS)
    143   # IMAP4 (explicit TLS => STARTTLS)
    993   # IMAP4 (implicit TLS)
    4190  # Sieve support

    # --- Games (relayed to 10.100.0.2 by xinetd) ---
    25565 # Minecraft
    42420 # Vintage Story

    # --- Headscale ---
    # NOTE(review): this file defines neither an xinetd redirect nor a
    # port-specific DNAT rule for 1443; confirm what is expected to answer
    # on it (a local listener, or the catch-all DNAT in extraCommands).
    1443  # Headscale DERP

    # --- Jitsi (DNATed to 10.100.0.2 in extraCommands) ---
    # NOTE(review): 5222, 5280 and 5347 look like the XMPP client, HTTP/BOSH
    # and component ports of the Jitsi XMPP server. Those are normally only
    # needed between Jitsi components; confirm they must be reachable from
    # the internet, otherwise drop them here and from the DNAT rules.
    4443  # jitsi-jvb
    5222  # Jitsi
    5280  # Jitsi
    5347  # Jitsi
  ];
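  # NAT rules that publish the backend 10.100.0.2 behind this host.
  #
  # Fix: the original used plain `iptables -A`. The NixOS firewall runs
  # extraCommands every time the firewall service starts or reloads, and
  # (as far as the firewall module goes) only its own nixos-fw chains are
  # flushed in between, so each reload appended another copy of every
  # nat/FORWARD rule. Rules are now added only when an identical rule is
  # not already present (`iptables -C`).
  #
  # NOTE(review): the first DNAT rule matches every protocol and port sent
  # to 172.234.84.222. allowedTCPPorts/allowedUDPPorts only govern INPUT,
  # and nothing in this file restricts NEW connections in FORWARD, so the
  # backend's own firewall is presumably the only filter for that address.
  # It also makes the port-specific DNAT rules redundant for that address.
  # Confirm this exposure is intended, or narrow the rule to the published
  # ports.
  #
  # NOTE(review): the MASQUERADE rules are not limited by destination or
  # interface. For the listed ports the backend sees this host as the source
  # of every connection, so per-client logging, rate limiting and banning on
  # the backend cannot use the real client address.
  #
  # NOTE(review): these rules are never removed; if that matters, add the
  # matching `-D` commands to networking.firewall.extraStopCommands.
  networking.firewall.extraCommands = ''
    fwd_backend=10.100.0.2
    fwd_public=172.234.84.222

    # ensure_rule TABLE CHAIN RULE-SPEC...
    # Append the rule unless an identical one already exists, so that
    # re-running this script does not pile up duplicates.
    ensure_rule() {
      local table="$1" chain="$2"
      shift 2
      iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
    }

    # forward_port PROTO PORT
    # DNAT the port to the backend and masquerade the forwarded traffic.
    forward_port() {
      ensure_rule nat PREROUTING  -p "$1" --dport "$2" -j DNAT --to-destination "$fwd_backend"
      ensure_rule nat POSTROUTING -p "$1" --dport "$2" -j MASQUERADE
    }

    # 1:1 NAT between the public address and the backend.
    ensure_rule nat    PREROUTING  -d "$fwd_public"  -j DNAT --to-destination "$fwd_backend"
    ensure_rule nat    POSTROUTING -s "$fwd_backend" -j SNAT --to-source      "$fwd_public"
    ensure_rule filter FORWARD     -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Per-port forwards (same order as before).
    forward_port udp 10000
    forward_port udp 3478
    forward_port tcp 4443
    forward_port tcp 5222
    forward_port tcp 5347
    forward_port tcp 5280
  '';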

  # xinetd is used purely as a TCP relay: every service below accepts a
  # connection on this host and redirects it to the same port on 10.100.0.2.
  #
  # NOTE(review): a redirect opens a new TCP connection from this host, so
  # the backend sees this host as the peer, not the real client. For the
  # mail ports, verify the mail server does not treat this host's address as
  # a trusted network (open-relay risk) and that any source-address based
  # checks (blocklists, rate limits, banning) are not expected to work there.
  #
  # NOTE(review): the mail service names contain a space ("mail 25"); verify
  # how xinetd parses the resulting `service` line, or consider "mail-25".
  services.xinetd =
    let
      backend = "10.100.0.2";

      # The NixOS module needs a `server` path even though a redirect never
      # executes it.
      placeholderServer = "/usr/bin/env"; # Placeholder.

      # xinetd directive relaying a connection to `port` on the backend.
      redirectTo = port: "redirect = ${backend} ${toString port}";

      # Relay for a well-known service; no explicit port is set, so the
      # listening port presumably comes from the service name.
      wellKnown = name: port: {
        inherit name;
        server = placeholderServer;
        extraConfig = redirectTo port;
      };

      # Relay for a service given by explicit TCP port number.
      unlistedTcp = name: port: {
        inherit name port;
        protocol = "tcp";
        unlisted = true;
        server = placeholderServer;
        extraConfig = redirectTo port;
      };

      # Mail relays are named "mail <port>".
      mail = port: unlistedTcp "mail ${toString port}" port;
    in
    {
      enable = true;
      services = [
        (wellKnown "http" 80)
        (wellKnown "https" 443)
        (unlistedTcp "minecraft" 25565)
        (unlistedTcp "vintage-story" 42420)

        ################################################ mail
        (mail 25)
        (mail 465)
        (mail 587)
        (mail 143)
        (mail 993)
        (mail 4190)
        ################################################ /mail
      ];
    };
}