flush ruleset

table ip firewall4 {
	# Named counter, referenced by the SSH rule below
	counter test {
	}

	chain input {
		type filter hook input priority 0; policy drop;

		ct state established,related accept
		icmp type echo-request accept
		iifname lo accept

		# The counter comes before the verdict: accept is terminal,
		# and nft rejects any statement placed after it in a rule.
		ip saddr 192.168.0.0/24 \
			tcp dport 22 \
			counter name test \
			accept \
			comment "Allow connect to SSH server from local network"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}