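# Oneshot unit that disables SSH/telnet entry points and loads the saved
# iptables/ip6tables rule sets so that only WireGuard remains reachable
# (per the Description; the actual policy lives in /etc/iptables/rules.v4
# and rules.v6, which are not shown here).
[Unit]
Description=Apply strict firewall - WireGuard only
# NOTE(review): ordering after network.target and wg-quick@wg0 means the
# interfaces are already up when the rules are loaded, so there is a short
# window at boot with whatever rules were active before. Confirm this is
# acceptable for the host.
After=network.target wg-quick@wg0.service

[Service]
Type=oneshot
# systemd does not run ExecStart= through a shell: "2>/dev/null || true"
# would be handed to the program as literal arguments, the command would
# fail, and a failed ExecStart= in a oneshot unit stops the remaining
# ExecStart= lines from running -- the firewall rules would never load.
# The "-" prefix is the systemd way to tolerate a non-zero exit status.
# Command output goes to the journal instead of being discarded.
ExecStart=-/bin/systemctl mask ssh.service sshd.service telnet.socket
ExecStart=-/bin/systemctl stop ssh.service sshd.service
# No "-" prefix: a failure to load the IPv4 rules must fail the unit so it
# is visible in "systemctl status" rather than silently ignored.
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
# Failure is tolerated here, as the original intended. If rules.v6 is
# missing or invalid, IPv6 filtering stays at its previous state; verify
# that IPv6 is disabled or filtered by other means on this host.
ExecStart=-/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target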