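flush ruleset

table inet firewall {
    # Outbound: no egress filtering, every locally generated packet is accepted.
    chain outbound {
        type filter hook output priority 0; policy accept;
    }

    # Regular (unhooked) chain reached via the protocol vmap in `inbound`.
    # Rate-limits IPv4 echo requests; anything not matched here returns to
    # `inbound` and continues down that chain (ending at the logged drop).
    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }

    # Regular chain for IPv6. Neighbor Discovery is needed so the host can
    # resolve link-layer addresses and learn its routers; echo requests are
    # rate-limited as for IPv4. ICMPv6 error messages belonging to tracked
    # flows are already accepted by the `related` state in `inbound`.
    # NOTE(review): ND messages are link-local and are sent with hop limit 255
    # (RFC 4861); additionally matching `ip6 hoplimit 255` here would reject
    # ND forged from off-link -- confirm before tightening.
    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    # Inbound: default deny; only explicitly listed traffic is accepted.
    chain inbound {
        type filter hook input priority 0; policy drop;

        # Stateful filtering: replies to our own connections and related traffic
        # are accepted; packets conntrack cannot classify are dropped outright.
        ct state vmap { established: accept, related: accept, invalid: drop }

        # Loopback is trusted.
        iifname lo accept

        # Dispatch on layer-3 protocol; both chains return here when nothing matched.
        meta protocol vmap { ip: jump inbound_ipv4, ip6: jump inbound_ipv6 }

        # Public web services.
        tcp dport { 80, 443 } accept

        # SSH: throttle new connections to slow brute forcing; attempts beyond
        # the limit fall through to the logged drop below.
        tcp dport ssh ct state new limit rate 4/minute accept

        # Log denied traffic (including throttled ssh), but cap the log rate so a
        # remote flood cannot fill the kernel log / journal. `log` is a
        # non-terminating statement and the limit only gates the logging, so
        # every denied packet still reaches the unconditional counter/drop below.
        limit rate 10/minute burst 20 packets log prefix "[nftables] Inbound Denied: "
        counter drop
    }

    # This host is not a router: nothing is forwarded.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}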