#!/usr/bin/nft -f # ipv4/ipv6 Simple & Safe Firewall # you can find examples in /usr/share/nftables/ table inet filter { chain input { type filter hook input priority 0; # allow established/related connections ct state {established, related} accept # early drop of invalid connections ct state invalid drop # allow from loopback iifname lo accept # allow icmp ip protocol icmp accept ip6 nexthdr icmpv6 accept # allow ssh tcp dport ssh accept # everything else reject with icmpx type port-unreachable } chain forward { type filter hook forward priority 0; drop } chain output { type filter hook output priority 0; } } # vim:set ts=2 sw=2 et: