-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
- iif lo accept comment "accept localhost traffic"
- ct state invalid drop comment "drop invalid connections"
- ct state established, related accept comment "accept traffic originated from us"
- tcp dport 22 accept comment "accept SSH on default port"
- tcp dport 80 accept comment "accept HTTP on default port"
- tcp dport 443 accept comment "accept HTTPS on default port"
- ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy accept;
- }
-}