diff --git a/roles/nftables/templates/nftables.conf b/roles/nftables/templates/nftables.conf
index ab79445..586e0b4 100755
--- a/roles/nftables/templates/nftables.conf
+++ b/roles/nftables/templates/nftables.conf
@@ -11,31 +11,55 @@ table inet nat { } table inet filter { + set blackhole_ipv4 { + type ipv4_addr + timeout 30s + flags dynamic + } + + set blackhole_ipv6 { + type ipv6_addr + timeout 30s + flags dynamic + } + chain input { type filter hook input priority 0; policy drop; iif lo accept + # Block all IPs in blackhole + ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop + ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop + ct state invalid drop ct state { established, related } accept + # Prevent DDoS + # Rate limiting + meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr } + meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr } + # Max concurrent connections + meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } + meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } + # Allow ICMP - meta l4proto icmp limit rate 1/second accept - meta l4proto ipv6-icmp limit rate 1/second accept + meta l4proto icmp accept + meta l4proto ipv6-icmp accept # HTTP/S - tcp dport { http, https } limit rate 5/second accept + tcp dport { http, https } accept # SSH - tcp dport 995 limit rate 15/minute accept + tcp dport 995 accept # Syncthing - tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept - udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept + tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept + udp dport {{ ports['syncthing_udp'] }} accept # Coturn - tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } limit rate 5/second accept - udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } limit rate 5/second accept + tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] 
}} } accept + udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept } @@ -45,5 +69,9 @@ table inet filter { chain output { type filter hook output priority 0; policy accept; + + # Don't waste resources responding to blocked IPs + ip daddr @blackhole_ipv4 reject + ip6 daddr @blackhole_ipv6 reject } }
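Review bot: The blackhole rules placed at the top of `chain input` can lock out legitimate shared-IP sources, including the administrator's own address: a single NAT gateway fronting a few dozen browsers reaches `ct count over 100` or 50 new connections per second without any attack, and because the match is written as `ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop`, every retry from that address refreshes the 30s timeout, so the block lasts as long as clients keep retrying (same for the ipv6 pair). Consider a small trusted-source set accepted ahead of these rules, and whether a plain `ip saddr @blackhole_ipv4 drop` without the refresh is preferable so the penalty expires deterministically. The meter rules carry no verdict, so the packet that trips a threshold still falls through to the service accepts below; appending `drop` to each `add @blackhole_... { ... }` rule closes that gap. Dropping the ICMP rate limits also leaves echo traffic unbounded once conntrack treats repeated requests as established — as far as I can tell that bypasses the meters, which only see new flows — so a per-source limit before the accept, e.g. `meta l4proto icmp meter icmp4 { ip saddr limit rate over 10/second } drop` (example value), may be worth keeping.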
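Review bot: Rejecting outbound traffic to blackholed addresses in `chain output` widens the blast radius of spoofed-source floods: the meters in `chain input` populate the sets from the source address of untracked packets, which cannot be trusted, so a flood forging the address of a host this server depends on (upstream resolver, NTP, monitoring) would now also cut the server's own connections to that host for 30s, renewed for as long as the flood lasts. Unlike the input-side drop, `ip daddr @blackhole_ipv4 reject` sits under `policy accept` with no `ct state` guard, so it terminates already-established outbound sessions too, not just new ones. A short allowlist of critical peers checked before these two rejects, e.g. `ip daddr @trusted_ipv4 accept` backed by a matching set definition, would bound that risk; the same applies to the ipv6 line.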