#!/usr/sbin/nft -f

# Start from a clean slate so re-running the script does not duplicate rules.
flush ruleset

table inet filter {
    chain input {
        # Default-deny on input; everything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif lo accept

        # Stateful filtering: allow replies to connections we initiated,
        # drop packets that conntrack cannot associate with any flow.
        ct state established,related accept
        ct state invalid drop

        # Allow ICMP ping (IPv4 and IPv6), rate-limited to blunt ping floods
        icmp type echo-request limit rate 1/second accept
        icmpv6 type echo-request limit rate 1/second accept

        # SSH, served on non-standard port 995 in this ruleset (995 is the IANA POP3S port),
        # rate-limited to slow down brute-force login attempts
        tcp dport 995 limit rate 10/minute accept

        # HTTP and HTTPS, rate-limited
        tcp dport { http, https } limit rate 5/second accept

        # HTTP/3 (QUIC) on UDP 443, currently disabled
        # udp dport 443 limit rate 5/second accept
    }

    chain forward {
        # This host is not a router: refuse to forward anything in or out of eth0.
        type filter hook forward priority 0; policy accept;
        iif eth0 drop
        oif eth0 drop
    }

    chain output {
        # Outbound traffic is unrestricted.
        type filter hook output priority 0; policy accept;
    }
}