#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		ip6 nexthdr icmpv6 limit rate 10/second accept
		ip6 nexthdr icmpv6 drop
		ip protocol icmp icmp type timestamp-request drop
                ip protocol icmp limit rate 10/second accept
		ip protocol icmp drop
                ip protocol igmp limit rate 10/second accept
		ip protocol igmp drop

		iif "lo" accept
		ct state invalid drop
		ct state related,established accept

		udp dport dhcpv6-client accept

		tcp dport ssh accept

		ip protocol tcp reject with tcp reset
		reject
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}