#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall ruleset, loaded atomically with `nft -f`.
# Layout: one `inet` table (IPv4 + IPv6) holding the input policy and an
# empty, default-drop forward chain, plus a separate `ip` (IPv4-only) table
# with a second forward base chain that runs *before* it.
# Rules are first-match: order within a chain is significant.

# Remove any previous copy of these tables before redefining them so that
# re-loading the file does not append duplicate rules. `destroy` (unlike
# `delete`) does not error when the table is absent, so a first load works too.
# NOTE(review): `destroy` is a fairly recent nft verb (nft 1.0.7 / kernel 6.3 or
# later, to my knowledge); on older hosts use `flush ruleset` or `delete table`
# — confirm against the target nft/kernel versions.
destroy table inet filter
destroy table ip filter-custom

table inet filter {
  chain input {
    # Base chain on the input hook at the default filter priority (0).
    # Anything not explicitly accepted below ends in the drop policy.
    type filter hook input priority filter
    policy drop

    # Packets conntrack cannot classify are dropped before the state accept
    # below, so they cannot ride in as "established".
    ct state invalid drop comment "early drop of invalid connections"
    # Replies and related packets of connections already tracked (outbound
    # connections, ICMP errors, helper-opened flows) are allowed.
    ct state {established, related} accept comment "allow tracked connections"
    # Loopback traffic, matched by interface index.
    iif lo accept comment "allow from loopback"
    # `ip protocol` only examines the IPv4 header, so this is IPv4 ICMP only.
    # NOTE(review): every ICMP type is accepted with no rate limit. If this host
    # is exposed, consider restricting to echo-request/destination-unreachable/
    # time-exceeded/parameter-problem and rate-limiting echo-request.
    ip protocol icmp accept comment "allow icmp"
    # All ICMPv6, which IPv6 needs for neighbour discovery and PMTU discovery.
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    # New SSH connections from any source address.
    # NOTE(review): no source restriction or connection-rate limit on sshd;
    # a `ct state new limit rate ...` guard or a source set is worth considering
    # if the host is reachable from untrusted networks.
    tcp dport ssh accept comment "allow sshd"
    # For unicast packets that matched nothing above, send an explicit
    # admin-prohibited reject (icmpx picks ICMP or ICMPv6 to match the family),
    # but at most 5 per second, counted. Packets over that rate, and all
    # broadcast/multicast packets, fall through.
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    # Count everything that reaches the drop policy (useful when debugging with
    # `nft list chain inet filter input`).
    counter
  }

  chain forward {
    # Forward hook, priority filter + 1, no rules: every forwarded packet that
    # reaches this chain is dropped. Because this runs *after* the
    # `ip filter-custom forward` chain below (priority filter - 1), and an
    # `accept` verdict there is not final across base chains, nothing is
    # forwarded by this ruleset as written. Add accept rules here to allow
    # specific forwarding.
    type filter hook forward priority filter + 1; policy drop;
  }
}

# IPv4-only table (family `ip`); it does not see IPv6 traffic.
table ip filter-custom {
  chain forward {
    # Forward hook at priority filter - 1, i.e. evaluated before
    # `inet filter forward`. `accept` here only ends evaluation of *this*
    # chain; the packet still goes through `inet filter forward`, where it is
    # currently dropped by policy. `drop` below, by contrast, is final.
    type filter hook forward priority filter - 1; policy accept;
    # Replies to already-tracked flows (e.g. connections opened from the
    # 192.168.0.0/16 side) pass this chain, so the rule below only affects
    # packets that are not part of an existing connection.
    ct state established,related accept
    # Block IPv4 traffic originating in 172.16.0.0/12 and destined for
    # 192.168.0.0/16 that is not a reply to an existing connection.
    ip saddr 172.16.0.0/12 ip daddr 192.168.0.0/16 drop
  }
}