#! /usr/sbin/nft -f

# Replace the whole ruleset atomically. This removes every table currently
# loaded, including any that other services may have installed; those
# services need to reload their rules after this file is applied.
flush ruleset

# Site-specific definitions (sets, maps, extra tables) loaded before the
# filter table below. Anything in this directory is applied with the same
# privileges as this file, so it should be root-owned and not writable by
# other users.
include "/etc/nftables/include.d/*.conf"

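table inet filter {
    # Host firewall for both IPv4 and IPv6 (inet family). All three base
    # chains default to drop; each chain ends with a drop-in directory so
    # local policy can add rules without editing this file.
    chain input {
        type filter hook input priority 0; policy drop;

        # connection tracking: drop packets that do not belong to any known
        # flow, then accept replies and related traffic for flows that were
        # allowed when they were opened
        ct state invalid drop
        ct state established,related accept

        # allow local packets
        iifname lo accept

        # respond to ping (IPv4)
        icmp type echo-request accept

        # reject ident (TCP/113) rather than dropping it, so peers that
        # probe ident fail fast instead of waiting for a timeout
        tcp dport ident reject

        # minimal rules for ipv6: neighbour discovery, path MTU / error
        # reporting, ping, and router advertisements (nd-router-advert is
        # what enables SLAAC; remove it if this host must not autoconfigure).
        # NOTE(review): mld-listener-query is not accepted; on networks with
        # MLD snooping this may be needed for multicast reachability -
        # confirm against the deployment.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept

        # Apply extra rules, if any. They are evaluated in order here,
        # before the chain's drop policy applies.
        include "/etc/nftables/input.d/*.conf"
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # connection tracking
        ct state invalid drop
        ct state established,related accept

        # allow local packets (trailing ';' dropped for consistency with
        # the other rules; it was harmless but inconsistent)
        oifname lo accept

        # ICMP / ICMPv6. "meta l4proto" matches the transport protocol after
        # any IPv6 extension headers; the previous "ip6 nexthdr icmpv6" only
        # matched when ICMPv6 was the first header after the IPv6 header,
        # so ICMPv6 behind e.g. a hop-by-hop header was silently dropped.
        meta l4proto icmp accept
        meta l4proto icmpv6 accept

        # Ident (outbound queries to TCP/113)
        tcp dport ident accept

        # DNS
        udp dport domain accept
        tcp dport domain accept

        # HTTP
        tcp dport http accept

        # HTTPS
        tcp dport https accept

        # NTP
        udp dport ntp accept

        # Apply extra rules, if any
        include "/etc/nftables/output.d/*.conf"
    }

    chain forward {
        # Nothing is forwarded by default: only packets of already-tracked
        # flows and whatever forward.d adds are allowed through.
        type filter hook forward priority 0; policy drop;

        # connection tracking
        ct state invalid drop
        ct state established,related accept

        # Apply extra rules, if any
        include "/etc/nftables/forward.d/*.conf"
    }
}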

# vim: ai:expandtab:ts=4:sw=4