#!/usr/sbin/nft -f

# Discard every existing table and chain (in all address families) so the
# ruleset below replaces, rather than appends to, whatever is already loaded.
flush ruleset

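table inet filter {
    # Host firewall: default-deny on every base chain.  Each chain carries an
    # explicit "policy drop" so the ruleset fails closed even if the trailing
    # reject rule is edited out; the reject is kept so that peers and local
    # processes get an immediate error instead of waiting for a timeout.
    chain input {
        type filter hook input priority 0; policy drop;

        # Discard packets conntrack cannot attribute to any flow before
        # accepting replies that belong to an existing flow.
        ct state invalid drop
        ct state { established, related } accept

        # Accept loopback
        iif lo accept

        # Accept ICMP (all types; IPv6 neighbour/router discovery comes in here)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Accept incoming connections to these ports
        tcp dport { ssh } accept

        # Anything else is refused with an ICMP error rather than silently dropped.
        reject
    }
    chain forward {
        # This host does not route: refuse all transit traffic.
        type filter hook forward priority 0; policy drop;
        reject
    }
    chain output {
        type filter hook output priority 0; policy drop;

        ct state invalid drop
        ct state { established, related } accept

        # Accept loopback
        oif lo accept

        # IPv6 neighbour/router discovery and MLD are not connection-tracked,
        # so the solicitations and advertisements this host sends would
        # otherwise fall through to the final reject and the IPv6 destinations
        # below would be unreachable.  IPv4 needs no equivalent here: ARP is
        # outside the inet family and ICMP echo replies are tracked as
        # established.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, mld-listener-report } accept

        # Accept outgoing connections to these addresses.  Egress is pinned to
        # literal addresses and ports; no DNS or other outbound traffic is
        # permitted, so anything new must be added here explicitly.
        ip daddr { 89.58.34.6 } tcp dport { https } accept
        ip daddr { 89.58.34.6 } udp dport { ntp } accept
        ip6 daddr { 2a03:4000:64:8::1 } tcp dport { https } accept
        ip6 daddr { 2a03:4000:64:8::1 } udp dport { ntp } accept

        # Accept any connections by root user
        # (deliberately disabled: it would exempt every root-owned process
        # from the egress restrictions above)
        #meta skuid root accept

        # Refuse all other locally generated traffic so the originating
        # process sees an error immediately.
        reject
    }
}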