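#!/usr/sbin/nft -f
#
# Host firewall (inet family, IPv4 + IPv6). Inbound: accept loopback, traffic
# belonging to flows we already know, ping, anything from listed neighbour
# hosts, IPv6 neighbour discovery, and new connections to a fixed set of TCP
# services; drop everything else. No output or forward chain is declared, so
# those hooks are left unfiltered.

# Declare the table before flushing it so the flush cannot fail on a first
# load where the table does not exist yet (nft -f applies the file atomically).
table inet filter
flush table inet filter

# Hosts trusted for any inbound traffic (all protocols, all ports).
define V4_NEIGHBORS = {
    10.0.2.15,      # pretalx
}

# NOTE(review): an empty set used in a rule is rejected by some nft versions;
# if loading fails on the "ip6 saddr $V6_NEIGHBORS" rule, comment that rule
# out until there is at least one IPv6 neighbour to list here.
define V6_NEIGHBORS = {
}

table inet filter {
    chain input {
        # "policy drop" makes the default explicit instead of relying on the
        # last rule; the trailing "counter drop" is kept so drops stay counted.
        type filter hook input priority 0; policy drop;

        iif lo accept
        # Defence in depth: loopback destinations must never arrive on another
        # interface. Linux normally discards these as martians before this
        # hook, so the rule mainly documents intent and covers unusual
        # route_localnet-style configurations.
        iif != lo ip daddr 127.0.0.0/8 counter drop
        iif != lo ip6 daddr ::1 counter drop

        ct state established,related accept
        # Packets conntrack cannot tie to any flow (bad TCP flags, out of
        # window) are dropped before any accept rule below can match them.
        ct state invalid counter drop

        icmp type echo-request counter accept
        icmpv6 type echo-request counter accept

        ip saddr $V4_NEIGHBORS accept
        ip6 saddr $V6_NEIGHBORS accept

        # Accept neighbour discovery, otherwise IPv6 connectivity breaks.
        # Valid NDP carries hop limit 255 (RFC 4861, never forwarded), so a
        # lower hop limit identifies an off-link forgery; the kernel's ndisc
        # code is expected to enforce the same check, this just mirrors it.
        # ICMPv6 errors (packet-too-big etc.) for existing flows are accepted
        # through "ct state related" above. MLD queries are not accepted here,
        # which may matter on switches doing MLD snooping — confirm on the
        # target network before adding mld-listener-query.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hlim 255 accept

        # Public services: ssh, http, https, smtp, imap, imaps. Numeric ports
        # avoid depending on /etc/services spelling (the original used "imap2",
        # the Debian alias for 143, which other distributions may not define).
        tcp dport { 22, 80, 443, 25, 143, 993 } ct state new accept

        # Everything else: count, then drop (the chain policy would drop it too).
        counter drop
    }
}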