#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop

        tcp flags syn tcp option maxseg size 1-500 drop

        ct state { established, related } accept
        ct state invalid drop

        iif lo accept

        icmp type timestamp-request drop
        icmp type timestamp-reply drop
        ip protocol icmp accept

        ip6 nexthdr ipv6-icmp accept
    }

    chain output {
        type filter hook output priority 0
        policy accept
    }

    chain forward {
        type filter hook forward priority 0
        policy drop

        icmp type timestamp-request drop
        icmp type timestamp-reply drop
    }
}

table nat {
    chain prerouting {
        type nat hook prerouting priority -100
    }
    chain postrouting {
        type nat hook postrouting priority 100
    }
}

include "/etc/nftables-rules.d/*-*"