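flush ruleset

# Host firewall: default-deny inbound and forward, open outbound.
# Every chain that drops ends in a bare "counter" rule so dropped traffic is
# visible in `nft list ruleset` without changing what is dropped.
table inet filter {
    chain input {
        type filter hook input priority 0;
        # Anything not accepted by a rule below reaches the trailing counter
        # rule and is then discarded by this policy.
        policy drop;

        # baseline
        iif "lo" accept
        ct state established,related accept

        # explicitly allow (and count) the ports you care about
        # New SSH connections beyond 10/minute are not accepted here; they fall
        # through to the chain policy and show up in the "input dropped" counter.
        tcp dport 22 ct state new limit rate 10/minute accept
        tcp dport 80 counter accept
        tcp dport 443 counter accept

        # ICMPv6 is mandatory for IPv6 (neighbour discovery, MLD, PMTUD).
        # "meta l4proto" matches the transport protocol after any IPv6
        # extension headers, whereas "ip6 nexthdr icmpv6" only matched when
        # ICMPv6 was the very first next-header and so missed e.g. MLD
        # messages, which carry a Hop-by-Hop header.
        meta l4proto ipv6-icmp accept
        # NOTE(review): no IPv4 ICMP is accepted anywhere in this chain, so
        # IPv4 echo requests and ICMP error messages are dropped - confirm
        # that is intended.

        # everything else inbound is counted here, then dropped by the policy
        counter comment "input dropped"
    }

    chain forward {
        type filter hook forward priority 0;
        # This host does not route: only replies to already-tracked flows pass.
        policy drop;

        ct state established,related accept
        counter comment "forward dropped"
    }

    chain output {
        type filter hook output priority 0;
        # Locally originated traffic is not restricted.
        policy accept;
    }
}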