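#!/bin/sh
# Install nftables, write a host firewall ruleset to /etc/nftables.conf and
# (re)load it. Input is default-deny: loopback, established/related traffic,
# rate-limited ping, HTTP/HTTPS and SSH from one /29 are accepted; forward is
# dropped; output is open except for outbound SSH.
#
# Run this from a host inside 83.149.165.216/29 or from the console: once the
# ruleset is loaded, SSH from anywhere else is dropped.
set -eu

apt-get -y install nftables
systemctl enable nftables

conf=/etc/nftables.conf
tmp="${conf}.tmp"
trap 'rm -f -- "$tmp"' EXIT

# The ruleset is passed as a printf argument rather than as the format string,
# so a '%' or '\' in the text can never be interpreted; '%s\n' also gives the
# file its trailing newline.
printf '%s\n' '#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    # loopback
    iifname lo accept
    # established/related connections
    ct state established,related accept
    # invalid connections
    ct state invalid drop
    # ICMP error messages needed for path-MTU discovery and error reporting;
    # dropping them makes large transfers stall silently.
    ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    # ICMPv6 neighbour/router discovery is the IPv6 equivalent of ARP and is
    # required for IPv6 to work at all; packet-too-big is required for PMTUD.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    # no ping floods
    ip protocol icmp icmp type echo-request limit rate 1/second accept
    ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
    # HTTP and HTTPS
    tcp dport 80 ct state new limit rate 10/second accept
    tcp dport 443 ct state new limit rate 100/second accept
    # SSH from MiA/MiB
    tcp dport 22 ip saddr 83.149.165.216/29 ct state new limit rate 2/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
    # no SSH
    tcp dport 22 drop
  }
}' > "$tmp"

# Parse-check the ruleset before it replaces the live config; a syntax error
# would otherwise leave the service failing to start on the next boot.
nft -c -f "$tmp"
chmod 0644 "$tmp"
mv -- "$tmp" "$conf"

systemctl restart nftables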