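#!/bin/sh
# Install nftables on a Debian-style host and deploy a stateful host firewall.
#
#   input   - default drop; accepts loopback, established/related traffic,
#             rate-limited ICMP/ICMPv6 echo, rate-limited new HTTP/HTTPS, and
#             new SSH only from 83.149.165.216/29 (the author's "MiA/MiB")
#   forward - default drop (this host does not route)
#   output  - default accept, except outbound SSH is dropped
#
# The ruleset is written to a temporary file and parse-checked with `nft -c`
# before it replaces /etc/nftables.conf, so a typo in the rules fails this
# script instead of being discovered when the service is restarted.
# Must run as root. Any failing step aborts the script (set -e).
set -eu

apt-get -y install nftables
systemctl enable nftables

tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# Quoted delimiter: nothing in the heredoc is expanded by the shell. The
# original passed the whole ruleset as the printf *format* string, which
# works only as long as no '%' or '\' ever appears in a rule or comment.
cat >"$tmp" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0;
    # loopback
    iifname lo accept;
    # established/related connections
    ct state established,related accept;
    # invalid connections
    ct state invalid drop;
    # no ping floods (packets over the limit fall through to the drop policy)
    ip protocol icmp icmp type echo-request limit rate 1/second accept;
    # NOTE(review): `ip6 nexthdr icmpv6` only matches when ICMPv6 is the first
    # next header; `meta l4proto icmpv6` also matches behind extension headers.
    ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept;
    # NOTE(review): with the drop policy below, ICMPv6 neighbour discovery
    # (neighbor-solicit/advert, router-advert) is also dropped, which breaks
    # IPv6 connectivity on this host. Add accept rules for those types if the
    # host is expected to speak IPv6 at all - confirm with the owner.
    # HTTP and HTTPS
    tcp dport 80 ct state new limit rate 10/second accept;
    tcp dport 443 ct state new limit rate 100/second accept;
    # SSH from MiA/MiB
    tcp dport 22 ip saddr 83.149.165.216/29 ct state new limit rate 2/second accept;
    policy drop;
  }
  chain forward {
    type filter hook forward priority 0;
    policy drop;
  }
  chain output {
    type filter hook output priority 0;
    # no SSH
    tcp dport 22 drop;
    policy accept;
  }
}
EOF

# Parse-only check of the new file; a malformed ruleset stops here and the
# currently installed /etc/nftables.conf is left untouched.
nft -c -f "$tmp"
install -m 0644 -- "$tmp" /etc/nftables.conf
systemctl restart nftables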