Nftables opening gambit

Hiyah Everyone

Here is what I have come up with so far. I haven't implemented it yet and plan on trying it out on a VM first. Comments/suggestions please, and keep it clean? Joking

#!/usr/sbin/nft -f
flush ruleset
define lan = 192.168.*.*-192.168.*.*
#table inet filter {
#	chain input {
#		type filter hook input priority 0;
#		# loopback interface
#		iifname lo accept
#		# established/related connections
#		ct state established,related accept
#
#		# Invalid connections
#		ct state invalid drop

#		# no ping floods
#		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 2/second accept;
#		ip protocol icmp icmp type echo-request limit rate 2/second accept;

#		# open tcp ports: sshd (22), dns error it is also udp(53), httpd (80), https (443)
#		tcp dport {ssh, domain, http, https} ip saddr $lan accept;
#Reject every connection from elsewhere aka the wild
#		tcp dport {ssh, domain, http, https} reject with tcp reset;
#Drop all ports
#		tcp dport {1-1023} reject with tcp reset;

#		# UDP 53 DNS ip saddr $lan accept;
#		udp dport 53 ip saddr $lan accept;
#		udp dport 53 reject with icmp type port-unreachable;

#reject with icmp type port-unreachable;
#		policy drop;
#
#	}
#	chain forward {
#		type filter hook forward priority 0;
#		policy drop;
#	}
#	chain output {
#		type filter hook output priority 0;
#		# reject outbound ssh this would only be done on the server
#		# commented out ssh
#		#tcp dport ssh reject with icmp type host-unreachable;
#		policy accept;
#	}
#}

Thanks for helping out, Dan, in correcting formatting. This Pi-hole is on an internal network with a router/firewall on the front. What I am trying to stop is anyone, namely my nephew and nieces, getting too nosey; they have a knack of breaking things, so I just want to deter. In case anyone was wondering why I have commented them out, it's just ease for me and, well, if I have a senior moment I don't overwrite something.
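
One way to check what the posted input chain would decide before loading it on the VM is a small first-match model of its rules. This is an added example, not part of the original post: the 192.168.0.0/16 stand-in for the masked `lan` range, the sample packets and the function names are assumptions, and the stateful ICMP rate-limit rules are left out.

```python
import ipaddress

# Constructed stand-in: the post masks the real $lan range.
LAN = ipaddress.ip_network("192.168.0.0/16")
SERVICES = {22, 53, 80, 443}  # ssh, domain, http, https

def in_lan(p):
    return ipaddress.ip_address(p["saddr"]) in LAN

def tcp(p):
    return p.get("proto") == "tcp"

def udp53(p):
    return p.get("proto") == "udp" and p.get("dport") == 53

# Input chain in the order posted; nftables stops at the first terminal verdict.
RULES = [
    (lambda p: p.get("iif") == "lo", "accept"),
    (lambda p: p.get("ct") in ("established", "related"), "accept"),
    (lambda p: p.get("ct") == "invalid", "drop"),
    (lambda p: tcp(p) and p["dport"] in SERVICES and in_lan(p), "accept"),
    (lambda p: tcp(p) and p["dport"] in SERVICES, "reject with tcp reset"),
    (lambda p: tcp(p) and 1 <= p["dport"] <= 1023, "reject with tcp reset"),
    (lambda p: udp53(p) and in_lan(p), "accept"),
    (lambda p: udp53(p), "reject with icmp port-unreachable"),
]
POLICY = "drop"  # chain policy, applied when no rule matches

def verdict(pkt, rules=RULES):
    """Return the verdict of the first matching rule, else the chain policy."""
    for match, action in rules:
        if match(pkt):
            return action
    return POLICY

def new(proto, saddr, dport):
    """Build a constructed packet that starts a new connection on eth0."""
    return {"iif": "eth0", "ct": "new", "proto": proto, "saddr": saddr, "dport": dport}

# Same rules with the LAN accept moved below the blanket reject:
# the reject now matches first, so LAN clients are locked out too.
SWAPPED = RULES[:3] + [RULES[4], RULES[3]] + RULES[5:]

if __name__ == "__main__":
    for pkt in (new("tcp", "192.168.1.20", 22), new("tcp", "203.0.113.7", 22),
                new("tcp", "192.168.1.20", 8080), new("udp", "203.0.113.7", 53)):
        print(pkt["proto"], pkt["saddr"], pkt["dport"], "->", verdict(pkt))
```

Ports above 1023 match no rule and fall through to the chain policy, so any extra service on the host needs its own accept rule.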