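#!/usr/sbin/nft -f

# Host firewall for a Docker Swarm node.
# Inbound: default deny; only return traffic, ICMP, loopback, SSH and the
# swarm control/data-plane ports are accepted. Forward: default deny.
# Outbound: unrestricted.
#
# Fix vs. the original: rules inside a `table ... { chain ... { } }` block are
# written as bare rule statements. The original used `add rule ip filter INPUT ...`
# inside the block, which is a top-level command (and refers to a non-existent
# family/table/chain: ip/filter/INPUT), so `nft -f` rejected the file.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # allow already established connections (e.g. initiated by this host)
        ct state related,established counter accept

        # allow ICMP
        # NOTE: in an `inet` table `ip protocol icmp` matches IPv4 only. If this
        # host carries IPv6, ICMPv6 (neighbour discovery etc.) is still dropped by
        # the chain policy and would need its own accept rule.
        ip protocol icmp counter accept

        # allow anything on localhost
        iifname "lo" counter accept

        # allow SSH for remote management
        tcp dport 22 counter accept

        ## docker swarm
        # The rules below accept from any source address; on an exposed host,
        # consider restricting them to the addresses of the other swarm nodes.

        # cluster management communications
        tcp dport 2377 counter accept

        # communication among nodes
        tcp dport 7946 counter accept
        udp dport 7946 counter accept

        # overlay network traffic
        udp dport 4789 counter accept
    }

    chain forward {
        # this host does not route for others; drop everything not handled
        # elsewhere (Docker manages its own forwarding rules separately)
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # outbound traffic is unrestricted
        type filter hook output priority 0; policy accept;
    }
}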