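#!/usr/sbin/nft -f
#
# Host firewall for a Docker Swarm node: default-deny on input and forward,
# unrestricted output. Loaded with `nft -f`, so the file is applied atomically.
#
# NOTE: `flush ruleset` removes every table in every family, including tables
# created by other tooling (e.g. Docker's iptables-nft chains). Reloading this
# file on a live node therefore discards Docker's own rules until the daemon
# re-creates them; load it before Docker starts, or restart Docker afterwards.
flush ruleset

# inet family: one table filters both IPv4 and IPv6. A table of family `ip`
# only sees IPv4 and leaves IPv6 traffic entirely unfiltered (default accept).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # allow already established connections (e.g. initiated by this host)
        ct state related,established counter accept
        # drop what conntrack cannot classify (malformed / out-of-window
        # packets) before any per-port rule below can match them
        ct state invalid counter drop

        # allow anything on localhost
        iifname "lo" counter accept

        # allow ICMP and ICMPv6 (ICMPv6 is needed for neighbour discovery
        # and path-MTU discovery; blocking it breaks IPv6 connectivity)
        meta l4proto { icmp, ipv6-icmp } counter accept

        # allow SSH for remote management
        tcp dport 22 counter accept

        ## docker swarm
        # NOTE(review): these ports are reachable from any source. 2377/tcp
        # and 7946 carry cluster state, and VXLAN (4789/udp) is unauthenticated
        # and, unless the overlay network was created with `--opt encrypted`,
        # unencrypted. Restrict them to the peer nodes, e.g. by prefixing each
        # rule with `ip saddr @swarm_nodes` and declaring a set of node
        # addresses, once those addresses are known.
        # cluster management communications
        tcp dport 2377 counter accept
        # communication among nodes (gossip)
        tcp dport 7946 counter accept
        udp dport 7946 counter accept
        # overlay network traffic (VXLAN)
        udp dport 4789 counter accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # NOTE(review): a drop verdict in this base chain is final, regardless
        # of what Docker's own FORWARD rules decide, so traffic Docker routes
        # through docker0 / docker_gwbridge (container egress, published
        # ports) is blocked here. If that traffic is wanted, accept it
        # explicitly in this chain (an established/related rule plus
        # `iifname "docker_gwbridge" accept`) rather than relaxing the policy.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}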