diff --git a/files/iptables/nftables.rules b/files/iptables/nftables.rules
new file mode 100644
index 0000000..6881564
--- /dev/null
+++ b/files/iptables/nftables.rules
@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable
diff --git a/files/iptables/nftables6.rules b/files/iptables/nftables6.rules
new file mode 100644
index 0000000..38f1755
--- /dev/null
+++ b/files/iptables/nftables6.rules
@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited