nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	set addr_local_4 {
	type ipv4_addr; flags interval;

	elements={
		127.0.0.0/8,	# RFC3330 loopback
		10.0.0.0/8,	# RFC1918 reserved
		172.16.0.0/12,	# RFC1918 reserved
		192.168.0.0/16,	# RFC1918 reserved
		169.254.0.0/16	# RFC3927 link-local
		};
	}

	set addr_local_6 {
		type ipv6_addr; flags interval;

		elements={
			::1/128,        # RFC4291 loopback
			fc00::/7,       # RFC4193 unique local
			fe80::/64       # RFC4291 link-local
		};
	}

	chain input {
		type filter hook input priority 0; policy accept;

		ip saddr @addr_local_4 accept
		ip6 saddr @addr_local_6 accept

		# reject SSH connections from global addresses
		tcp dport ssh reject with tcp reset
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}