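# Per-source state for the SSH rules in the input chain below.
# An address stays in the set for 5 s after it is added/refreshed;
# "dynamic" lets the packet path add elements via add/update.
set ssh_ratelimit {
    type ipv4_addr
    timeout 5s
    flags dynamic
}

chain input {
    type filter hook input priority filter; policy drop;

    iif lo accept comment "Accept any localhost traffic"

    # Global (not per-source) cap on echo requests; the excess is dropped
    # before the generic ICMP accept rules further down.
    ip protocol icmp icmp type echo-request limit rate over 1/second drop comment "No ping floods"
    ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second drop comment "No ping6 floods"

    ct state invalid drop comment "Drop invalid connections"
    ct state established,related accept comment "Accept traffic originated from us"

    ip protocol icmp icmp type echo-request accept comment "Accept ICMP"
    ip6 nexthdr icmpv6 icmpv6 type echo-request accept comment "Accept ICMPv6"

    # IPv6 Neighbor Discovery is neither "established,related" nor "invalid"
    # in conntrack terms, so without an explicit accept it falls through to
    # the drop policy and IPv6 neighbor/router resolution stops working.
    ip6 nexthdr icmpv6 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Accept IPv6 Neighbor Discovery"

    # A source already recorded in the set is dropped outright ...
    tcp dport ssh ip saddr @ssh_ratelimit drop comment "Drop SSH from recently seen sources"
    # ... otherwise it is recorded and accepted.
    # NOTE(review): because the rule above drops every later SSH packet from a
    # recorded source, this update rule is never reached again for it, so the
    # element is not refreshed. In practice the set's 5s timeout, not the
    # 1/minute element limit, decides how often a source may open a new SSH
    # connection — confirm that this is the intended rate.
    tcp dport ssh update @ssh_ratelimit { ip saddr limit rate 1/minute } accept comment "Accept SSH"
}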