Default nftables filter (archlinux)

/etc/nftables.conf:

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iif "lo" accept comment "allow from loopback"
        meta l4proto { icmp, ipv6-icmp } accept comment "allow icmp"
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host limit rate 5/second burst 5 packets counter packets 40 bytes 3120 reject with icmpx admin-prohibited
        counter packets 1602 bytes 416808
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}