diff --git a/roles/debian/files/nftables.conf b/roles/debian/files/nftables.conf
new file mode 100755
index 0000000..0004066
--- /dev/null
+++ b/roles/debian/files/nftables.conf
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy accept;
+
+ # Accept any localhost and libvirt traffic.
+ iif "lo" accept
+ iif "virbr0" accept
+
+ # Accept traffic originated from us.
+ ct state established,related accept
+
+ # Open ports for public services.
+ tcp dport ssh ct state new accept
+ tcp dport 8000 ct state new accept # Python HTTP server.
+
+ # Accept neighbour discovery otherwise IPv6 connectivity breaks.
+ ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # Count and drop any other traffic.
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # Masquerade NAT traffic (useful for VMs).
+ masquerade
+ }
+}
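Review bot: The forward chain carries `policy accept` with no rules, and the `masquerade` rule in the postrouting chain is unqualified, so once IP forwarding is turned on for the VMs the host will forward and source-NAT traffic between any pair of interfaces, not only from virbr0 outward. Consider a drop policy on the forward chain with explicit accepts for established/related replies and for flows entering on the libvirt bridge, and restricting the masquerade rule to the VM source range and a non-bridge outbound interface, as in the excerpt below. Separately, `ip6 nexthdr icmpv6` on the neighbour-discovery rule matches only when ICMPv6 immediately follows the fixed IPv6 header; `icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept` already implies the protocol match and also covers packets carrying extension headers. Since `flush ruleset` at the top removes tables installed by other tools (libvirt's own NAT rules included, which is presumably why masquerade is re-declared here), a one-line comment stating that this file is meant to be the sole owner of the ruleset would help the next maintainer.

```nftables
 chain forward {
 type filter hook forward priority 0; policy drop;

 # Replies to flows the VMs opened.
 ct state established,related accept

 # Only the libvirt bridge may originate forwarded traffic.
 iif "virbr0" accept
 }
# … unchanged: output chain …

table ip nat {
 chain postrouting {
 type nat hook postrouting priority 100;

 # Masquerade only VM traffic leaving through a non-bridge interface.
 ip saddr <LIBVIRT_SUBNET_PLACEHOLDER> oif != "virbr0" masquerade
 }
}
```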