diff --git a/tasks/container-setup.yml b/tasks/container-setup.yml
index a9a9fce..cc8d82b 100644
--- a/tasks/container-setup.yml
+++ b/tasks/container-setup.yml
@@ -90,6 +90,13 @@
   loop:
     - token-validator
 
+- name: Setup firewall
+  template:
+    src: nftables.rules.j2
+    dest: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/nftables.nft"
+  tags:
+    - firewall
+
 - name: Setup runlevels
   file:
     path: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/runlevels/{{ item.runlevel }}/{{ item.filename }}"
@@ -100,6 +107,7 @@
     - { filename: "token-validator", runlevel: "default" }
     - { filename: "checker", runlevel: "default" }
     - { filename: "clean-wg", runlevel: "default" }
+    - { filename: "nftables", runlevel: "boot" } # Does not work
 
 - name: Setup maatma container
diff --git a/tasks/main.yml b/tasks/main.yml
index fb8fa8d..2d29fab 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,7 +14,8 @@
     group: srs-deploy
     state: directory
 
-# 3. Install others scripts
+# 3. Install firewall
+# 4. Install others scripts
 - name: configure wg-adlin
   copy:
     src: "/etc/wireguard/wg-adlin.conf"
diff --git a/templates/nftables.rules.j2 b/templates/nftables.rules.j2
new file mode 100644
index 0000000..ba0ff37
--- /dev/null
+++ b/templates/nftables.rules.j2
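Review bot: The `Setup firewall` template task pins neither ownership nor mode on the rendered `/etc/nftables.nft` inside the rootfs, so the file gets whatever default the target host applies; I'd add `owner: root`, `group: root` and `mode: "0644"` (quoted, so YAML does not read the octal as an integer). Nothing in this task loads the rendered ruleset into the container: the only hook is the `boot` runlevel entry in the second hunk, which the commit itself marks `# Does not work`, so a run with `--tags firewall` pushes the file but applies no rule. A `validate: "nft -c -f %s"` on the template would catch syntax errors before the file lands, though only if `nft` is present on the LXC host, which the hunk does not show.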
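Review bot: The new `nftables` runlevel entry is committed with `# Does not work`, which means the service is never started and the container keeps running unfiltered even though the template declares `policy drop` chains. The `Setup runlevels` task's `src`/`state` lines are outside the hunk, but if it symlinks into `/etc/init.d/` the usual cause is that the nftables package (and its init script) is not present in the container image before this task runs; on Alpine/OpenRC the service is also commonly registered in `default` rather than `boot`, which is worth confirming. Either fix it in this commit or replace the bare comment with one that states the consequence, e.g. `# FIXME: service never starts, so /etc/nftables.nft is not applied`.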
@@ -0,0 +1,86 @@
+#!/usr/sbin/nft -f
+# vim: set ts=4 sw=4:
+# You can find examples in /usr/share/nftables/.
+
+# Clear all prior state
+flush ruleset
+
+# Basic IPv4/IPv6 stateful firewall for server/workstation.
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        iifname lo accept \
+            comment "Accept any localhost traffic"
+
+        ct state { established, related } accept \
+            comment "Accept traffic originated from us"
+
+        ct state invalid drop \
+            comment "Drop invalid connections"
+
+        tcp dport 113 reject with icmpx type port-unreachable \
+            comment "Reject AUTH to make it fail fast"
+
+        # ICMPv4
+
+        ip protocol icmp icmp type {
+            echo-reply,  # type 0
+            destination-unreachable,  # type 3
+            echo-request,  # type 8
+            time-exceeded,  # type 11
+            parameter-problem,  # type 12
+        } accept \
+            comment "Accept ICMP"
+
+        # ICMPv6
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            destination-unreachable,  # type 1
+            packet-too-big,  # type 2
+            time-exceeded,  # type 3
+            parameter-problem,  # type 4
+            echo-request,  # type 128
+            echo-reply,  # type 129
+        } accept \
+            comment "Accept basic IPv6 functionality"
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            nd-router-solicit,  # type 133
+            nd-router-advert,  # type 134
+            nd-neighbor-solicit,  # type 135
+            nd-neighbor-advert,  # type 136
+        } ip6 hoplimit 255 accept \
+            comment "Allow IPv6 SLAAC"
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            mld-listener-query,  # type 130
+            mld-listener-report,  # type 131
+            mld-listener-reduction,  # type 132
+            mld2-listener-report,  # type 143
+        } ip6 saddr fe80::/10 accept \
+            comment "Allow IPv6 multicast listener discovery on link-local"
+
+        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+            comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+
+        ip saddr 192.168.0.6 tcp dport 8081 accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+        ip6 saddr 2a01:e0a:518:833::/64 udp sport 53 counter accept
+        ip6 saddr 2a01:e0a:518:833::/64 ip6 nexthdr icmpv6 counter accept
+        ip6 saddr 2a01:e0a:518:833::/64 ip6 daddr != 2a01:e0a:518:830::/56 counter log prefix "Filtered ADLIN FORWARD " reject with icmpv6 type admin-prohibited
+    }
+
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+
+# Rules
+include "/etc/nftables.d/*.nft"
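Review bot: In `chain forward`, `udp sport 53 counter accept` is a stateless match on a source port the sender chooses, so any host in 2a01:e0a:518:833::/64 can forward arbitrary UDP to any destination simply by using source port 53, and the `daddr != 2a01:e0a:518:830::/56` reject below it never sees that traffic. The chain also has no `ct state` rules, so replies to forwarded flows are not covered either; I'd track state and match the request direction (`udp dport 53`), but the template does not show which side hosts the resolver, so confirm the direction before switching. The `log prefix "Filtered ADLIN FORWARD "` reject is unthrottled, so a single client can flood the container's log; rate-limit the log and reject in a separate rule (the rate below is a placeholder to tune). Since the file is rendered by `template`, the hard-coded 192.168.0.6 and the two 2a01:e0a:518:... prefixes could become Ansible variables; keep in mind that Jinja treats `{#` as a comment opener, so never put a `#` comment on the same line as an nft set's opening brace.
```nftables
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        # confirm direction: clients in 833::/64 querying a resolver, not replies from one
        ip6 saddr 2a01:e0a:518:833::/64 udp dport 53 counter accept
        ip6 saddr 2a01:e0a:518:833::/64 ip6 nexthdr icmpv6 counter accept
        # placeholder rate; log falls through to the reject rule below
        ip6 saddr 2a01:e0a:518:833::/64 ip6 daddr != 2a01:e0a:518:830::/56 limit rate 10/minute log prefix "Filtered ADLIN FORWARD "
        ip6 saddr 2a01:e0a:518:833::/64 ip6 daddr != 2a01:e0a:518:830::/56 counter reject with icmpv6 type admin-prohibited
    }
```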