diff --git a/roles/proxmox-backup/templates/nftables.conf.j2 b/roles/proxmox-backup/templates/nftables.conf.j2
new file mode 100644
index 0000000..aff70a9
--- /dev/null
+++ b/roles/proxmox-backup/templates/nftables.conf.j2
@@ -0,0 +1,51 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+ iif lo accept
+
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv6"
+
+ # BGP / BFD sessions
+ iif lan0 ip6 saddr fe80::/64 accept
+ iif lan1 ip6 saddr fe80::/64 accept
+
+ iifname mgmt accept comment "management access"
+
+ meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal"
+
+{% for service in services %}
+{% set prefixes = service | allowed_prefixes %}
+{% set ports = service.ports | compact_numlist %}
+ # service {{ service.name }}
+{% if prefixes | ipv4 %}
+ ip saddr { {{ prefixes | ipv4 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+{% if prefixes | ipv6 %}
+ ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+
+{% endfor %}
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept
+ }
+}
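Review bot: The ICMPv6 accept set in the input chain omits the Neighbor Discovery types, so with `policy drop` a neighbor solicitation or router advertisement that is not already matched by the `fe80::/64` rules on lan0/lan1 or the blanket `iifname mgmt accept` is dropped, and IPv6 address resolution on any other interface (or from a neighbor that sources its NS from a global address, which Linux does when the target is global) silently fails. Extending the set, e.g. `packet-too-big, parameter-problem, time-exceeded, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,`, matches the conventional inet filter baseline; if router advertisements should only be trusted on specific interfaces, keep `nd-router-advert` out of this set and accept it with an `iif`-scoped rule instead. The MLD listener query type may be needed as well if the host must answer multicast membership queries, though that depends on the switch setup and is only a guess from here. Separately, the per-service block guards on empty prefix lists but not on an empty `service.ports`, which would render `tcp dport { }` and fail to load; worth a `{% if ports %}` guard or a validation step in the `compact_numlist` filter.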