diff --git a/.config/nftables.conf b/.config/nftables.conf
index a4a8073..88eaca0 100755
--- a/.config/nftables.conf
+++ b/.config/nftables.conf
@@ -1,15 +1,31 @@
 #!/usr/sbin/nft -f
- flush ruleset
 table inet filter {
- chain input {
- type filter hook input priority filter; policy drop;
- # accept any localhost traffic
- iif lo accept
- # accept traffic originated from us
- ct state established,related accept
- # accept neighbour discovery otherwise connectivity breaks
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+ chain inbound {
+ type filter hook input priority 0; policy drop;
+
+ iif lo accept comment "Accept loopback traffic"
+ meta l4proto { icmp, ipv6-icmp } accept comment "Accept all icmp/icmpv6 traffic"
+ ct state vmap { established : accept, related : accept, invalid : drop } comment "Allow traffic from established and related connections, drop invalid"
+
+ tcp dport ssh accept comment "Accept SSH on port 22"
+ udp dport 1194 accept comment "Accept VPN on port 1194"
+
+ # log prefix "[nftables] Inbound Denied: " counter drop comment "Log denied traffic"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ iifname "padova" accept
+ }
+}
+
+table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority -100;
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ oifname "eth0" masquerade
 }
 }
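Review bot: The new forward chain drops reply traffic: under `policy drop` it accepts only packets that enter on "padova", so replies to masqueraded connections that come back in on eth0 and are forwarded toward padova match nothing and are dropped, which would break every forwarded connection unless the tunnel peer expects no replies. Add `ct state established,related accept` ahead of the `iifname "padova" accept` rule (and, if eth0 also fronts a LAN, consider restricting what padova may forward to with an `oifname` match). In the inbound chain, `meta l4proto { icmp, ipv6-icmp } accept` replaces the old neighbour-discovery-only rule with an unconditional accept of every ICMP/ICMPv6 type and sits before the ct state vmap, so `invalid : drop` never sees ICMP; an allowlist of the types the host needs (the ND types plus echo-request, destination-unreachable, packet-too-big, time-exceeded) placed after the vmap keeps the attack surface where the old rule had it. The commented-out `log prefix ... counter drop` line means denied inbound traffic leaves no counter or log entry; if that is deliberate, a one-line comment saying why would stop the next reader from re-enabling it by accident.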