diff --git a/roles/common/templates/00-base.conf.j2 b/roles/common/templates/00-base.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..bf796d9b908f6073d5a7a43d968945d1ca87d77a
--- /dev/null
+++ b/roles/common/templates/00-base.conf.j2
@@ -0,0 +1,34 @@
+table filter {
+chain INPUT {
+policy DROP;
+interface lo ACCEPT;
+# Make sure not to allow flooding via ICMP ping packages by sending them
+# to flood chain before state module kicks in.
+proto icmp icmp-type echo-request jump flood;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+# For TCP packages we perform floods checks after state module took care
+# of established and related connections.
+proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
+# Accept some common incoming connections.
+proto icmp icmp-type echo-request ACCEPT;
+proto tcp dport 22 ACCEPT;
+}
+
+# The flood chain is used for controlling the rate of the incoming connections.
+chain flood {
+# Rate-limit the ping requests.
+proto icmp icmp-type echo-request {
+mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
+hashlimit-mode srcip hashlimit-name icmp RETURN;
+DROP;
+}
+# Rate-limit the TCP connections.
+proto tcp tcp-flags (FIN SYN RST ACK) SYN {
+mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
+hashlimit-mode srcip hashlimit-name icmp RETURN;
+LOG;
+DROP;
+}
+}
+
+}
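Review bot: The TCP SYN rule in the flood chain reuses `hashlimit-name icmp`, the same hashlimit table the ICMP echo rule uses, so both rules draw from one per-source token bucket and a burst of pings consumes the SYN budget of the same source (and vice versa); this looks like a copy-paste and the second rule should get its own table, e.g. `hashlimit-mode srcip hashlimit-name tcp-syn RETURN;`. The `LOG;` that follows in the same block has no rate limit of its own, so every SYN that exceeds the hashlimit produces a log entry, which turns a SYN flood into a log flood; `mod limit limit 5/minute LOG;` (with a `log-prefix`) bounds that. The INPUT chain also has no rule for packets in state INVALID, so they fall through to the echo-request and dport 22 ACCEPTs rather than being dropped before the accepts — presumably intended to be covered before `mod state state (ESTABLISHED RELATED) ACCEPT;`, verify against the other ferm fragments this base file is combined with.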