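# Inbound packet filter. ferm applies this to `domain ip` (IPv4) when no
# domain is given, which is the case here.
# NOTE(review): ip6tables is not touched by this file, so IPv6 traffic is
# either filtered elsewhere or unfiltered — confirm before relying on it.
table filter {
    chain INPUT {
        policy DROP;

        # Loopback traffic is always trusted.
        interface lo ACCEPT;

        # Send ICMP echo requests to the flood chain *before* the state module
        # so a ping flood cannot be accepted via ESTABLISHED/RELATED matching.
        proto icmp icmp-type echo-request jump flood;

        mod state state (ESTABLISHED RELATED) ACCEPT;

        # For TCP only new connection attempts (SYN without ACK/FIN/RST) go to
        # the flood chain; established traffic was already accepted above.
        proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

        # Accept some common incoming connections. These rules are only
        # reached when the flood chain RETURNed, i.e. the source IP is
        # still within its rate budget.
        proto icmp icmp-type echo-request ACCEPT;
        proto tcp dport 22 ACCEPT;
    }

    # The flood chain rate-limits incoming connections per source IP.
    # Packets within budget RETURN to the caller; the excess is dropped here.
    chain flood {
        # Rate-limit the ping requests.
        proto icmp icmp-type echo-request {
            mod hashlimit hashlimit {{ incoming_connection_limit }}
                hashlimit-burst {{ incoming_connection_limit_burst }}
                hashlimit-mode srcip hashlimit-name icmp RETURN;
            DROP;
        }

        # Rate-limit new TCP connections. The hashlimit table name must differ
        # from the ICMP rule's: hashlimit entries are keyed by table name, so
        # sharing "icmp" would make pings and SYNs from one host draw from
        # the same bucket and let one protocol starve the other.
        proto tcp tcp-flags (FIN SYN RST ACK) SYN {
            mod hashlimit hashlimit {{ incoming_connection_limit }}
                hashlimit-burst {{ incoming_connection_limit_burst }}
                hashlimit-mode srcip hashlimit-name tcp-syn RETURN;
            # Log the excess, but cap the log rate so a SYN flood cannot also
            # become a log flood; the prefix makes the entries searchable.
            mod limit limit 5/minute limit-burst 10
                LOG log-prefix "ferm-syn-flood: " log-level warning;
            DROP;
        }
    }
}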