nftables

nftables is the new packet-filtering framework of the Linux kernel. It has several advantages over the existing {ip,ip6,arp,eb}tables:
 * Only one command
 * Rules that target both IPV4 and IPV6
 * More concise syntax
 * See details on the official wiki

Prerequisite
If you are running Debian Jessie, it is recommended to install the kernel from Jessie Backports.

Install
You might also want to remove

Create main table
Create file. Double-check the port used for SSH before activating the script.

/etc/nftables.conf
Edit file. This file is executed when the nftables service starts; you can also run it manually without issue.

/etc/nftables/reload_main.conf
This script reloads only the main table and leaves the others untouched. The point is to integrate with tools like Fail2Ban that insert their own rules into the firewall: by reloading just the main table, you activate your new rules without wiping what Fail2Ban has added.

Create file and make it executable.

Test
Test your firewall with the following command. It activates the firewall and resets it after 30 seconds, so a mistake in the rules cannot lock you out of your machine.
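The three steps above (main table, reload-only-main script, 30-second lock-out guard) as one added shell example; this is not the page's own configuration. It assumes a main table named `inet main` stored in `main.conf` (a name this page does not show), the `CONF_DIR` and `SSH_PORT` variables, and root on a host with `nft` for the two functions that actually apply rules.

```shell
#!/bin/sh
# Added example: assumed file layout under CONF_DIR (use /etc/nftables on a real host).
SSH_PORT="${SSH_PORT:-22}"          # double-check this before activating anything
CONF_DIR="${CONF_DIR:-/etc/nftables}"

# The main table: default-drop input, SSH allowed. Fail2Ban keeps its rules in its
# own tables, so this table can be flushed and reloaded on its own.
main_table_conf() {
    cat <<EOF
table inet main {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport $SSH_PORT ct state new accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Reload script: flush rules of the main table only (not "flush ruleset"), then
# re-apply the file, so rules Fail2Ban inserted elsewhere survive the reload.
reload_main_script() {
    cat <<EOF
#!/bin/sh
set -e
nft flush table inet main
nft -f "$CONF_DIR/main.conf"
EOF
}

# Write main.conf, the executable reload script and the boot-time entry point.
write_files() {
    mkdir -p "$CONF_DIR"
    main_table_conf > "$CONF_DIR/main.conf"
    reload_main_script > "$CONF_DIR/reload_main.conf"
    chmod 755 "$CONF_DIR/reload_main.conf"
    printf 'flush ruleset\ninclude "%s/main.conf"\n' "$CONF_DIR" > "$CONF_DIR/nftables.conf"
}

# Lock-out guard: activate, wait 30 s, then clear everything again (run as root).
test_firewall() {
    nft -f "$CONF_DIR/nftables.conf" && sleep 30 && nft flush ruleset
}
```

Run `write_files` once with `CONF_DIR=/etc/nftables`, then `test_firewall` from a second session you can afford to lose; only when SSH stays reachable does enabling the service make sense.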

Enable
It is recommended that you test your firewall before enabling it at boot time: an incorrectly configured firewall can lock you out of your machine. If the enable step prints an error, don't worry; the firewall is correctly enabled in systemd. This is bug #804648.