diff --git a/files/br-rtr/nftables.conf b/files/br-rtr/nftables.conf
new file mode 100755
index 0000000..c504fd2
--- /dev/null
+++ b/files/br-rtr/nftables.conf
@@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ log prefix "Dropped Input: " level debug
+ iif lo accept
+ ct state established,related accept
+ tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
+ udp dport { 53,123,500,4500,88,137 } accept
+ ip protocol icmp accept
+ ip protocol esp accept
+ ip protocol gre accept
+ ip protocol ospf accept
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ log prefix "Dropped forward: " level debug
+ iif lo accept
+ ct state established,related accept
+ tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
+ udp dport { 53,123,500,4500,88,137 } accept
+ ip protocol icmp accept
+ ip protocol esp accept
+ ip protocol gre accept
+ ip protocol ospf accept
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept
+ ip daddr 172.16.5.2 tcp dport 2024 dnat ip to 192.168.200.2:2024
+ ip daddr 172.16.5.2 tcp dport 80 dnat ip to 192.168.200.2:8080
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+
+ oif "ens18" ip saddr { 192.168.200.0/27 } masquerade
+ }
+}
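Review bot: The HTTP port-forward in the nat prerouting chain (dport 80 → 192.168.200.2:8080) will be dropped by the filter forward chain, because DNAT runs before the forward hook and 8080 is not in the forward chain's `tcp dport { … }` set, so the first packet of each such connection hits the `policy drop`; adding `ct status dnat accept` after the `ct state established,related accept` line in the forward chain (or adding 8080 to that set) fixes it. The `log prefix "Dropped Input: " level debug` and `log prefix "Dropped forward: " level debug` rules sit at the top of their chains, so they log every packet including the ones accepted below them, which makes the prefix misleading and the kernel log noisy; they belong as the last rule of each chain, immediately before the implicit drop. The forward allow-list is also unconstrained by `iif`/`oif`, so it appears to let any attached network reach SMB (445/139), Kerberos (88) and the other listed ports on any other attached network through this router — if only one direction is intended, qualifying those rules with the interface names (as the postrouting rule already does with `oif "ens18"`) would narrow it.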