nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		iif lo accept comment "Accept traffic from loopback interface"
		ct state established,related accept comment "Allow inbound & related packets for established connections"

		jump portknock

		counter drop
	}

	set portknock_stage1 {
		type ipv4_addr;
		flags timeout;
		size 65536;
	}

	set portknock_stage2 {
		type ipv4_addr;
		flags timeout;
		size 65536;
	}

	set portknock_allow {
		type ipv4_addr;
		flags timeout;
		size 65536;
	}

	chain portknock {
		ip saddr @portknock_allow tcp dport 22 counter accept comment "Accept TCP to SSH for correctly knocked IPs"

		udp dport 7000 counter add @portknock_stage1 { ip saddr timeout 1s } comment "Portknock, stage 1"

		ip saddr != @portknock_stage1 counter return comment "Portknock stage 2 not allowed"
		udp dport 8000 counter add @portknock_stage2 { ip saddr timeout 1s } comment "Portknock, stage 2"

		ip saddr != @portknock_stage2 counter return comment "Portknock stage 3 not allowed"
		udp dport 9000 counter add @portknock_allow { ip saddr timeout 60s } comment "Portknock, stage 3"
	}
}