diff --git a/playbooks/securing.yml b/playbooks/securing.yml
new file mode 100644
index 0000000..682ab24
--- /dev/null
+++ b/playbooks/securing.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Securing
+  hosts: all
+  vars_files:
+    - ../group_vars/all/vault.yml
+  roles:
+    - securing
+  tags:
+    - securing
diff --git a/roles/securing/tasks/fail2ban.yml b/roles/securing/tasks/fail2ban.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/securing/tasks/firewall.yml b/roles/securing/tasks/firewall.yml
new file mode 100644
index 0000000..33443c8
--- /dev/null
+++ b/roles/securing/tasks/firewall.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Install nftables
+  ansible.builtin.apt:
+    state: present
+    update_cache: true
+    pkg:
+      - nftables
+
+
+- name: Add nftables configuration
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    nftables_reload
diff --git a/roles/securing/tasks/main.yml b/roles/securing/tasks/main.yml
new file mode 100644
index 0000000..9c6fb12
--- /dev/null
+++ b/roles/securing/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Firewall
+  remote_user: ansible
+  become: true
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Fail2ban
+  remote_user: ansible
+  become: true
+  ansible.builtin.import_tasks: fail2ban.yml
diff --git a/roles/securing/templates/nftables.conf.j2 b/roles/securing/templates/nftables.conf.j2
new file mode 100644
index 0000000..146eacf
--- /dev/null
+++ b/roles/securing/templates/nftables.conf.j2
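Review bot: The `Add nftables configuration` task notifies `nftables_reload`, but this commit adds no handlers file for the securing role, so the notification will error unless that handler is defined in a file outside this diff. Nothing enables or starts nftables.service either, so the ruleset written to /etc/nftables.conf is only live once the handler runs and, on hosts where the unit is not enabled by default, may not be restored at boot. Because both input chains use `policy drop`, a syntax error in the rendered file would lock the host out on the next load, so the template task should check it before writing: `validate: "nft -c -f %s"`. A follow-up task that enables the service would make the ruleset persistent.

```yaml
# … unchanged: Install nftables and Add nftables configuration tasks …

- name: Enable and start nftables
  ansible.builtin.systemd:
    name: nftables
    enabled: true
    state: started
```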
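Review bot: `remote_user: ansible` is repeated on both import_tasks entries in tasks/main.yml; as a point of style it belongs once at the play level (`remote_user: ansible` next to `hosts: all` in playbooks/securing.yml) or in inventory, with `become: true` kept per task. The `Fail2ban` task imports fail2ban.yml, which this commit adds as an empty file, so that task is currently a no-op placeholder; a comment on the import such as `# fail2ban.yml is a stub until the fail2ban tasks are added` would make that explicit to the next reader.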
@@ -0,0 +1,37 @@
+table ip6 filter {
+  chain input {
+    type filter hook input priority filter; policy drop;
+    iifname "lo" accept
+    log prefix "Dropped ipv6: " flags all drop
+  }
+
+  chain forward {
+    type filter hook forward priority filter; policy accept;
+  }
+
+  chain output {
+    type filter hook output priority filter; policy drop;
+    iifname "lo" accept
+    log prefix "Dropped ipv6: " flags all drop
+  }
+}
+
+table ip filter {
+  chain input {
+    type filter hook input priority filter; policy drop;
+    ct state established,related accept
+    ip protocol icmp icmp type echo-request accept
+    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+    tcp dport { 22, 80, 443, 10000 } accept
+
+    log prefix "Dropped ipv4: " flags all drop
+  }
+
+  chain forward {
+    type filter hook forward priority filter; policy accept;
+  }
+
+  chain output {
+    type filter hook output priority filter; policy accept;
+  }
+}
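Review bot: The IPv4 input chain in `table ip filter` has no `iifname "lo" accept`, unlike both ip6 chains, so under `policy drop` any new connection to 127.0.0.1 on a port outside { 22, 80, 443, 10000 } (a local resolver, database or metrics endpoint) is dropped and logged. The `icmpv6 type { ... } accept` rule sits in the `ip` family table, where it cannot match IPv6 traffic and nft will likely reject the ruleset as a protocol conflict; if IPv6 is meant to be blocked, as the ip6 drop policies suggest, delete it, otherwise move it together with a `ct state established,related accept` into the ip6 input chain. Both `log ... flags all drop` rules are unrated, so unsolicited traffic writes one kernel log line per packet and a scan can fill the journal; a `limit rate` in front of the log bounds that. The port set is also fixed inside a .j2 template that uses no Jinja, so it could be driven from a role variable if hosts need different services exposed.

```nftables
table ip filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp icmp type echo-request accept
    tcp dport { 22, 80, 443, 10000 } accept
    limit rate 10/minute burst 20 packets log prefix "Dropped ipv4: " flags all
    drop
  }
  # … unchanged: forward and output chains …
}
```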