diff --git a/docker.sysusers b/docker.sysusers
new file mode 100644
index 0000000..0f62654
--- /dev/null
+++ b/docker.sysusers
@@ -0,0 +1 @@
+g docker - -
diff --git a/nftables-docker.nft b/nftables-docker.nft
new file mode 100644
index 0000000..a485300
--- /dev/null
+++ b/nftables-docker.nft
@@ -0,0 +1,60 @@
+table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ counter jump DOCKER-USER
+ counter jump DOCKER-ISOLATION-STAGE-1
+ oifname "docker0" ct state established,related counter accept
+ oifname "docker0" counter jump DOCKER
+ iifname "docker0" oifname != "docker0" counter accept
+ iifname "docker0" oifname "docker0" counter accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+
+ chain DOCKER {
+ }
+
+ chain DOCKER-ISOLATION-STAGE-1 {
+ iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
+ counter return
+ }
+
+ chain DOCKER-ISOLATION-STAGE-2 {
+ oifname "docker0" counter drop
+ counter return
+ }
+
+ chain DOCKER-USER {
+ counter return
+ }
+}
+table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority -100; policy accept;
+ fib daddr type local counter jump DOCKER
+ }
+
+ chain INPUT {
+ type nat hook input priority 100; policy accept;
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority 100; policy accept;
+ oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
+ }
+
+ chain OUTPUT {
+ type nat hook output priority -100; policy accept;
+ ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+ }
+
+ chain DOCKER {
+ iifname "docker0" counter return
+ }
+}
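Review bot: The FORWARD chain in the filter table is declared with `policy accept;`, whereas the iptables ruleset this file mirrors is installed by dockerd alongside a FORWARD policy of DROP; with accept as the default, any peer that can route to the bridge subnet reaches every container port, not only published ones, and the empty DOCKER chain provides no narrowing. If the intent is to reproduce dockerd's default-bridge behaviour, this should read `type filter hook forward priority 0; policy drop;`, which the existing `ct state established,related` and `iifname "docker0"` accept rules already allow for, but then the DOCKER chain (empty here) needs per-published-port accept rules from whatever populates it, so please confirm whether dockerd is still expected to manage those or this file is meant to be complete. The masquerade rule in nat POSTROUTING hardcodes `172.17.0.0/16`; a header comment such as `# mirrors dockerd's default-bridge rules; the masquerade subnet must match the daemon's bip/default-address-pool` would make the coupling explicit for whoever changes the daemon config.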