diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index ff2340d..2b7542f 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -69,6 +69,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 64677e7..ab99a55 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -69,6 +69,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-mail.conf b/nftables-mail.conf
index edd56fd..f538879 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -69,6 +69,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 7a81d23..044758e 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -69,6 +69,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-network.conf b/nftables-network.conf
index f343d55..2e76a32 100644
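Review bot: The new first rule of input-new diverts every non-TCP packet that reaches this chain to graceful-reject, and nothing in the hunk shows that ICMP, ICMPv6 (neighbour discovery, path-MTU) or UDP are accepted in the input chain before the jump into input-new; if they are not, this changes far more than the TCP port filter on the line below it, so the input chain (outside the hunk) should be checked. What graceful-reject does with a non-TCP packet is also not visible here; it needs to answer with an ICMP/ICMPv6 reject rather than a TCP reset for those packets, which is worth confirming. The same line is added unchanged to nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf, and in none of them does the rule say why it exists; a short comment such as `# input-new is TCP-only: anything else is rejected here, the port set below filters TCP` above it would make the intent readable. The input-new chain continues past the end of the hunk.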
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -73,6 +73,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 5716612..08f1e27 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -72,6 +72,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 8d2ee70..e0a7025 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -77,6 +77,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-social.conf b/nftables-social.conf
index e2975e7..e4d2f7a 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -69,6 +69,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables-web.conf b/nftables-web.conf
index 6b72cdb..3d70cf5 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
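Review bot: In nftables-ns1.conf (and identically in nftables-ns2.conf) the port set admits TCP 53 and 853, yet the new `meta l4proto != tcp goto graceful-reject` rule rejects UDP before any port is inspected, so UDP/53 queries to these nameservers are only answered if the input chain accepts `udp dport 53` before jumping into input-new. That chain is outside the hunk, so this should be confirmed rather than assumed; if UDP DNS is meant to be served, a `udp dport 53 accept` ahead of the jump, or ahead of the new rule in input-new, is needed. A comment on the new line naming where UDP DNS is handled, e.g. `# UDP 53 is accepted in chain input; only TCP reaches this point`, would keep the two rules from drifting apart. The input-new chain continues past the end of the hunk.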
@@ -73,6 +73,7 @@ table inet filter {
 }
 chain input-new {
+meta l4proto != tcp goto graceful-reject
 tcp dport != { 22, 80, 443 } goto graceful-reject
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset