diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index bccfa82..2af9456 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 97af3dc..724a649 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 4078e43..b41ff06 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 25, 80, 443, 465, 993} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index bea3952..7d5622e 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-network.conf b/nftables-network.conf
index 6c24d78..5f36564 100644
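Review bot: The added `fib saddr . iif oif missing counter drop` rule becomes the only reverse-path check on these hosts, because the sysctl hunk in this same commit turns IPv4 `rp_filter` off and the kernel has no IPv6 equivalent, so a ruleset that fails to load, or a chain that is flushed mid-reload, leaves the host with no RPF at all; the comment should record that dependency, e.g. `# sole reverse-path check for v4 and v6: kernel rp_filter is disabled in sysctl.d/local.conf`. With `counter` as the only visibility, a separate rate-limited `limit rate ... log prefix "rpf-drop: "` rule placed just before the drop (a limit on the drop rule itself would let excess packets through) would show legitimate traffic being discarded during rollout, which strict mode will do on any multi-homed or policy-routed host where the return route leaves by a different interface or depends on a `mark` that is not part of the concatenation. The same hunk is repeated verbatim in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf, and this note applies to all of them. The enclosing `chain prerouting-raw` and `table inet filter` blocks both continue outside the hunk.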
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443, 7275} notrack accept
 udp dport 123 notrack accept
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index fcc1801..0e204c9 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 udp dport 53 notrack accept
 tcp dport {22, 53, 80, 443, 853} notrack accept
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 06cf0c5..644ecd8 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 udp dport 53 notrack accept
 tcp dport {22, 53, 80, 443, 853} notrack accept
diff --git a/nftables-social.conf b/nftables-social.conf
index 8d1d81a..49f8224 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-web.conf b/nftables-web.conf
index e02fbb6..70e3c80 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -6,6 +6,9 @@ table inet filter {
 chain prerouting-raw {
 type filter hook prerouting priority raw
+ # drop packets without a reverse path (strict reverse path filtering)
+ fib saddr . iif oif missing counter drop
+
 iif lo notrack accept
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/sysctl.d/local.conf b/sysctl.d/local.conf
index a2a1c39..31aa0ea 100644
--- a/sysctl.d/local.conf
+++ b/sysctl.d/local.conf
@@ -28,6 +28,10 @@ net.ipv4.conf.default.accept_redirects = 0
 net.netfilter.nf_conntrack_tcp_loose = 0
 net.netfilter.nf_conntrack_tcp_timeout_established = 14400
+# enforced with nftables to handle both IPv4 and IPv6 in the same way
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.*.rp_filter = 0
+
 net.mptcp.enabled = 0
 kernel.yama.ptrace_scope = 2
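Review bot: The comment on the new `rp_filter` lines says the check is "enforced with nftables" but does not say where, and since these two lines switch the kernel check off for `default`, `all` and every interface present at apply time, anyone tightening or loosening one side alone will silently end up with either double enforcement or none; name the counterpart, e.g. `# kernel rp_filter off on purpose: strict RPF is the 'fib saddr . iif oif missing' rule in chain prerouting-raw of each nftables-*.conf`. The glob key `net.ipv4.conf.*.rp_filter` is a systemd-sysctl feature; if these files are ever applied through the procps `sysctl --system` path instead, it is worth confirming that tool accepts glob keys, otherwise only the `default` line takes effect and interfaces that already exist keep their old value. Because the kernel value is now 0, the ordering of the two mechanisms at boot also matters: the nftables ruleset should be loaded before or at the same point as this sysctl file so there is no window with neither check active, and a load failure of the ruleset should be treated as a security-relevant alert rather than a cosmetic service failure.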