diff --git a/main.nft b/main.nft
new file mode 100644
index 0000000..6460d10
--- /dev/null
+++ b/main.nft
@@ -0,0 +1,64 @@
+# Sample configuration for nftables service.
+# Load this by calling 'nft -f /etc/nftables/main.nft'.
+
+# Note about base chain priorities:
+# The priority values used in these sample configs are
+# offset by 20 in order to avoid ambiguity when firewalld
+# is also running which uses an offset of 10. This means
+# that packets will traverse firewalld first and if not
+# dropped/rejected there will hit the chains defined here.
+# Chains created by iptables, ebtables and arptables tools
+# do not use an offset, so those chains are traversed first
+# in any case.
+
+# drop any existing nftables ruleset
+flush ruleset
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+ # protocols to allow
+ set allowed_protocols {
+ type inet_proto
+ elements = { icmp, icmpv6 }
+ }
+
+ # interfaces to accept any traffic on
+ set allowed_interfaces {
+ type ifname
+ elements = { "lo" }
+ }
+
+ # services to allow
+ set allowed_tcp_dports {
+ type inet_service
+ elements = { ssh, 9090 }
+ }
+
+ # this chain gathers all accept conditions
+ chain allow {
+ ct state established,related accept
+
+ meta l4proto @allowed_protocols accept
+ iifname @allowed_interfaces accept
+ tcp dport @allowed_tcp_dports accept
+ }
+
+ # base-chain for traffic to this host
+ chain INPUT {
+ type filter hook input priority filter + 20
+ policy accept
+
+ jump allow
+ reject with icmpx type port-unreachable
+ }
+}
+
+# By default, any forwarding traffic is allowed.
+# Uncomment the following line to filter it based
+# on the same criteria as input traffic.
+#include "/etc/nftables/router.nft"
+
+# Uncomment the following line to enable masquerading of
+# forwarded traffic. May be used with or without router.nft.
+#include "/etc/nftables/nat.nft"
diff --git a/nat.nft b/nat.nft
new file mode 100644
index 0000000..7079893
--- /dev/null
+++ b/nat.nft
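Review bot: `flush ruleset` at the top of main.nft removes every table of every family, including the tables firewalld's nftables backend maintains, so loading this file on a host where firewalld is running — the coexistence case the priority note just above describes — discards firewalld's rules until firewalld is reloaded. Scoping the reset to this service's own tables avoids that: replace `flush ruleset` with `add table inet nftables_svc` followed by `delete table inet nftables_svc` (and the same pair for `ip nftables_svc` when nat.nft is included), or at least add a comment on the `flush ruleset` line stating that it is not firewalld-safe. Separately, the `allow` chain accepts `ct state established,related` but never discards conntrack-inconsistent packets, so a `ct state invalid drop` as the first line of `allow` would keep them from reaching the per-protocol accepts.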
@@ -0,0 +1,30 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# dedicated table for IPv4
+table ip nftables_svc {
+
+ # interfaces to masquerade traffic from
+ set masq_interfaces {
+ type ifname
+ elements = { "virbr0" }
+ }
+
+ # networks to masquerade traffic from
+ # 'interval' flag is required to support subnets
+ set masq_ips {
+ type ipv4_addr
+ flags interval
+ elements = { 192.168.122.0/24 }
+ }
+
+ # base-chain to manipulate conntrack in postrouting,
+ # will see packets for new or related traffic only
+ chain POSTROUTING {
+ type nat hook postrouting priority srcnat + 20
+ policy accept
+
+ iifname @masq_interfaces oifname != @masq_interfaces masquerade
+ ip saddr @masq_ips masquerade
+ }
+}
diff --git a/nftables.conf b/nftables.conf
index b2d226d..c3d9649 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,17 +1,8 @@
-#
-# This file will contain your nftables rules and
-# is read by the systemd service when restarting
-#
-# These provide an iptables like set of filters
-# (uncomment to include)
-# include "/etc/nftables/arp-filter.nft"
-# include "/etc/nftables/bridge-filter.nft"
-# include "/etc/nftables/inet-filter.nft"
-# include "/etc/nftables/ipv4-filter.nft"
-# include "/etc/nftables/ipv4-mangle.nft"
-# include "/etc/nftables/ipv4-nat.nft"
-# include "/etc/nftables/ipv4-raw.nft"
-# include "/etc/nftables/ipv6-filter.nft"
-# include "/etc/nftables/ipv6-mangle.nft"
-# include "/etc/nftables/ipv6-nat.nft"
-# include "/etc/nftables/ipv6-raw.nft"
+# Uncomment the include statement here to load the default config sample
+# in /etc/nftables for nftables service.
+
+#include "/etc/nftables/main.nft"
+
+# To customize, either edit the samples in /etc/nftables, append further
+# commands to the end of this file or overwrite it after first service
+# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
diff --git a/nftables.spec b/nftables.spec
index 756b9dc..f378691 100644
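Review bot: The second POSTROUTING rule, `ip saddr @masq_ips masquerade`, is keyed on the source address alone, so unlike the first rule it is not tied to `@masq_interfaces`: a packet entering on any interface that carries a 192.168.122.0/24 source has its source rewritten to the egress address, which conceals where it came from instead of leaving that to input-side filtering. If the set is meant to describe the libvirt network behind virbr0, tying the rule to the interfaces as well, e.g. `ip saddr @masq_ips oifname != @masq_interfaces masquerade`, keeps the address list from becoming an implicit trust decision; otherwise the comment above the rule should say that it relies on reverse-path filtering being enabled elsewhere.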
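Review bot: The closing comment recommends `nft list ruleset >/etc/sysconfig/nftables.conf`, but `nft list ruleset` dumps every table on the host, not only `nftables_svc`, so on a machine where firewalld is running the saved file also contains a snapshot of firewalld's tables and re-creates a stale copy of them at the next service start. The dump also carries no `flush ruleset`, so whether loading it twice duplicates rules depends on what nftables.service does before `nft -f`; the unit file is not part of this diff. I would narrow the advice to the service's own tables, e.g. `# start by calling: 'nft list table inet nftables_svc >/etc/sysconfig/nftables.conf'` (adding `ip nftables_svc` when nat.nft is used), or state that the command is meant to be run with firewalld stopped.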
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utilites
@@ -10,6 +10,9 @@ URL: https://netfilter.org/projects/nftables/
 Source0: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: nftables.service
 Source2: nftables.conf
+Source3: main.nft
+Source4: router.nft
+Source5: nat.nft
 # already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
 Patch1: nftables-1.0.1-drop-historyh.patch
@@ -71,6 +74,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 # Don't ship static lib (for now at least)
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
+# drop vendor-provided configs, they are not really useful
+rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
+
 chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
 mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
@@ -78,13 +84,13 @@ cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
 cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
-chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
-mkdir -m 700 -p $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
-mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft \
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
-chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
-chmod 700 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
+
+find $RPM_BUILD_ROOT/%{_sysconfdir} \
+ \( -type d -exec chmod 0700 {} \; \) , \
+ \( -type f -exec chmod 0600 {} \; \)
 # make nftables.py use the real library file name
 # to avoid nftables-devel package dependency
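Review bot: The new `find $RPM_BUILD_ROOT/%{_sysconfdir} \` in the last hunk walks the whole buildroot `/etc`, so the 0700/0600 that the removed `chmod` lines applied only to `nftables.conf` and `nftables/` now also land on every other directory and file `make install` placed under `%{_sysconfdir}` (anything upstream installs into `%{_sysconfdir}/nftables/` besides the three copied samples, and the `sysconfig` directory itself); whether that alters packaged modes depends on the `%files` section, which is outside the hunk. Restricting the walk to what this package owns keeps the old behaviour, e.g. `find $RPM_BUILD_ROOT/%{_sysconfdir}/nftables $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf \`. Note also that `mkdir -m 700 -p .../nftables` is gone, so the `cp` into `$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/` now relies on `make install` having created that directory. Since nftables.conf tells users to edit the samples in place, the three `.nft` files need `%config(noreplace)` in `%files` for upgrades not to overwrite local edits; that section is not part of this diff, and the `%install` section continues outside the hunk.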
@@ -125,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 %changelog
+* Thu Feb 03 2022 Phil Sutter - 1:1.0.1-3
+- Ship a more advanced default config. Fixes rhbz#1999596
+
 * Thu Jan 20 2022 Fedora Release Engineering - 1:1.0.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
diff --git a/router.nft b/router.nft
new file mode 100644
index 0000000..6300a55
--- /dev/null
+++ b/router.nft
@@ -0,0 +1,16 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+ # base-chain for traffic forwarded by this host
+ # re-uses 'allow' chain from main.nft
+ chain FORWARD {
+ type filter hook forward priority filter + 20
+ policy accept
+
+ jump allow
+ reject with icmpx type host-unreachable
+ }
+}
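Review bot: FORWARD reuses `allow` from main.nft, whose accept conditions are `ct state established,related`, `@allowed_protocols`, `iifname @allowed_interfaces` (only "lo") and `tcp dport { ssh, 9090 }`, so when router.nft and nat.nft are both enabled, new outbound connections from the virbr0 / 192.168.122.0/24 network that nat.nft is meant to masquerade are rejected here with host-unreachable in the forward hook before they reach POSTROUTING. main.nft presents the two includes as independent ("May be used with or without router.nft"), so this chain should either carry a comment saying that forwarding from a masqueraded network needs its own accept rule ahead of `jump allow`, e.g. `# masqueraded clients need an accept here, e.g. 'iifname "virbr0" accept', before jump allow`, or ship such a rule commented out. The `masq_interfaces` set cannot simply be referenced from this chain because it lives in the `ip` family table of nat.nft, not in `inet nftables_svc`.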