Adding nft firewall rules on a node with Calico installed

I have Calico installed with the Tigera Operator and the following config:
kubectl get felixconfigurations default -o json | jq .spec

{
  "bpfLogLevel": "",
  "iptablesBackend": "NFT",
  "logSeverityScreen": "Info",
  "reportingInterval": "0s",
  "vxlanEnabled": true
}

I would like to add some nft rules to protect this test node (internet-facing), but as soon as my nft rules are present, pod-to-pod communication and egress traffic from the pods are broken.

I am using the following nft rules:

#!/usr/sbin/nft -f

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop

                iif lo accept comment "Accept any localhost traffic"

                ct state established,related accept comment "Accept traffic originated from us"
                ct state invalid drop comment "Drop invalid connections"
                # ICMP is OK with rate limiting
                ip protocol icmp limit rate 4/second accept
                ip6 nexthdr ipv6-icmp limit rate 4/second accept

                # SSH rate limit must come before the generic accept, otherwise
                # port 22 is accepted unconditionally and the limit never applies
                tcp dport 22 ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"
                # various port accepts
                tcp dport {80, 443} accept comment "http(s)"
        }

        chain output {
                # Accept every outbound connection
                type filter hook output priority 0; policy accept;
        }
}

What exactly is missing from this ruleset so that I block incoming traffic without blocking Calico?
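As an added example that is not part of the original post, the following ruleset shows how an input chain with a drop policy can be extended so that Calico's own traffic is still accepted. It relies on Calico's documented defaults (pod veth devices named cali*, the VXLAN device vxlan.calico, VXLAN on UDP 4789, BGP on TCP 179, the kubelet on TCP 10250); the node CIDR 10.0.0.0/24 is an assumed placeholder and must be replaced with the real node subnet of the cluster.

```nft
#!/usr/sbin/nft -f

# Assumed placeholder: replace with the CIDR your cluster nodes actually use.
define cluster_nodes = { 10.0.0.0/24 }

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop

                iif lo accept comment "Accept any localhost traffic"

                ct state established,related accept comment "Accept traffic originated from us"
                ct state invalid drop comment "Drop invalid connections"

                # Calico: pods on this node talk to the host through their cali* veth
                # devices, and cross-node pod traffic is handed to the host after
                # decapsulation on vxlan.calico. Neither device is internet-facing.
                iifname "cali*" accept comment "Local pods -> node"
                iifname "vxlan.calico" accept comment "Decapsulated Calico VXLAN traffic"

                # Calico VXLAN overlay: pod-to-pod traffic from other nodes arrives on
                # the node's own address as UDP 4789 and is otherwise hit by the drop policy.
                ip saddr $cluster_nodes udp dport 4789 accept comment "Calico VXLAN from cluster nodes"
                # Only needed if BGP is also enabled in the Calico installation.
                ip saddr $cluster_nodes tcp dport 179 accept comment "Calico BGP from cluster nodes"

                # Kubernetes itself: the control plane reaches the kubelet on this port.
                ip saddr $cluster_nodes tcp dport 10250 accept comment "kubelet from cluster nodes"

                # ICMP is OK with rate limiting
                ip protocol icmp limit rate 4/second accept
                ip6 nexthdr ipv6-icmp limit rate 4/second accept

                # Rate-limit new SSH connections before any generic accept, so that the
                # limit actually applies; public services follow.
                tcp dport 22 ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"
                tcp dport {80, 443} accept comment "http(s)"
        }

        chain output {
                # Accept every outbound connection
                type filter hook output priority 0; policy accept;
        }
}
```

Two points worth checking before loading this: first, run `nft -c -f <file>` to syntax-check the script without applying it; second, this ruleset deliberately has no chain on the forward hook, so forwarded pod-to-pod and pod egress traffic stays under Calico's own chains (visible with `nft list ruleset`, which should still show Calico's tables after loading). If a forward chain with a drop policy is added later, the same cali* and vxlan.calico accepts are needed there. The cluster_nodes set is IPv4 only; a dual-stack cluster needs matching `ip6 saddr` rules.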