Fixes one more English phrasing in the nftables hardening guide

> See <https://blog.samuel.domains/blog/security/nftables-hardening-rules-and-good-practices#isso-56>

_posts/2020-03-20-nftables-hardening-rules-and-good-practices.md

@@ -138,7 +138,7 @@ Here, the table has been declared with a `netdev` network family type. It means
 You may also have noticed the `-500` priority. By setting it lower than `NF_IP_PRI_CONNTRACK_DEFRAG` (= `-400`), we are sure that our chain will be evaluated before any other one registered on the `ingress` hook. This makes it the perfect place to set our DDoS counter-measures, as we would "spare" a few CPU cycles per packet.
 
 About the rules themselves, there are two kind of statements (decisions) : those that are _terminal_, and those which are not. For instance, `drop` is _terminal_ (a verdict), whereas `counter` is not.  
-Thus, we may specify `counter drop`, to make Netfilter _count_ the number of packets matching the rule, **and** dropping them at the same time (very useful for debugging purposes).  
+Thus, we may specify `counter drop`, to make Netfilter _count_ the number of packets matching the rule, **and** _drop_ them at the same time (very useful for debugging purposes).  
 No need to duplicate weird `iptables` calls anymore (calls that were duplicating Netfilter registered rules by the way :roll_eyes:).
 
 > Note on "Bogons" : If you got an IPv6 stack, you _might_ be interested in the [IPv6 Full Bogons](https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt) list.
@@ -151,15 +151,12 @@ A regular anti-DDoS rule is to [block new packets that are not `SYN`](https://ja
 
 Well, in order to match "new" packets, we need the help of the `conntrack` Netfilter module.  
 The problem : It's not available within a chain registered with the `ingress` hook, that's why we gotta use it elsewhere.  
-Let's then take the firstly encountered other "location" on the Netfilter flow, the `PREROUTING` hook.
-
-> Note : The snippet below [requires a Kernel >= 5.2](https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Inet_family_NAT).  
-> If that's not the case on your machine, replace `inet` by `ip`, but please notice that incoming IPv6 traffic won't be matched.
+Let's then take the firstly encountered other "location" on the Netfilter flow : [the `PREROUTING` chain of the `filter` table, at the `mangle` (-150) priority](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook).
 
 {% highlight nftables %}
-table inet nat {
+table inet mangle {
 	chain prerouting {
-		type nat hook prerouting priority -100;
+		type filter hook prerouting priority -150;
 
 		# CT INVALID
 		ct state invalid counter drop
@@ -245,9 +242,9 @@ table inet filter {
 	}
 }
 
-table inet nat {
+table inet mangle {
 	chain prerouting {
-		type nat hook prerouting priority -100;
+		type filter hook prerouting priority -150;
 
 		# CT INVALID
 		ct state invalid counter drop
@@ -283,3 +280,7 @@ If you think that something is definitely missing (or wrong !), please feel free
 * [paulgorman.org/technical — nftables](https://paulgorman.org/technical/linux-nftables.txt.html)
 
 * [Netfilter’s connection tracking system](https://people.netfilter.org/pablo/docs/login.pdf)
+
+### Acknowledgments
+
+* Thanks to [Timo](#isso-56) for their improvement of `conntrack`-based hardening rules