diff --git a/roles/common/templates/nftables.conf.j2 b/roles/common/templates/nftables.conf.j2
index 65bd30e..06f70c8 100755
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@@ -48,7 +48,29 @@ table inet filter {
 ip6 nexthdr ipv6-icmp limit rate 4/second accept
 ip protocol igmp limit rate 4/second accept
- ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+ {# SSH rules #}
+ ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+ {# Web rules #}
+ {% if 'web' in group_names %}
+ ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+ ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+ ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+ {% endif %}
+
+ {# Extra rules #}
+ {% if extra_iptables_rules is defined %}
+ {% for rule in extra_iptables_rules %}
+ ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+ {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+ ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+ {% endif %}
+
+ {% endfor %}
+ {% endif %}
 # everything else
 reject with icmpx type port-unreachable
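Review bot: The two new SSH lines under `{# SSH rules #}` open tcp/22 to every IPv4 and IPv6 source, where the removed line accepted it only from 172.20.0.1; nothing in the commit says this widening is intended, so either the source should stay parameterized (e.g. `ip saddr {{ ssh_allowed_sources }} ct state new tcp dport 22 counter accept`, variable name illustrative) or the template should carry a comment recording why SSH is now reachable from anywhere. If the exposure is deliberate, the chain already rate-limits icmp with `limit rate 4/second`, and the same construct on the port-22 accepts would bound new-connection bursts without changing who is allowed in. In the `{# Extra rules #}` loop, `{{ rule.protocol }}`, `{{ rule.port }}` and `{{ ghetto_ipsets[rule.acl].src }}` are interpolated into the ruleset without any check, so a mistyped or unexpected inventory value produces a file that `nft -f` refuses to load rather than a single bad rule; a short comment above the loop stating what shapes these variables must have (protocol name, port number, address or prefix) would help whoever maintains the inventory. The `table inet filter {` block enclosing these rules starts before this hunk and its closing lines, if any, are not visible here.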