diff --git a/roles/alpine/handlers/main.yml b/roles/alpine/handlers/main.yml
index 8d1e648..c215f94 100644
--- a/roles/alpine/handlers/main.yml
+++ b/roles/alpine/handlers/main.yml
@@ -4,6 +4,12 @@
     state: reloaded
   when: "'handler' not in ansible_skip_tags"
 
+- name: reload nftables
+  service:
+    name: nftables
+    state: reloaded
+  when: "'handler' not in ansible_skip_tags"
+
 - name: update package cache
   package:
     update_cache: true
diff --git a/roles/alpine/tasks/main.yml b/roles/alpine/tasks/main.yml
index d61a44a..b590034 100644
--- a/roles/alpine/tasks/main.yml
+++ b/roles/alpine/tasks/main.yml
@@ -30,6 +30,18 @@
     value: 'prohibit-password'
   notify: reload sshd
 
+- name: Set up firewall
+  template:
+    dest: /etc/nftables.d/local.nft
+    src: local.nft.j2
+  notify: reload nftables
+
+- name: Enable firewall
+  service:
+    name: nftables
+    enabled: yes
+    state: started
+
 - name: Enable QEMU guest agent
   when: is_virtual
   block:
diff --git a/roles/alpine/templates/local.nft.j2 b/roles/alpine/templates/local.nft.j2
new file mode 100644
index 0000000..ad84ef6
--- /dev/null
+++ b/roles/alpine/templates/local.nft.j2
@@ -0,0 +1,24 @@
+table inet filter {
+  chain input {
+    tcp dport ssh accept
+
+{% for service in services %}
+{% set prefixes = service | allowed_prefixes %}
+{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
+{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
+{% set ports = service.ports | compact_numlist %}
+  # service {{ service.name }}
+{% if prefixes4 or prefixes6 %}
+{% if prefixes4 %}
+    ip saddr { {{ prefixes4 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+{% if prefixes6 %}
+    ip6 saddr { {{ prefixes6 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+{% else %}
+    tcp dport { {{ ports }} } accept
+{% endif %}
+
+{% endfor %}
+  }
+}
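Review bot: The "Set up firewall" template task installs the rendered fragment without a syntax check, so a rendering mistake only surfaces when the "reload nftables" handler runs at the end of the play, possibly leaving the host with whatever ruleset was loaded before; if the fragment parses on its own, `validate: nft -c -f %s` on the template task catches that before the file is written. `enabled: yes` in "Enable firewall" is a YAML 1.1 truthy value that yamllint/ansible-lint flag; write `enabled: true`. Nothing in these hunks installs the nftables package or shows that the main ruleset includes `/etc/nftables.d/*.nft`, so the template and service tasks presumably rely on the stock Alpine package doing both — worth confirming, or adding a `package` task ahead of them.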
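Review bot: `{% if prefixes4 %}`, `{% if prefixes6 %}` and the `{% if prefixes4 or prefixes6 %}` guard never take their empty branch, because `selectattr` and `map` return Jinja2 generators, which are truthy even when they yield nothing; a service with only IPv6 prefixes would render `ip saddr {  } tcp dport { … } accept`, an empty set that nft rejects, and the unrestricted `{% else %}` branch is unreachable. Materialise the lists when setting them: `{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') | list %}` and the same `| list` on `prefixes6`. Separately, `chain input` here declares no `type filter hook input priority …; policy …;`, so standing alone it is a regular chain that sees no traffic; it only takes effect if the ruleset that includes this fragment already defines `inet filter input` as a base chain, and then these accepts are appended after whatever terminal reject/drop rule that chain already ends with, which should be checked against the stock ruleset. `allowed_prefixes` and `compact_numlist` are project filters, so the shape of `prefixes` and `ports` is assumed here.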