diff --git a/defaults/main.yml b/defaults/main.yml
index a5c2cc1..2cda92e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,3 +5,5 @@ wireguard_listenport: 51820
 wireguard_peers: []
 wireguard_ipv4_forward: true
 wireguard_ipv6_forward: true
+wireguard_nftables_services_allow:
+ - ssh
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 36ba357..4071c44 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -11,7 +11,7 @@ table inet filter {
 ct state established,related accept
 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
 ip protocol icmp icmp type echo-request accept
-tcp dport { ssh } ct state new accept
+tcp dport { {{ wireguard_nftables_services_allow_tcp | join(', ')}} } ct state new accept
 udp dport { {{ wireguard_listenport }} } ct state new accept
 counter drop
 }
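Review bot: The new template line in templates/nftables.conf.j2 reads `wireguard_nftables_services_allow_tcp`, but the default added in defaults/main.yml is named `wireguard_nftables_services_allow`; unless the `_tcp` variant is defined somewhere outside this diff, templating fails on an undefined variable and the nftables ruleset is never updated. Make the two names agree, e.g. `tcp dport { {{ wireguard_nftables_services_allow | join(', ') }} } ct state new accept`. An empty list would also render `tcp dport {  }`, which nftables rejects as a syntax error, so either guard the line with `{% if wireguard_nftables_services_allow %}` … `{% endif %}` or document that the list must stay non-empty. Because the chain ends in `counter drop` and `ssh` is the only default entry, a comment on the default such as `# Removing ssh from this list drops new management connections; keep console access available` would help operators avoid locking themselves out.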