diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf
index 83bf07f..c39e8be 100644
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@@ -14,6 +14,13 @@ table inet filter {
 iif lo accept
+% for address in sorted(blocked_v4):
+ ip saddr ${address} drop
+% endfor
+% for address in sorted(blocked_v6):
+ ip6 saddr ${address} drop
+% endfor
+ icmp type timestamp-request drop
 icmp type timestamp-reply drop
 ip protocol icmp accept
diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py
index 96eebcf..9bbe11f 100644
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@@ -17,6 +17,8 @@ files = {
 '/etc/nftables.conf': {
 'content_type': 'mako',
 'context': {
+ 'blocked_v4': node.metadata.get('nftables/blocked_v4', set()),
+ 'blocked_v6': node.metadata.get('nftables/blocked_v6', set()),
 'forward': node.metadata.get('nftables/forward', {}),
 'input': node.metadata.get('nftables/input', {}),
 'postrouting': node.metadata.get('nftables/postrouting', {}),
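Review bot: The new `ip saddr ${address} drop` / `ip6 saddr ${address} drop` rules sit after `iif lo accept`, so they only see packets that no earlier rule in this chain has already accepted; if a `ct state established,related accept` rule precedes them (the chain's opening lines are above the hunk and not visible), connections that are already open from a newly blocked address keep flowing until their conntrack entries expire, which is worth a comment next to the loop or a note in the bundle's docs. Emitting one linear rule per address also grows the chain with the block list and does not let an operator express a CIDR without relying on nft accepting it in that position; a single anonymous set per family, guarded so an empty collection produces no rule (an empty `{ }` is a load error), keeps the match O(1): `% if blocked_v4:` / `        ip saddr { ${', '.join(sorted(blocked_v4))} } drop` / `% endif`, and the same shape for `ip6 saddr` over `blocked_v6`. Note that `sorted()` orders the address strings lexicographically rather than numerically, which is harmless for a set literal but means the rendered order is not what a reader might expect. The enclosing `chain` block starts before and ends after this hunk.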
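Review bot: The `blocked_v4` and `blocked_v6` values taken from `node.metadata.get(...)` reach the Mako template unvalidated and are interpolated verbatim into the ruleset, so a single malformed entry (a hostname, an IPv6 address placed in the v4 set, stray whitespace) makes the rendered file unloadable and leaves the host on whichever ruleset was active before instead of the intended one. Normalising each entry in items.py keeps the failure at deploy time with a clear message and lets the template trust its input, e.g. `'blocked_v4': {str(ipaddress.ip_network(a, strict=False)) for a in node.metadata.get('nftables/blocked_v4', set())},` plus an equivalent line for `blocked_v6`, each followed by a check that the parsed network's `.version` is 4 or 6 respectively; the `ipaddress` import belongs at the top of items.py, which is outside the hunk. A one-line comment above the two keys saying that entries must be IPv4/IPv6 addresses or CIDR networks and are dropped before ICMP handling would also help whoever populates the metadata. The `files` dict continues past the end of the hunk.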