diff --git a/playbook.yml b/playbook.yml
index 7a6bc58..9e0b8ee 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -29,3 +29,4 @@
     - 'vars/syncthing.yml'
     - 'vars/mpd.yml'
     - 'vars/radicale.yml'
+    - 'vars/jellyfin.yml'
diff --git a/templates/nftables.j2 b/templates/nftables.j2
index 70e57cc..05e0099 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@@ -32,5 +32,11 @@ table ip filter {
     iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
     iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD"
     iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
+
+    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
+
+    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery"
+
+    iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery"
   }
 }
diff --git a/vars/jellyfin.yml b/vars/jellyfin.yml
new file mode 100644
index 0000000..4445d1d
--- /dev/null
+++ b/vars/jellyfin.yml
@@ -0,0 +1,3 @@
+jellyfin_http_port: 8096
+jellyfin_service_port: 1900
+jellyfin_client_port: 7359