diff --git a/roles/net-overlay/templates/firewall/11net-overlay.j2 b/roles/net-overlay/templates/firewall/11net-overlay.j2
index 7e86d4f1f79ee78e19db84f83c6aca72a00e3704..9bc7d341d6c5ba5b8638b2a15388de099cae03b9 100644
--- a/roles/net-overlay/templates/firewall/11net-overlay.j2
+++ b/roles/net-overlay/templates/firewall/11net-overlay.j2
@@ -26,6 +26,11 @@ add_rule4 -A base-input -i {{ tinc_net }} -j vpn-{{ tinc_net }}-input
 {% for port in services[s].get('ports', []) %}
 add_rule -A vpn-{{ tinc_net }}-input -p tcp --dport {{ port }} -j ACCEPT
 {% endfor %}
+{% for container in services[s].get('containers', []) %}
+{% if 'port' in container %}
+add_rule -A vpn-{{ tinc_net }}-input -p tcp --dport {{ container.port }} -j ACCEPT
+{% endif %}
+{% endfor %}
 {% for ep in services[s].get('public_endpoints', []) %}
 add_rule -A vpn-{{ tinc_net }}-input -p tcp --dport {{ ep.port }} -j ACCEPT
 {% endfor %}
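Review bot: The added loop over `services[s].get('containers', [])` accepts TCP traffic from every overlay peer to any container that declares `port`, with no per-service opt-in, so a container port meant to be reached only through a local proxy would presumably become reachable across the VPN too. If that exposure is intended, a template comment above the loop such as `{# container ports are reachable from all overlay peers; omit 'port' for host-local containers #}` would make it explicit. `container.port` is also rendered into the rule unvalidated, so checking that it is an integer in the 1–65535 range before rendering would keep a malformed inventory value out of the `--dport` argument. The enclosing loop over `s` starts outside the hunk, so any earlier filtering of these services is not visible here.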