diff --git a/deploy-nftables b/deploy-nftables
new file mode 100755
index 0000000..a90787d
--- /dev/null
+++ b/deploy-nftables
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+. ssh.sh
+
+for host in ${hosts_all[@]}; do
+ remote=root@$host
+
+ echo
+ echo $host
+ echo
+
+ cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
+ sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]} / 64 ))/g" tmp
+ sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
+ sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
+ rsync tmp $remote:/etc/nftables.conf
+ rm tmp
+ ssh $remote systemctl enable --now nftables.service
+done
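Review bot: Nothing in the loop stops a half-rendered ruleset from being installed: the script has no `set -e` and no per-command checks, so if `cp` or any `sed -i` fails, `rsync` still copies whatever `tmp` holds to `/etc/nftables.conf`. The `sed` expressions are a likely failure point, since `$ssh_ipv4` and `$ssh_ipv6` are interpolated unescaped and a value carrying a prefix length (a `/`) would break `s/…/…/`; those variables presumably come from `ssh.sh`, which is not shown, so this needs confirming. I would add `set -euo pipefail` after the shebang, switch the delimiter (`sed -i "s|{{ssh_ipv4}}|$ssh_ipv4|g" tmp`), and check the rendered file with `nft -c -f tmp` before the `rsync` where `nft` is available on the deploy host. Also note that `systemctl enable --now` only starts a unit that is not already active, so on a host already running nftables the new file is presumably not loaded until a reload or restart.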