diff --git a/tasks/plain-iptables.yml b/tasks/plain-iptables.yml
index 3fee184..87e102d 100644
--- a/tasks/plain-iptables.yml
+++ b/tasks/plain-iptables.yml
@@ -39,6 +39,18 @@
       - ansible_distribution_major_version >= '16'
     register: install_netfilter_rules
 
+  - name: Load the nf_conntrack_ftp module when FTP is enabled
+    ansible.builtin.modprobe:
+      name: nf_conntrack_ftp
+      state: present
+    when: vsftpd_iptables_rules is defined and vsftpd_iptables_rules
+
+  - name: Load the nf_conntrack_tftp module when TFTP is enabled
+    ansible.builtin.modprobe:
+      name: nf_conntrack_tftp
+      state: present
+    when: tftp_server_iptables_rules is defined and tftp_server_iptables_rules
+
   - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
     service: name=iptables-persistent state=restarted enabled=yes
     register: restart_related_t
diff --git a/templates/iptables-rules.v4.j2 b/templates/iptables-rules.v4.j2
index 4f98a4d..d7426dc 100644
--- a/templates/iptables-rules.v4.j2
+++ b/templates/iptables-rules.v4.j2
@@ -233,6 +233,14 @@
 -A INPUT -m helper --helper ftp -j ACCEPT
 {% endif %}
 {% endif %}
+{% if tftp_server_iptables_rules is defined and tftp_server_iptables_rules %}
+# TFTP service
+{% for ip in tftp_server_iptables_allowed %}
+-A INPUT -m state --state NEW -p udp -s {{ ip }} --dport tftp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -p udp -s {{ ip }} -j ACCEPT
+{% endfor %}
+-A INPUT -m helper --helper tftp -j ACCEPT
+{% endif %}
 #
 # TODO: add the rules that block traffic from now on
 #
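Review bot: `ansible.builtin.modprobe` is not a module ansible-core ships as far as I know — modprobe lives in community.general — so both new tasks would fail to resolve at playbook load; `community.general.modprobe:` (or the short name `modprobe:`, matching how the neighbouring `service:` task is written) is what should be there. Separately, modprobe only loads the module into the running kernel, so after a reboot iptables-persistent restores rules whose `-m helper` matches silently never fire until the role runs again; persist the module name under `/etc/modules-load.d/` as well (recent community.general versions expose a `persistent` option on modprobe, otherwise a small `copy` task does it). The enclosing task list continues outside the hunk.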
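Review bot: The added `-A INPUT -m helper --helper tftp -j ACCEPT` carries neither a source nor a state match, so on kernels that still auto-assign conntrack helpers a NEW datagram to udp/69 from an address outside `tftp_server_iptables_allowed` can match it and bypass the allowlist loop directly above; the pre-existing ftp helper rule in the context lines has the same shape. Restricting it to follow-up traffic, `-A INPUT -m helper --helper tftp -m state --state ESTABLISHED,RELATED -j ACCEPT`, leaves the per-source NEW rule as the only way in. Whether the helper gets attached at all depends on the kernel's helper auto-assignment setting (off by default on newer kernels and gone from very recent ones), in which case an explicit helper assignment in the raw table is needed for this match to ever fire — a one-line comment stating which mode the template assumes would save the next reader a debugging session. Also, `tftp_server_iptables_allowed` is not guarded the way `tftp_server_iptables_rules` is; a role default of `[]` would turn an undefined-variable template error into an empty allowlist.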