diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix
index 52f20249..ebf160c3 100644
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -44,6 +44,17 @@ in {
 networking = {
 hostName = "sobotka";
 domain = "cnst.dev";
+ firewall.extraCommands = ''
+ # Allow LAN access to Deluge Web UI
+ nft add rule inet filter input ip saddr 192.168.88.0/24 tcp dport 8112 accept
+
+ # Allow LAN access to Deluge daemon and torrent port
+ nft add rule inet filter input ip saddr 192.168.88.0/24 udp dport { 58846, 6881 } accept
+
+ # Block all other access to those ports
+ nft add rule inet filter input tcp dport 8112 drop
+ nft add rule inet filter input udp dport { 58846, 6881 } drop
+ '';
 };

 powerManagement.enable = false;
diff --git a/modules/server/deluge/default.nix b/modules/server/deluge/default.nix
index 34c45473..0fed696b 100644
--- a/modules/server/deluge/default.nix
+++ b/modules/server/deluge/default.nix
@@ -47,8 +47,8 @@ in {
 autoStart = true;
 dependsOn = ["gluetun"];
 ports = [
- "8112:8112"
- "6881:6881"
+ "192.168.88.14:8112:8112"
+ "192.168.88.14:58846:58846"
 ];
 extraOptions = [
 "--network=container:gluetun"
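Review bot: In the `firewall.extraCommands` block of `hosts/sobotka/default.nix`, port 58846 is matched with `udp dport`, but `modules/server/deluge/default.nix` publishes it as `192.168.88.14:58846:58846` with no `/udp` suffix, i.e. as TCP, so neither the accept nor the drop rule covers the daemon port. I would match it under TCP instead: `nft add rule inet filter input ip saddr 192.168.88.0/24 tcp dport { 8112, 58846 } accept` and `nft add rule inet filter input tcp dport { 8112, 58846 } drop`, keeping a UDP rule only for 6881 if it is still needed. The rules also assume that a table `inet filter` with a chain `input` exists, which this diff does not show, and `nft add rule` appends, so they land after whatever is already in the chain and may be duplicated each time the firewall commands run. If the host uses the nftables firewall backend, `networking.firewall.extraInputRules` looks like the better fit; worth confirming which backend is active.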
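Review bot: The bind address `192.168.88.14` in the `ports` list is hard-coded in the shared `modules/server/deluge` module, although it is a property of the host configured under `hosts/sobotka`; a module option, or at least a comment such as `# sobotka's LAN address: keeps the Web UI and daemon off other interfaces`, would keep the module reusable and the intent visible. The hunk also drops the `6881` mapping while the firewall rules added in `hosts/sobotka/default.nix` still reference 6881, so one of the two looks stale. Traffic to published container ports is usually DNATed and handled in the forward path rather than the input chain, so this bind address is probably the control that actually limits exposure, and the comment should say so. The container definition starts and ends outside the hunk, and the list sits next to `--network=container:gluetun`, so whether these mappings take effect on this container at all cannot be confirmed from here.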