diff --git a/nodepool/elements/nodepool-base/install.d/20-iptables b/nodepool/elements/nodepool-base/install.d/20-iptables
new file mode 100755
index 0000000000..7f5751c3b2
--- /dev/null
+++ b/nodepool/elements/nodepool-base/install.d/20-iptables
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# dib-lint: disable=setu setpipefail
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -e
+
+if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
+ rules_dir=/etc/iptables
+ ipv4_rules=${rules_dir}/rules.v4
+ ipv6_rules=${rules_dir}/rules.v6
+elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
+ rules_dir=/etc/sysconfig
+ ipv4_rules=${rules_dir}/iptables
+ ipv6_rules=${rules_dir}/ip6tables
+else
+ echo "Unsupported operating system $DISTRO_NAME"
+ exit 1
+fi
+
+mkdir -p $rules_dir
+
+cat > $ipv4_rules << EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
+# Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
+# the ironic API from the neutron public net
+-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
+-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
+# Ports 8000, 8003, 8004 from the devstack neutron public net to allow
+# nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
+-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
+-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
+-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
+-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+ln -s ${ipv4_rules} ${rules_dir}/rules
+
+cat > $ipv6_rules << EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p ipv6-icmp -j ACCEPT
+-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+# Public TCP ports
+-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
diff --git a/nodepool/elements/nodepool-base/post-install.d/20-iptables b/nodepool/elements/nodepool-base/post-install.d/20-iptables
new file mode 100755
index 0000000000..526f458ecf
--- /dev/null
+++ b/nodepool/elements/nodepool-base/post-install.d/20-iptables
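Review bot: The IPv6 ruleset at the end of the hunk goes straight to `REJECT --reject-with icmp6-adm-prohibited` without the rate-limited LOG rule that the IPv4 chain places just before its REJECT, so connections blocked over v6 leave no trace in the kernel log and the two address families diverge when a job's traffic is dropped. Adding `-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "ip6tables dropped: "` immediately before the v6 REJECT keeps the chains parallel. Separately, `ln -s ${ipv4_rules} ${rules_dir}/rules` aborts the script under `set -e` whenever `${rules_dir}/rules` already exists; `ln -sf -- "${ipv4_rules}" "${rules_dir}/rules"` makes the step idempotent, and the `mkdir -p` and `cat >` targets should be quoted the same way even though their values are fixed literals here.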
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# dib-lint: disable=setu setpipefail
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -e
+
+if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
+ if [[ "$DIB_RELEASE" == 'trusty' ]] ; then
+ service_name=iptables-persistent
+ else
+ service_name=netfilter-persistent
+ fi
+elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
+ service_name=iptables
+else
+ echo "Unsupported operating system $DISTRO_NAME"
+ exit 1
+fi
+
+case "$DIB_INIT_SYSTEM" in
+ upstart)
+ # nothing to do
+ ;;
+ systemd)
+ systemctl enable ${service_name}.service
+ if [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
+ systemctl enable ip6tables.service
+ fi
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
+
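Review bot: The `(centos|fedora)` test is evaluated twice — once in the `elif` that sets `service_name` and again inside the `systemd)` arm to decide whether `ip6tables.service` is enabled — so distro knowledge lives in two places and a new distro must be added to both. Setting `ipv6_service_name=ip6tables` next to `service_name=iptables` in the `elif` arm and replacing the inner `if` with `if [[ -n "${ipv6_service_name:-}" ]]; then systemctl enable "${ipv6_service_name}.service"; fi` keeps the case arm distro-agnostic; `systemctl enable "${service_name}.service"` should be quoted the same way. The `upstart)` arm's `# nothing to do` would help a reader more if it said why nothing is needed there (presumably the package's own init job is enabled on install, but the hunk does not show that).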