diff --git a/manifests/init.pp b/manifests/init.pp
index c3fbf88..d6bab5c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -9,6 +9,12 @@
 # eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
 # public_tcp_ports: List of integer TCP ports on which to allow all traffic
 # public_udp_ports: List of integer UDP ports on which to allow all traffic
+# allowed_hosts: An array of hashes in the form:
+# hostname => str
+# port => int
+# protocol => 'udp' or 'tcp'
+# All entries in allowed_hosts will be resolved to ip addresses and added as
+# additional ACCEPT rules
 class iptables(
 $rules4 = [],
 $rules6 = [],
@@ -16,6 +22,7 @@ class iptables(
 $public_udp_ports = [],
 $snmp_v4hosts = [],
 $snmp_v6hosts = [],
+ $allowed_hosts = [],
 ) {
 include ::iptables::params
diff --git a/metadata.json b/metadata.json
index ef93b9e..a8c4a64 100644
--- a/metadata.json
+++ b/metadata.json
@@ -7,5 +7,7 @@
 "source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
 "project_page": "http://docs.openstack.org/infra/system-config/",
 "issues_url": "https://storyboard.openstack.org/#!/project/770",
- "dependencies": []
+ "dependencies": [
+ {"name":"dalen/dnsquery","version_requirement":"2.0.1"}
+ ]
 }
diff --git a/templates/rules.erb b/templates/rules.erb
index e427df9..1056b9f 100644
--- a/templates/rules.erb
+++ b/templates/rules.erb
@@ -26,5 +26,10 @@
 <% @rules4.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
diff --git a/templates/rules.v6.erb b/templates/rules.v6.erb
index d54a1f3..e6f195e 100644
--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
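Review bot: The new `allowed_hosts` parameter is documented as taking `protocol => 'udp' or 'tcp'` and an integer port, but nothing in the class checks that shape, and the untyped `$allowed_hosts = []` default accepts any value; the templates interpolate these fields straight into the rules file, so a typo surfaces only when iptables-restore rejects the generated file. The header comment should also say where and when resolution happens, since the lookup is done while the template is rendered, i.e. during catalog compilation, and the resulting ACCEPT set therefore reflects that resolver's answers and changes only on the next agent run; I would add `# Names are resolved when the catalog is compiled (dns_a for IPv4 rules, dns_aaaa for IPv6 rules), so address changes take effect on the next run.` What happens for a name that does not resolve depends on how the dns_a/dns_aaaa functions report failure (no rule, or a compile error) and is worth confirming and stating in the comment.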
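Review bot: `host['protocol']`, `host['port']` and each resolved `addr` are written into the rule line with no validation, so a `protocol` other than `tcp`/`udp` or a non-numeric `port` yields a line iptables-restore will reject, and because the file is loaded as a whole, one bad entry can leave the entire ruleset unapplied. Failing at compile time with a clear message is safer than emitting a broken file; a guard before the lookup such as `<% raise "allowed_hosts: bad protocol for #{host['hostname']}" unless %w(tcp udp).include?(host['protocol']) -%>` and `<% raise "allowed_hosts: bad port for #{host['hostname']}" unless host['port'].to_s =~ /\A\d+\z/ -%>` would do that. The same applies to the identical loop in the rules.v6.erb hunk using `dns_aaaa`. A one-line template comment noting that the ACCEPT sources come from DNS answers obtained at compile time, and so depend on the resolver the compiling node uses, would help whoever later audits these rules.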
@@ -25,5 +25,10 @@
 <% @rules6.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT