diff --git a/nodepool/elements/infra-package-needs/pkg-map b/nodepool/elements/infra-package-needs/pkg-map
index b0fe717112..885d475778 100644
--- a/nodepool/elements/infra-package-needs/pkg-map
+++ b/nodepool/elements/infra-package-needs/pkg-map
@@ -36,7 +36,7 @@
       "puppet": "ruby2.1-rubygem-puppet",
       "python-dev": "python-devel",
       "python3-dev": "python3-devel",
-      "iptables": "iptables",
+      "iptables": "iptables SuSEfirewall2",
       "uuid-runtime": "uuidd"
     }
   },
diff --git a/nodepool/elements/nodepool-base/install.d/20-iptables b/nodepool/elements/nodepool-base/install.d/20-iptables
index 7f5751c3b2..7b171c28a8 100755
--- a/nodepool/elements/nodepool-base/install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/install.d/20-iptables
@@ -28,6 +28,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     rules_dir=/etc/sysconfig
     ipv4_rules=${rules_dir}/iptables
     ipv6_rules=${rules_dir}/ip6tables
+elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    rules_dir=/etc/sysconfig
+    ipv4_rules=${rules_dir}/iptables
+    ipv6_rules=${rules_dir}/ip6tables
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1
@@ -82,3 +86,15 @@ cat > $ipv6_rules << EOF
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
 EOF
+
+if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
+
+    cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
+fw_custom_after_finished() {
+    /usr/sbin/iptables-restore $ipv4_rules
+    /usr/sbin/ip6tables-restore $ipv6_rules
+}
+EOF
+
+fi
diff --git a/nodepool/elements/nodepool-base/post-install.d/20-iptables b/nodepool/elements/nodepool-base/post-install.d/20-iptables
index 526f458ecf..1b65e08a6d 100755
--- a/nodepool/elements/nodepool-base/post-install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/post-install.d/20-iptables
@@ -28,6 +28,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
     fi
 elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     service_name=iptables
+elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
+    service_name=SuSEfirewall2
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1