diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
index 5fc0cfa4cf..fbd082e4ff 100644
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@@ -36,6 +36,12 @@ COMMIT
 -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
 # if the host/group defines incoming tcp_ports - allow them
 {% for port in tcp_ports %}
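Review bot: The added `--dport 30{{ '%02d' % i }}` rule accepts from any source and puts no upper bound on `i`: once `wsgi_procs * wsgi_threads` exceeds 100, `'%02d' % i` renders three digits and the rule opens ports 30100 and up instead of staying within 3000–3099. The guard also tests only `wsgi_fedmsg_service`, so a host that sets it without `wsgi_procs` and `wsgi_threads` would presumably fail to render the whole ruleset. I would guard all three variables and bound the loop, e.g. `{% if wsgi_fedmsg_service is defined and wsgi_procs is defined and wsgi_threads is defined %}` with `{% for i in range([wsgi_procs * wsgi_threads, 100] | min) %}`. Unlike the `--dport 5666` rules just above, the new rule has no `-s` match; if the fedmsg endpoints are only meant for internal consumers, restrict the source here, or extend the comment to say why the ports are open to all, so the staging exposure is deliberate.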