diff --git a/inventory/inventory b/inventory/inventory index f7a14f1a86..42d7456602 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -474,6 +474,15 @@ tagger01.stg.phx2.fedoraproject.org value01.stg.phx2.fedoraproject.org wiki01.stg.phx2.fedoraproject.org +# This is a list of hosts that are a little "friendly" with staging. +# They are exempted from the iptables wall between staging and prod. +# For instance, staging needs to send collectd logs to log01 and smtp mail data +# to bastion (both of which are prod boxen). +[staging-friendly] +bastion01.phx2.fedoraproject.org +bastion02.phx2.fedoraproject.org +log01.phx2.fedoraproject.org + [summershum] summershum01.phx2.fedoraproject.org diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index d00ed54c1f..3d31a918e1 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -31,7 +31,7 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT # ban staging from non-staging hosts -{% if env != 'staging' %} +{% if env != 'staging' and inventory_hostname not in groups['staging-friendly'] %} {% for host in groups['staging'] %} {% if 'eth0_ip' in hostvars[host] %}# {{ host }} -A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
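Review bot: The comment on the new `[staging-friendly]` group names the two flows that motivate it (collectd to log01, SMTP to bastion) but not the effect of membership, which under the iptables template change in this same commit is to skip the whole per-host staging REJECT block, so a member accepts whatever inbound traffic from every staging address its remaining rules happen to allow. Someone adding a host to this group later should see that consequence next to the group, not have to find it in the template. I would add, under the existing comment lines, `# NOTE: membership disables the staging REJECT rules on that host entirely` and `# (all ports from all staging addresses), not just the services named above.`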
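Review bot: The new condition exempts a staging-friendly host from the entire REJECT loop, so every staging address can reach any listener on bastion01/02 and log01 that the rest of the ruleset (outside this hunk) permits, while the inventory comment only calls for collectd to log01 and SMTP to bastion. A tighter form keeps the ban unconditional for every non-staging host and, inside the same `{% for host in groups['staging'] %}` loop ahead of the REJECT line, emits per-staging-source ACCEPT rules for just the collectd and SMTP ports when `inventory_hostname` is in `staging-friendly`, which keeps the prod/staging wall intact for bastion's other services. Separately, `groups['staging-friendly']` makes the template fail to render on any inventory that lacks that group, which presumably leaves whatever rules file the host already had rather than an updated ban; `groups.get('staging-friendly', [])` degrades to the full REJECT set instead: `{% if env != 'staging' and inventory_hostname not in groups.get('staging-friendly', []) %}`. The loop's `{% endif %}`/`{% endfor %}` closers lie outside the hunk.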