diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index c93e56d318..ded107144c 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -24,8 +24,14 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-# ban staging from non-staging hosts
-{% if env != 'staging' and inventory_hostname not in groups['staging-friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in
+# production we have marked 'staging-friendly' that we do allow staging to talk to for
+# mostly read-only data they need.
+#
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 {% for host in groups['staging'] %}
 {% if 'eth0_ip' in hostvars[host] %}# {{ host }}
 -A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited