diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 9f2ee5b8bf..7a7b67e89d 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -30,6 +30,7 @@ fas_aliases: true
 #
 fasjson_aliases: false
 fasjson_url: https://fasjson.fedoraproject.org/
+host_group: bastion
 ipa_client_shell_groups:
   - pungi-devel
   - sysadmin-analysis
diff --git a/roles/base/templates/iptables/iptables.bastion b/roles/base/templates/iptables/iptables.bastion
new file mode 100644
index 0000000000..d7f0576ff8
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.bastion
@@ -0,0 +1,153 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 38.145.60.15 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT
+# zabbix01
+-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 10050 -s 10.3.163.198 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'iad2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the iad2 datacenter, both production and staging hosts are in different
+# vlans, and different subnets. However, just as a precaution, we want prod machines to
+# reject connections from any staging host just in case there's some globally enabled port.
+# There are however a few hosts in production we have marked 'staging-friendly'
+# that we do allow staging to talk to for mostly read-only data they need.
+#
+-A INPUT -s 10.3.166.0/24 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.3.167.0/24 -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
+
+{% if vpn %}
+#
+# We want to have all vpn hosts reject most things from the 'less secure' vpn network
+#
+{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
+# Allow all vpn hosts to talk to the log server for rsyslog
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 514 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 25826 -j ACCEPT
+{% endif %}
+{% if inventory_hostname in groups['ipa'] %}
+# Allow all vpn hosts to talk to the ipa servers for auth
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 389 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 464 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 636 -j ACCEPT
+
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 464 -j ACCEPT
+{% endif %}
+# Reject all further connections from less secure vpn
+-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# smtp rules we want to allow vpn and out internal networks and mimecast
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
+# mimecast ips from
+# https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
+-A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.133.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.128.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.129.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.130.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.131.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 207.211.31.0/25 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 207.211.30.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 205.139.110.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 205.139.111.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 216.205.24.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 63.128.21.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+ 
+IP Addresses / Network Ranges for Non-SPF Email Traffic
+
+Where messages are being sent from accounts with envelope addresses not registered as internal domains, Mimecast routes through separate ranges. 
+Region		
+ United States of America (US-Grid)	207.211.30.40	to	207.211.30.49	205.139.111.40	to	205.139.111.49
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies_internal']) %}
+{% if hostvars[proxy]['datacenter'] == "phx2" and 'ansible_eth0' in hostvars[proxy] %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} -j ACCEPT
+{% else %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} -j ACCEPT
+{% endif %}
+{% endfor %}
+# nagios
+-A INPUT -p tcp -m tcp --dport {{ port }} --src  10.3.163.10 -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+
+{% if nat_rules %}
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}