diff --git a/inventory/group_vars/bvirthost b/inventory/group_vars/bvirthost
new file mode 100644
index 0000000000..d7aff060d9
--- /dev/null
+++ b/inventory/group_vars/bvirthost
@@ -0,0 +1,2 @@
+---
+virthost: true
diff --git a/inventory/group_vars/virthost b/inventory/group_vars/virthost
new file mode 100644
index 0000000000..d7aff060d9
--- /dev/null
+++ b/inventory/group_vars/virthost
@@ -0,0 +1,2 @@
+---
+virthost: true
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 8ad12f42cc..97160bdbce 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -54,5 +54,9 @@
 # otherwise kick everything out
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
+{% if virthost is defined %}
+-A FORWARD -j ACCEPT
+{% else %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
 COMMIT
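Review bot: The `{% if virthost is defined %}` guard in the iptables template tests only whether the variable exists, so a host or group that later sets `virthost: false` would still get the open FORWARD chain; `{% if virthost | default(false) | bool %}` keys the rule on the value, and works with the `virthost: true` that the two new group_vars files set. The added `-A FORWARD -j ACCEPT` also matches every forwarded packet with no interface or state restriction, so on these hosts this template no longer filters any traffic routed or bridged through the host to or from guests. If the intent is only to pass bridged guest traffic, a rule scoped to the bridge, for example `-A FORWARD -i <BRIDGE_IF> -o <BRIDGE_IF> -j ACCEPT` (placeholder interface name), followed by the existing REJECT as the last FORWARD rule would keep the default-deny for everything else. A one-line template comment stating why virthosts need forwarding would also help whoever audits this ruleset later.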