diff --git a/files/iptables/iptables b/files/iptables/iptables
deleted file mode 100644
index 43e2190f01..0000000000
--- a/files/iptables/iptables
+++ /dev/null
@@ -1,46 +0,0 @@
-# {{ ansible_managed }}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-
-# if the host/group defines incoming tcp_ports - allow them
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if there are custom rules - put them in as-is
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/files/iptables/iptables.sign b/files/iptables/iptables.sign
deleted file mode 100644
index f213e8855b..0000000000
--- a/files/iptables/iptables.sign
+++ /dev/null
@@ -1,14 +0,0 @@
-# {{ ansible_managed }}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-# Allow connections from client/server
--A INPUT -p tcp -m tcp --dport 44333:44334 -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
-
diff --git a/files/iptables/iptables.staging b/files/iptables/iptables.staging
deleted file mode 100644
index 5fc0cfa4cf..0000000000
--- a/files/iptables/iptables.staging
+++ /dev/null
@@ -1,58 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT []
-:POSTROUTING ACCEPT []
-:OUTPUT ACCEPT []
-
-# Redirect staging attempts to talk to the external proxy to an internal ip.
-# This is primarily for openid in staging which needs to get around proxy
-# redirects.
--A OUTPUT -d 209.132.181.5 -j DNAT --to-destination 10.5.126.88
-
-COMMIT
-
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-
-# if the host/group defines incoming tcp_ports - allow them
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if there are custom rules - put them in as-is
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml
index 517c06fb4f..1434578b2b 100644
--- a/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml
@@ -26,7 +26,6 @@ tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" - - include: "{{ tasks }}/iptables.yml" - name: mount up blockerbugs-dev to /srv/persistent mount: name=/srv/persistent src='LABEL=blockerbugs-dev' fstype=ext4 state=mounted
diff --git a/roles/base/templates/iptables/iptables.serverbeach06.fedoraproject.org b/roles/base/templates/iptables/iptables.serverbeach06.fedoraproject.org
deleted file mode 100644
index c7542a13e9..0000000000
--- a/roles/base/templates/iptables/iptables.serverbeach06.fedoraproject.org
+++ /dev/null
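Review bot: After this hunk the blockerbugs-dev playbook no longer contains any step that installs, enables or templates iptables: the removed `- include: "{{ tasks }}/iptables.yml"` was the only firewall task visible here, and the same commit deletes tasks/iptables.yml together with the files/iptables templates it selected from, whose ruleset ended in a reject-by-default INPUT chain. If the intent is that a role now covers this host (the deleted paths show roles/base carries an iptables template directory), nothing in the hunk applies such a role, so the host may come up with only whatever INPUT policy the cloud image ships. Once confirmed, a comment next to the remaining include, e.g. `# firewall is applied by the base role; tasks/iptables.yml was removed`, would record where the ruleset now comes from, and a post-run check that the INPUT chain still ends in a REJECT would close the loop. The tasks list this hunk sits in starts and ends outside the hunk.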
@@ -1,83 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT [7058:343124]
-:INPUT ACCEPT [14:880]
-:OUTPUT ACCEPT [3:224]
-:POSTROUTING ACCEPT [428:23328]
-# dnat and snat everything to the internal virt host
-#-A PREROUTING -d guest_ip/32 -j DNAT --to-destination 192.168.122.2
-#-A POSTROUTING -s 192.168.122.2/32 -j SNAT --to-source guest_ip
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
-#
-# In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
-# to prevent them from interfering with production. There are however a few hosts in
-# production we have marked 'staging-friendly' that we do allow staging to talk to for
-# mostly read-only data they need.
-#
-{% for host in groups['staging'] %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-
-# source and dest of the guest ip we forward into the guest
-#-A FORWARD -d guest_ip/32 -j ACCEPT
-#-A FORWARD -s guest_ip/32 -j ACCEPT
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.serverbeach07.fedoraproject.org b/roles/base/templates/iptables/iptables.serverbeach07.fedoraproject.org
deleted file mode 100644
index 94e4b401b3..0000000000
--- a/roles/base/templates/iptables/iptables.serverbeach07.fedoraproject.org
+++ /dev/null
@@ -1,79 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT [7058:343124]
-:INPUT ACCEPT [14:880]
-:OUTPUT ACCEPT [3:224]
-:POSTROUTING ACCEPT [428:23328]
-# dnat and snat everything to the internal virt host
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
-#
-# In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
-# to prevent them from interfering with production. There are however a few hosts in
-# production we have marked 'staging-friendly' that we do allow staging to talk to for
-# mostly read-only data they need.
-#
-{% for host in groups['staging'] %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-
-# source and dest of the guest ip we forward into the guest
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.serverbeach08.fedoraproject.org b/roles/base/templates/iptables/iptables.serverbeach08.fedoraproject.org
deleted file mode 100644
index c7542a13e9..0000000000
--- a/roles/base/templates/iptables/iptables.serverbeach08.fedoraproject.org
+++ /dev/null
@@ -1,83 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT [7058:343124]
-:INPUT ACCEPT [14:880]
-:OUTPUT ACCEPT [3:224]
-:POSTROUTING ACCEPT [428:23328]
-# dnat and snat everything to the internal virt host
-#-A PREROUTING -d guest_ip/32 -j DNAT --to-destination 192.168.122.2
-#-A POSTROUTING -s 192.168.122.2/32 -j SNAT --to-source guest_ip
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
-#
-# In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
-# to prevent them from interfering with production. There are however a few hosts in
-# production we have marked 'staging-friendly' that we do allow staging to talk to for
-# mostly read-only data they need.
-#
-{% for host in groups['staging'] %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-
-# source and dest of the guest ip we forward into the guest
-#-A FORWARD -d guest_ip/32 -j ACCEPT
-#-A FORWARD -s guest_ip/32 -j ACCEPT
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.serverbeach09.fedoraproject.org b/roles/base/templates/iptables/iptables.serverbeach09.fedoraproject.org
deleted file mode 100644
index 634981d242..0000000000
--- a/roles/base/templates/iptables/iptables.serverbeach09.fedoraproject.org
+++ /dev/null
@@ -1,81 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT [7058:343124]
-:INPUT ACCEPT [14:880]
-:OUTPUT ACCEPT [3:224]
-:POSTROUTING ACCEPT [428:23328]
-# dnat and snat everything to the internal virt host
--A PREROUTING -d 69.174.247.243/32 -j DNAT --to-destination 192.168.122.3
--A POSTROUTING -s 192.168.122.3/32 -j SNAT --to-source 69.174.247.243
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
--A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-COMMIT
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
-#
-# In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
-# to prevent them from interfering with production. There are however a few hosts in
-# production we have marked 'staging-friendly' that we do allow staging to talk to for
-# mostly read-only data they need.
-#
-{% for host in groups['staging'] %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-
-# source and dest of the guest ip we forward into the guest
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/tasks/iptables.yml b/tasks/iptables.yml
deleted file mode 100644
index cd00909659..0000000000
--- a/tasks/iptables.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# IF YOU ARE USING $tasks/base.yml this is redundant
-# this is split out only for some of the cloud boxes
-
-- name: install iptables if not installed
- yum: name=iptables state=present
- when: ansible_distribution == 'RedHat'
- tags:
- - iptables
- - packages
-
-- name: install iptables-services if not installed
- yum: name=iptables-services state=present
- when: ansible_distribution == 'Fedora'
- tags:
- - iptables
- - packages
-
-- name: iptables service enabled
- service: name=iptables state=running enabled=true
- tags:
- - iptables
- - service
-
-- name: iptables
- template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 backup=yes
- with_first_found:
- "{{ iptables }}"
- "{{ files }}/iptables/iptables.{{ ansible_fqdn }}"
- "{{ files }}/iptables/iptables.{{ host_group }}"
- "{{ files }}/iptables/iptables.{{ env }}"
- "{{ files }}/iptables/iptables"
- notify:
- - restart iptables
- tags:
- - iptables
- - config