diff --git a/inventory/host_vars/pagure-proxy01.fedoraproject.org b/inventory/host_vars/pagure-proxy01.fedoraproject.org
index de9dda3f3c..9eba1ec977 100644
--- a/inventory/host_vars/pagure-proxy01.fedoraproject.org
+++ b/inventory/host_vars/pagure-proxy01.fedoraproject.org
@@ -3,7 +3,7 @@ nm: 255.255.255.128
 gw: 152.19.134.129
 dns: 8.8.8.8
-custom_rules: [
+nat_rules: [
 '-t nat -A PREROUTING --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
 '-t nat -A POSTROUTING -p tcp --dst 140.211.169.204 --dport 22 -j SNAT --to-source 152.19.134.147',
 '-t nat -A OUTPUT --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22']
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 0e2f4178ce..7efd6202cc 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -110,3 +110,14 @@
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
+
+{%- if nat_rules %}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
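Review bot: The block appended after `COMMIT` in roles/base/templates/iptables/iptables opens a second `*filter` section with ACCEPT policies on INPUT/FORWARD/OUTPUT and never closes it, although the rules it emits are NAT rules (the pagure-proxy01 entries use PREROUTING/POSTROUTING with DNAT/SNAT). Assuming the rendered file is loaded with iptables-restore, which its format suggests, that section would either be rejected for the missing `COMMIT` or, once one is added, by default flush the filter rules defined above and leave an accept-all policy; it should be a `*nat` section with its own chains and a closing `COMMIT`. The `{%-` on the `if` also strips the newline after the existing `COMMIT`, so with Ansible's default `trim_blocks` the output would likely read `COMMIT*filter`, and `{% if nat_rules %}` may fail on hosts that never define the variable unless a default is set elsewhere. The `-t nat` prefix kept in the host_vars strings is redundant inside a table section and, as far as I know, is refused by iptables-restore, so those strings would need it dropped. The filter section that the first `COMMIT` closes starts outside the hunk.

```jinja
{# … unchanged: filter table rules above … #}
COMMIT

{% if nat_rules is defined and nat_rules %}
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% for rule in nat_rules %}
{{ rule }}
{% endfor %}
COMMIT
{% endif %}
```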