diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 900ac8501d..372c347ded 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -24,6 +24,7 @@
 - { role: iscsi_client, when: datacenter == "phx2" }
 - sudo
 - { role: openvpn/client, when: datacenter != "phx2" }
+ - { role: pam_shield, when: datacenter != "phx2" }
 tasks:
 - include: "{{ tasks }}/yumrepos.yml"
diff --git a/roles/base/templates/iptables/iptables.coloamer b/roles/base/templates/iptables/iptables.coloamer
deleted file mode 100644
index d2701a91a5..0000000000
--- a/roles/base/templates/iptables/iptables.coloamer
+++ /dev/null
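Review bot: The added `pam_shield` role will, as far as I know, start blocking source addresses after repeated PAM authentication failures on the non-phx2 virthosts, and nothing in this hunk shows whether the role's allow list covers the management paths those hosts depend on — the coloamer iptables template deleted in the same commit accepted ssh from 192.168.0.0/24 over tun0 and from 209.132.181.0/24, so a burst of failed logins from a monitoring or automation host in those ranges could lock out admin access; confirm the role whitelists them before this lands. The reason the role is limited to `datacenter != "phx2"` is not recorded; a comment above the new line such as `# non-phx2 virthosts expose sshd outside the VPN; throttle repeated failed logins` would make the intent explicit (adjust if the actual reason differs). If `datacenter` is undefined for some host in this group the `when:` expression fails, but the existing conditional roles above already have that property, so it is not new to this change.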
@@ -1,68 +0,0 @@
-# {{ ansible_managed }}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# allow ssh only from needed ips
-# vpn in from tun0
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 192.168.0.0/24 -i tun0 -j ACCEPT
-# external ip for phx2
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 209.132.181.0/24 -j ACCEPT
-# external ip for scrye
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 75.148.32.185 -j ACCEPT
-
-# for fireball mode - allow port 5099 from lockbox and it's ips
--A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-{% if virthost is defined %}
--A FORWARD -s 67.203.2.64/29 -j ACCEPT
--A FORWARD -d 67.203.2.64/29 -j ACCEPT
-{% else %}
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-COMMIT