diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables
index 49db2f7851..e3dba2ac03 100644
--- a/roles/base/templates/iptables/ip6tables
+++ b/roles/base/templates/iptables/ip6tables
@@ -20,6 +20,12 @@
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
+{% if inventory_hostname in groups['proxies'] %}
+{% for friend in friends6 %}
+-A INPUT --src {{ friend }} -j DROP
+{% endfor %}
+{% endif %}
+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 9f2a082139..cf49cdf411 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -25,7 +25,7 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 
 {% if inventory_hostname in groups['proxies'] %}
-{% for friend in friends %}
+{% for friend in friends4 %}
 -A INPUT --src {{ friend }} -j DROP
 {% endfor %}
 {% endif %}
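Review bot: The new `{% for friend in friends6 %}` loop has no guard for the variable being undefined, unlike the `{% if tcp_ports is defined %}` check a few lines below in the same hunk, so rendering ip6tables on a proxy host where `friends6` is not set will presumably fail the template task rather than produce an empty block; either mirror the existing pattern or write `{% for friend in friends6 | default([]) %}`. Separately, the DROP rules are appended after the unconditional SSH ACCEPT, so an address listed in `friends6` can still open new connections to port 22 — if the intent is to drop those sources entirely, the block belongs above the `--dport 22` rule, and if blocking only the proxied services is intended, that should be stated. A comment above the block, e.g. `# drop all new connections from addresses listed in friends6 (proxies only)`, would make the intent clear either way. The rule set continues before and after this hunk.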