diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index b9773d448..77f6ef012 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -91,7 +91,9 @@ COMMIT
 {%- endfor %}
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j LOGGING
 -A FORWARD -j DOCKER-USER
@@ -101,6 +103,10 @@ COMMIT
 -A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT
 -A FORWARD -i sosbridge -o sosbridge -j ACCEPT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
 {%- for rule in D2 %}
@@ -112,6 +118,7 @@ COMMIT
 -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -j RETURN
 -A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
 -A DOCKER-USER -j RETURN
 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
 -A LOGGING -j DROP
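Review bot: The unconditional `-A INPUT -j REJECT --reject-with icmp-host-prohibited` is appended before `-A INPUT -p icmp -j ACCEPT` and `-A INPUT -j LOGGING`, and since REJECT is terminal both rules become unreachable: inbound ICMP is now rejected and, more importantly for detection, rejected INPUT traffic is no longer logged via the LOGGING chain. If the intent is to answer with an ICMP error instead of silently dropping, the ICMP accept has to move above the REJECT, and the final `-j LOGGING` line is then still dead because LOGGING itself ends in `-j DROP`; either remove the new REJECT line (LOGGING already drops) or keep the REJECT and log before it with `-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "`. The surrounding `{%- endfor %}` suggests the per-rule ACCEPTs are emitted above this point, so those appear unaffected, but any INPUT rule appended later in the template will also be shadowed.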
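Review bot: `-A FORWARD -i lo -j ACCEPT` can never match, because loopback traffic is delivered locally and traverses INPUT/OUTPUT rather than FORWARD, so the line is dead and only suggests a protection that does not exist; it should be removed. The unconditional `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` that follows ends the FORWARD chain at this point, so any FORWARD rule appended afterwards, including anything the `{%- for rule in D2 %}` loop emits if it targets FORWARD (not visible in this hunk), is unreachable. Unlike INPUT, forwarded traffic rejected here leaves no log entry; adding `-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "` directly before the REJECT keeps the two chains consistent for incident triage.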
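Review bot: The new `-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING` routes container-bound drops through the same LOGGING chain as INPUT, and that chain's `-m limit --limit 2/min` is a single shared bucket, so a burst of dropped host traffic will suppress the log lines for blocked traffic into sosbridge (and vice versa), and the shared `"IPTables-dropped: "` prefix gives no way to tell the two apart. Consider giving this path its own rate limit and prefix, e.g. `-A DOCKER-USER ! -i sosbridge -o sosbridge -m limit --limit 2/min -j LOG --log-prefix "IPTables-docker-dropped: "` followed by `-A DOCKER-USER ! -i sosbridge -o sosbridge -j DROP`. Note also that this rule drops rather than rejects, whereas the INPUT and FORWARD hunks of this commit switch to REJECT; that difference is defensible but worth a comment in the template so the next maintainer does not "fix" it.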