diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
new file mode 100644
index 000000000..68f3f4ea7
--- /dev/null
+++ b/salt/firewall/iptables.jinja
@@ -0,0 +1,306 @@
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
+{% from 'firewall/map.jinja' import hostgroups with context %}
+{% from 'firewall/map.jinja' import assigned_hostgroups with context %}
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+:OUTPUT_direct - [0:0]
+:POSTROUTING_ZONES - [0:0]
+:POSTROUTING_ZONES_SOURCE - [0:0]
+:POSTROUTING_direct - [0:0]
+:POST_docker - [0:0]
+:POST_docker_allow - [0:0]
+:POST_docker_deny - [0:0]
+:POST_docker_log - [0:0]
+:POST_public - [0:0]
+:POST_public_allow - [0:0]
+:POST_public_deny - [0:0]
+:POST_public_log - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_docker - [0:0]
+:PRE_docker_allow - [0:0]
+:PRE_docker_deny - [0:0]
+:PRE_docker_log - [0:0]
+:PRE_public - [0:0]
+:PRE_public_allow - [0:0]
+:PRE_public_deny - [0:0]
+:PRE_public_log - [0:0]
+-A PREROUTING -j PREROUTING_direct
+-A PREROUTING -j PREROUTING_ZONES_SOURCE
+-A PREROUTING -j PREROUTING_ZONES
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT -j OUTPUT_direct
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s {{DOCKER.range}} ! -o sosnet -j MASQUERADE
+-A POSTROUTING -j POSTROUTING_direct
+-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
+-A POSTROUTING -j POSTROUTING_ZONES
+
+{%- for container in NODE_CONTAINERS %}
+{%- for port, proto in DOCKER.containers[container].ports.items() %}
+-A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
+{%- endfor %}
+{%- endfor %}
+-A DOCKER -i sosnet -j RETURN
+{%- for container in NODE_CONTAINERS %}
+{%- for port, proto in DOCKER.containers[container].ports.items() %}
+-A DOCKER ! -i sosnet -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
+{%- endfor %}
+{%- endfor %}
+
+-A POSTROUTING_ZONES -o sosnet -g POST_docker
+-A POSTROUTING_ZONES -o bond0 -g POST_public
+-A POSTROUTING_ZONES -o eth1 -g POST_public
+-A POSTROUTING_ZONES -o eth0 -g POST_public
+-A POSTROUTING_ZONES -g POST_public
+-A POST_docker -j POST_docker_log
+-A POST_docker -j POST_docker_deny
+-A POST_docker -j POST_docker_allow
+-A POST_public -j POST_public_log
+-A POST_public -j POST_public_deny
+-A POST_public -j POST_public_allow
+-A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i bond0 -g PRE_public
+-A PREROUTING_ZONES -i eth1 -g PRE_public
+-A PREROUTING_ZONES -i eth0 -g PRE_public
+-A PREROUTING_ZONES -g PRE_public
+-A PRE_docker -j PRE_docker_log
+-A PRE_docker -j PRE_docker_deny
+-A PRE_docker -j PRE_docker_allow
+-A PRE_public -j PRE_public_log
+-A PRE_public -j PRE_public_deny
+-A PRE_public -j PRE_public_allow
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:FORWARD_direct - [0:0]
+:INPUT_direct - [0:0]
+:OUTPUT_direct - [0:0]
+:POSTROUTING_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_docker - [0:0]
+:PRE_docker_allow - [0:0]
+:PRE_docker_deny - [0:0]
+:PRE_docker_log - [0:0]
+:PRE_public - [0:0]
+:PRE_public_allow - [0:0]
+:PRE_public_deny - [0:0]
+:PRE_public_log - [0:0]
+-A PREROUTING -j PREROUTING_direct
+-A PREROUTING -j PREROUTING_ZONES_SOURCE
+-A PREROUTING -j PREROUTING_ZONES
+-A INPUT -j INPUT_direct
+-A FORWARD -j FORWARD_direct
+-A OUTPUT -j OUTPUT_direct
+-A POSTROUTING -j POSTROUTING_direct
+-A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i bond0 -g PRE_public
+-A PREROUTING_ZONES -i eth1 -g PRE_public
+-A PREROUTING_ZONES -i eth0 -g PRE_public
+-A PREROUTING_ZONES -g PRE_public
+-A PRE_docker -j PRE_docker_log
+-A PRE_docker -j PRE_docker_deny
+-A PRE_docker -j PRE_docker_allow
+-A PRE_public -j PRE_public_log
+-A PRE_public -j PRE_public_deny
+-A PRE_public -j PRE_public_allow
+COMMIT
+
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FORWARD_direct - [0:0]
+:INPUT_direct - [0:0]
+:OUTPUT_direct - [0:0]
+-A INPUT -j INPUT_direct
+-A FORWARD -j FORWARD_direct
+-A OUTPUT -j OUTPUT_direct
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:OUTPUT_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_docker - [0:0]
+:PRE_docker_allow - [0:0]
+:PRE_docker_deny - [0:0]
+:PRE_docker_log - [0:0]
+:PRE_public - [0:0]
+:PRE_public_allow - [0:0]
+:PRE_public_deny - [0:0]
+:PRE_public_log - [0:0]
+-A PREROUTING -j PREROUTING_direct
+-A PREROUTING -j PREROUTING_ZONES_SOURCE
+-A PREROUTING -j PREROUTING_ZONES
+-A OUTPUT -j OUTPUT_direct
+-A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i bond0 -g PRE_public
+-A PREROUTING_ZONES -i eth1 -g PRE_public
+-A PREROUTING_ZONES -i eth0 -g PRE_public
+-A PREROUTING_ZONES -g PRE_public
+-A PRE_docker -j PRE_docker_log
+-A PRE_docker -j PRE_docker_deny
+-A PRE_docker -j PRE_docker_allow
+-A PRE_public -j PRE_public_log
+-A PRE_public -j PRE_public_deny
+-A PRE_public -j PRE_public_allow
+COMMIT
+
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-USER - [0:0]
+:FORWARD_IN_ZONES - [0:0]
+:FORWARD_IN_ZONES_SOURCE - [0:0]
+:FORWARD_OUT_ZONES - [0:0]
+:FORWARD_OUT_ZONES_SOURCE - [0:0]
+:FORWARD_direct - [0:0]
+:FWDI_docker - [0:0]
+:FWDI_docker_allow - [0:0]
+:FWDI_docker_deny - [0:0]
+:FWDI_docker_log - [0:0]
+:FWDI_public - [0:0]
+:FWDI_public_allow - [0:0]
+:FWDI_public_deny - [0:0]
+:FWDI_public_log - [0:0]
+:FWDO_docker - [0:0]
+:FWDO_docker_allow - [0:0]
+:FWDO_docker_deny - [0:0]
+:FWDO_docker_log - [0:0]
+:FWDO_public - [0:0]
+:FWDO_public_allow - [0:0]
+:FWDO_public_deny - [0:0]
+:FWDO_public_log - [0:0]
+:INPUT_ZONES - [0:0]
+:INPUT_ZONES_SOURCE - [0:0]
+:INPUT_direct - [0:0]
+:IN_docker - [0:0]
+:IN_docker_allow - [0:0]
+:IN_docker_deny - [0:0]
+:IN_docker_log - [0:0]
+:IN_public - [0:0]
+:IN_public_allow - [0:0]
+:IN_public_deny - [0:0]
+:IN_public_log - [0:0]
+:LOGGING - [0:0]
+:OUTPUT_direct - [0:0]
+
+{%- set count = namespace(value=0) %}
+{%- for chain, hg in assigned_hostgroups.chain.items() %}
+ {%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
+ {%- for action in ['insert', 'delete' ] %}
+ {%- if hostgroups[hostgroup].ips[action] %}
+ {%- for ip in hostgroups[hostgroup].ips[action] %}
+ {%- for portgroup in portgroups.portgroups %}
+ {%- for proto, ports in portgroup.items() %}
+ {%- for port in ports %}
+ {%- set count.value = count.value + 1 %}
+-A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
+ {%- endfor %}
+ {%- endfor %}
+ {%- endfor %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endfor %}
+{%- endfor %}
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j INPUT_direct
+-A INPUT -j INPUT_ZONES_SOURCE
+-A INPUT -j INPUT_ZONES
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -j LOGGING
+-A FORWARD -j DOCKER-USER
+-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A FORWARD -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o sosnet -j DOCKER
+-A FORWARD -i sosnet ! -o sosnet -j ACCEPT
+-A FORWARD -i sosnet -o sosnet -j ACCEPT
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+-A FORWARD -j FORWARD_direct
+-A FORWARD -j FORWARD_IN_ZONES_SOURCE
+-A FORWARD -j FORWARD_IN_ZONES
+-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
+-A FORWARD -j FORWARD_OUT_ZONES
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j OUTPUT_direct
+-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
+-A DOCKER-ISOLATION-STAGE-1 -i sosnet ! -o sosnet -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -j RETURN
+-A DOCKER-ISOLATION-STAGE-2 -o sosnet -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -j RETURN
+-A DOCKER-USER ! -i sosnet -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-USER ! -i sosnet -o sosnet -j LOGGING
+-A DOCKER-USER -j RETURN
+-A FORWARD_IN_ZONES -i sosnet -g FWDI_docker
+-A FORWARD_IN_ZONES -i bond0 -g FWDI_public
+-A FORWARD_IN_ZONES -i eth1 -g FWDI_public
+-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
+-A FORWARD_IN_ZONES -g FWDI_public
+-A FORWARD_OUT_ZONES -o sosnet -g FWDO_docker
+-A FORWARD_OUT_ZONES -o bond0 -g FWDO_public
+-A FORWARD_OUT_ZONES -o eth1 -g FWDO_public
+-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
+-A FORWARD_OUT_ZONES -g FWDO_public
+-A FWDI_docker -j FWDI_docker_log
+-A FWDI_docker -j FWDI_docker_deny
+-A FWDI_docker -j FWDI_docker_allow
+-A FWDI_docker -j ACCEPT
+-A FWDI_public -j FWDI_public_log
+-A FWDI_public -j FWDI_public_deny
+-A FWDI_public -j FWDI_public_allow
+-A FWDI_public -p icmp -j ACCEPT
+-A FWDO_docker -j FWDO_docker_log
+-A FWDO_docker -j FWDO_docker_deny
+-A FWDO_docker -j FWDO_docker_allow
+-A FWDO_docker -j ACCEPT
+-A FWDO_public -j FWDO_public_log
+-A FWDO_public -j FWDO_public_deny
+-A FWDO_public -j FWDO_public_allow
+-A INPUT_ZONES -i sosnet -g IN_docker
+-A INPUT_ZONES -i bond0 -g IN_public
+-A INPUT_ZONES -i eth1 -g IN_public
+-A INPUT_ZONES -i eth0 -g IN_public
+-A INPUT_ZONES -g IN_public
+-A IN_docker -j IN_docker_log
+-A IN_docker -j IN_docker_deny
+-A IN_docker -j IN_docker_allow
+-A IN_docker -j ACCEPT
+-A IN_public -j IN_public_log
+-A IN_public -j IN_public_deny
+-A IN_public -j IN_public_allow
+-A IN_public -p icmp -j ACCEPT
+-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
+-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
+-A LOGGING -j DROP
+COMMIT
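Review bot: In the filter table the `-A INPUT -j REJECT --reject-with icmp-host-prohibited` rule terminates the chain, so the two rules appended after it, `-A INPUT -p icmp -j ACCEPT` and `-A INPUT -j LOGGING`, can never match; inbound traffic that is refused is therefore never recorded by the LOGGING chain, which is the only place the "IPTables-dropped: " prefix is emitted. If the rate-limited log is wanted for INPUT, move `-A INPUT -j LOGGING` ahead of the REJECT (or drop the REJECT entirely, since LOGGING already ends in DROP) and delete the unreachable ICMP rule, which `-A IN_public -p icmp -j ACCEPT` already covers in the zone chain. The `count` namespace in the hostgroup loop is incremented on every emitted rule but never read, so it can go. Less certain: that loop emits ACCEPT rules for both `ips['insert']` and `ips['delete']`; if the `delete` list holds addresses being removed from a hostgroup, those addresses keep their allow rules for as long as they stay in that list, which is worth confirming against firewall/map.jinja.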