diff --git a/playbooks/roles/iptables/templates/rules.v4.j2 b/playbooks/roles/iptables/templates/rules.v4.j2
index ec2f8db503..ce845904ff 100644
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
diff --git a/playbooks/roles/iptables/templates/rules.v6.j2 b/playbooks/roles/iptables/templates/rules.v6.j2
index c7549bb4fc..da5d369402 100644
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 08449e270d..05032aa427 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -64,7 +64,7 @@ def test_iptables(host):
 start = [
 '-P INPUT ACCEPT',
- '-P FORWARD ACCEPT',
+ '-P FORWARD DROP',
 '-P OUTPUT ACCEPT',
 '-N openstack-INPUT',
 '-A INPUT -j openstack-INPUT',
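Review bot: In rules.v4.j2, `:FORWARD DROP [0:0]` becomes the chain policy with no `-A FORWARD` rule visible in the hunk, so any host that applies this role and also routes packets (container bridges, VPN or NAT gateways) will drop that traffic on the next rules reload; the identical change in rules.v6.j2 has the same effect for IPv6. The rest of both templates lies outside the hunks, so confirm whether FORWARD accept rules are rendered elsewhere or whether no managed host forwards. Recording the intent next to the policy line would help, for example `# FORWARD defaults to DROP: these hosts are not routers; add explicit -A FORWARD rules where forwarding is required`. INPUT also keeps an ACCEPT policy, so inbound filtering rests entirely on the final rule of openstack-INPUT, which is not shown here.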
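Review bot: In testinfra/test_base.py only the IPv4 expectation `'-P FORWARD DROP',` is updated in the `start` list, so nothing visible in this diff asserts the matching policy from rules.v6.j2. test_iptables continues outside the hunk and an IPv6 check may exist elsewhere in the file; if it does not, add an equivalent assertion against the ip6tables rule set so that a regression to `-P FORWARD ACCEPT` on IPv6 is caught. A short comment above the list, such as `# FORWARD must stay DROP: hosts are not expected to route traffic`, would tell the next reader why the policy is pinned.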