diff --git a/modules/iptables/manifests/init.pp b/modules/iptables/manifests/init.pp
index f9527fc155..5cbc19dc5a 100644
--- a/modules/iptables/manifests/init.pp
+++ b/modules/iptables/manifests/init.pp
@@ -23,28 +23,37 @@ class iptables($rules='', $public_tcp_ports=[], $public_udp_ports=[]) {
 }
 file { '/etc/iptables':
- ensure => directory,
+ ensure => directory,
 }
 file { '/etc/iptables/rules':
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => template('iptables/rules.erb'),
- require => [Package['iptables-persistent'], File['/etc/iptables']],
-
- # When this file is updated, make sure the rules get reloaded.
- notify => Service['iptables-persistent'],
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => template('iptables/rules.erb'),
+ require => [Package['iptables-persistent'], File['/etc/iptables']],
+ # When this file is updated, make sure the rules get reloaded.
+ notify => Service['iptables-persistent'],
 }
 file { '/etc/iptables/rules.v4':
- ensure => link,
- owner => 'root',
- group => 'root',
- mode => '0640',
- target => '/etc/iptables/rules',
- require => File['/etc/iptables/rules'],
- notify => Service['iptables-persistent'],
+ ensure => link,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ target => '/etc/iptables/rules',
+ require => File['/etc/iptables/rules'],
+ notify => Service['iptables-persistent'],
 }
+ file { '/etc/iptables/rules.v6':
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => template('iptables/rules.v6.erb'),
+ require => [Package['iptables-persistent'], File['/etc/iptables']],
+ # When this file is updated, make sure the rules get reloaded.
+ notify => Service['iptables-persistent'],
+ replace => true,
+ }
 }
diff --git a/modules/iptables/templates/rules.v6.erb b/modules/iptables/templates/rules.v6.erb
new file mode 100644
index 0000000000..0ccba96e63
--- /dev/null
+++ b/modules/iptables/templates/rules.v6.erb
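Review bot: `replace => true` on the new `/etc/iptables/rules.v6` resource is the default for a Puppet `file` and none of the sibling resources in this hunk set it, so the line is noise and should be dropped for consistency. The asymmetry between the IPv4 and IPv6 layouts is also undocumented: v4 content lands in `/etc/iptables/rules` with `rules.v4` as a symlink to it, whereas v6 content is written straight to `rules.v6`; a comment on the new resource such as `# IPv6 rules are written directly; only the legacy IPv4 name is a symlink to /etc/iptables/rules.` would save the next reader from wondering whether the missing symlink is an oversight. The class body continues outside the hunk, so I cannot see whether anything else depends on a `rules.v6` path.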
@@ -0,0 +1,24 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A FORWARD -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+<% public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Public UDP ports
+<% public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Per-host rules
+<%= rules %>
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
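Review bot: The `<%= rules %>` line under `# Per-host rules` splices the same `$rules` string into the IPv6 table that the class (its signature in the other hunk declares only `$rules`, `$public_tcp_ports` and `$public_udp_ports`) already feeds to the IPv4 template, so any per-host rule written in IPv4 terms, for example one with a dotted-quad `-s` address, is presumably rejected by `ip6tables-restore` and takes the whole v6 ruleset down with it. Because the table opens with `:INPUT ACCEPT [0:0]` and the deny is the trailing `-j REJECT` in the custom chain, a failed restore would likely leave IPv6 input unfiltered rather than closed, which is the opposite of the intended failure mode. A separate parameter keeps the two address families from breaking each other: add `$rules6=''` to the class signature and use `<%= rules6 %>` here, or at minimum document on this line that `$rules` must contain only rules valid for both iptables and ip6tables. Restoring the ruleset under `ip6tables-restore --test` on the generated file before notifying the service would also surface such a mistake at deploy time rather than in production.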