diff --git a/Rakefile b/Rakefile
index 0a6b7c0..b0c6f7e 100644
--- a/Rakefile
+++ b/Rakefile
@@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local')
 ssh_config_file = "config/#{$SPB_ENV}/ssh_config"
 ips_file = "config/#{$SPB_ENV}/ips.yaml"
 config_file = "config/#{$SPB_ENV}/config.yaml"
+iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules"
 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file
@@ -20,9 +21,11 @@ end
 config = YAML.load_file(config_file)
 ips = YAML.load_file(ips_file)
+firewall = File.open(iptables_file).read
 $nodes.each do |node|
   node.data['config'] = config
   node.data['peers'] = ips
+  node.data['firewall'] = firewall
 end
 task :console do
diff --git a/config/development/iptables-filter-rules b/config/development/iptables-filter-rules
new file mode 100644
index 0000000..aec3948
--- /dev/null
+++ b/config/development/iptables-filter-rules
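Review bot: `firewall = File.open(iptables_file).read` in the second hunk opens a file handle that is never closed; `firewall = File.read(iptables_file)` does the same work in one call and releases the descriptor immediately. The text is then handed to every node unchanged through `node.data['firewall']`, so a missing or mistyped `config/<env>/iptables-filter-rules` aborts the Rakefile at load time instead of producing a partially built ruleset, which is the failure mode you want; a short comment above the read, `# fail fast: every environment must ship this file, it is spliced verbatim into the node firewall`, would stop the next reader from wrapping it in a rescue. The first hunk only introduces `iptables_file` and needs nothing.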
@@ -0,0 +1,29 @@
+
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# UnB
+-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Sergio Oliveira
+-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Antonio Terceiro
+-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+
+
+-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
diff --git a/config/local/iptables-filter-rules b/config/local/iptables-filter-rules
new file mode 100644
index 0000000..e97b4e4
--- /dev/null
+++ b/config/local/iptables-filter-rules
@@ -0,0 +1,2 @@
+
+# No environment rules
diff --git a/config/production/iptables-filter-rules b/config/production/iptables-filter-rules
new file mode 100644
index 0000000..e97b4e4
--- /dev/null
+++ b/config/production/iptables-filter-rules
@@ -0,0 +1,2 @@
+
+# No environment rules
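Review bot: The opening block (`200.198.196.192/26`, `.201/32`, `.206/32`, `189.9.150.85/32`) and the closing block (`10.18.0.0/16`, `189.9.137.239/32` on tcp/10050) carry no owner comment, while the UnB, Sergio Oliveira and Antonio Terceiro blocks do, so nobody reviewing this file later can tell whether those entries are still needed or who to ask. Every line here opens SSH, HTTP or the 5432 database port to one source, which is exactly the kind of allow-list entry that needs a who/why label for periodic pruning; add a `# <owner or system — TODO fill in>` line above each unlabelled block, and a note on the 10050 rule naming the service that listens there. Since this file is spliced verbatim into the ruleset of every node in the environment, a comment at the top saying so, and that a malformed line breaks the restore for all of them, is worth the one line. The `local` and `production` hunks only add a placeholder comment.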
diff --git a/cookbooks/firewall/recipes/default.rb b/cookbooks/firewall/recipes/default.rb
new file mode 100644
index 0000000..48da3e7
--- /dev/null
+++ b/cookbooks/firewall/recipes/default.rb
@@ -0,0 +1,14 @@
+
+package 'iptables-services'
+
+service 'iptables' do
+  action [:enable, :start]
+  supports :restart => true
+end
+
+template '/etc/sysconfig/iptables' do
+  owner 'root'
+  group 'root'
+  mode 0644
+  notifies :restart, 'service[iptables]'
+end
diff --git a/cookbooks/firewall/templates/default/development.erb b/cookbooks/firewall/templates/default/development.erb
deleted file mode 100644
index defa4ba..0000000
--- a/cookbooks/firewall/templates/default/development.erb
+++ /dev/null
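Review bot: `mode 0644` leaves `/etc/sysconfig/iptables` readable by every local account, and the rendered file enumerates each permitted source address, the alternate SSH port and the DNAT/SNAT path between reverseproxy and integration; that file is conventionally root-only, so `mode '0600'` (the string form is also the Chef-preferred spelling) keeps it that way at no cost to the service, which runs as root. The `template` resource relies on the implicit `source` derived from the path, which resolves to `iptables.erb`; an explicit `source 'iptables.erb'` line makes the link to the per-host template directories visible to readers. A one-line comment on `notifies :restart` noting that a ruleset `iptables-restore` rejects fails at restart time, not at converge time, would help whoever debugs the first bad render.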
@@ -1,35 +0,0 @@
-
-<% content_for :iptables_filter do %>
-
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-
--A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# UnB
--A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
--A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# Sergio Oliveira
--A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-#i Antonio Terceiro
--A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-
-
--A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
-
-<% end %>
-
-<%= render 'firewall-common.erb' %>
diff --git a/cookbooks/firewall/templates/default/firewall-common.erb b/cookbooks/firewall/templates/default/firewall-common.erb
deleted file mode 100644
index f422758..0000000
--- a/cookbooks/firewall/templates/default/firewall-common.erb
+++ /dev/null
@@ -1,37 +0,0 @@
-
-### FILTER RULES ###
-
-*filter
-
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
--A INPUT -p icmp --icmp-type 4 -j ACCEPT
--A INPUT -p icmp --icmp-type 11 -j ACCEPT
--A INPUT -p icmp --icmp-type 12 -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
-
-<%= yield :iptables_filter %>
-
--A INPUT -j LOG --log-prefix "Firewall INPUT: "
--A INPUT -j DROP
--A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
--A FORWARD -j DROP
-
-COMMIT
-
-
-### NAT Rules ###
-
-*nat
-
-<%= yield :iptables_nat %>
-
-COMMIT
diff --git a/cookbooks/firewall/templates/default/iptables-filter.erb b/cookbooks/firewall/templates/default/iptables-filter.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/cookbooks/firewall/templates/default/iptables-filter.erb
diff --git a/cookbooks/firewall/templates/default/iptables-nat.erb b/cookbooks/firewall/templates/default/iptables-nat.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/cookbooks/firewall/templates/default/iptables-nat.erb
diff --git a/cookbooks/firewall/templates/default/iptables.erb b/cookbooks/firewall/templates/default/iptables.erb
new file mode 100644
index 0000000..b829e0c
--- /dev/null
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -0,0 +1,34 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= node['firewall'] %>
+<%= render 'iptables-filter.erb' %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+*nat
+<%= render 'iptables-nat.erb' %>
+COMMIT
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
new file mode 100644
index 0000000..209abce
--- /dev/null
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -0,0 +1,9 @@
+
+# HTTP Ports
+-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Port redirect to gitlab host (integration)
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+# Real SSH connection
+-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
new file mode 100644
index 0000000..f0c32fa
--- /dev/null
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
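Review bot: The FORWARD chain in iptables.erb holds only `-A FORWARD -j LOG` and `-A FORWARD -j DROP`, with no ACCEPT before them, yet host-reverseproxy/iptables-nat.erb (the `@@ -0,0 +1,6 @@` hunk below) DNATs port 22 to the integration host; a packet rewritten by DNAT to another host traverses FORWARD, not INPUT, so unless forwarding is accepted somewhere outside this diff, the `# Port redirect to gitlab host (integration)` INPUT rule in host-reverseproxy/iptables-filter.erb does not admit that traffic and the forwarded git pushes end up logged and dropped. Because the partial is spliced into the `*filter` section ahead of the terminal rules, the fix fits in the reverseproxy filter partial: `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` followed by `-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp -m state --state NEW --dport 22 -j ACCEPT`, scoped to the one destination rather than a blanket FORWARD accept. Nothing in this diff enables `net.ipv4.ip_forward` either; if that is not handled elsewhere the DNAT cannot work regardless, and a comment next to the FORWARD rules stating where forwarding is switched on would settle it.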
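Review bot: `--dport <%= node['config']['alt_ssh_port'] %>` in host-reverseproxy/iptables-filter.erb renders as `--dport  -j ACCEPT` when the key is missing from config.yaml, and that error only surfaces when `iptables-restore` rejects the file during the restart the recipe triggers, after the previous rules may already have been flushed; `<%= node['config'].fetch('alt_ssh_port') %>` fails while the template is rendered, before anything touches the running firewall. The comment `# Port redirect to gitlab host (integration)` describes the NAT partial's purpose rather than what the port-22 INPUT rule does on this host; something like `# port 22 here is the DNAT target rewritten in iptables-nat.erb; the local sshd appears to listen on alt_ssh_port — TODO confirm` would be accurate and would tell the reader where the two halves live.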
@@ -0,0 +1,6 @@
+
+# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH)
+
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
deleted file mode 100644
index 6f1ab55..0000000
--- a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
+++ /dev/null
@@ -1,10 +0,0 @@
-
-<% content_for :iptables_nat do %>
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-<% end %>
-
-<%= render 'development.erb' %>
-- 
libgit2 0.21.2
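Review bot: The `-A POSTROUTING ... -j SNAT --to-source <%= node['peers']['reverseproxy'] %>` rule rewrites the client source, so sshd on the integration host records every forwarded push as coming from the reverseproxy address, and any per-source throttling or audit done there no longer sees the real origin. If the SNAT exists only so that return traffic routes back through the proxy (the hunk does not say), the comment should state that trade-off so nobody removes it or relies on integration's logs for attribution: `# SNAT keeps replies flowing back via reverseproxy; side effect: integration's auth logs only ever see this host's address, so attribution for port 22 must happen here`. The deleted host-reverseproxy/iptables.erb hunk is history and needs nothing.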