diff --git a/modules.env b/modules.env
index 1599ed2ca8..f936284d6d 100644
--- a/modules.env
+++ b/modules.env
@@ -60,6 +60,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-asterisk"]
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elasticsearch"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-gerrit"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-storyboard"]="origin/master"
+INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-iptables"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-zuul"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kibana"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-lodgeit"]="origin/master"
diff --git a/modules/iptables/manifests/init.pp b/modules/iptables/manifests/init.pp
deleted file mode 100644
index b6448a6ca4..0000000000
--- a/modules/iptables/manifests/init.pp
+++ /dev/null
@@ -1,89 +0,0 @@
-# Class: iptables
-#
-# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
-#
-# params:
-# rules4: A list of additional iptables v4 rules
-# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
-# rules6: A list of additional iptables v6 rules
-# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
-# public_tcp_ports: List of integer TCP ports on which to allow all traffic
-# public_udp_ports: List of integer UDP ports on which to allow all traffic
-class iptables(
- $rules4 = [],
- $rules6 = [],
- $public_tcp_ports = [],
- $public_udp_ports = []
-) {
-
- include iptables::params
-
- package { 'iptables':
- ensure => present,
- name => $::iptables::params::package_name,
- }
-
- if ($::in_chroot) {
- notify { 'iptables in chroot':
- message => 'Iptables not refreshed, running in chroot',
- }
- $notify_iptables = []
- }
- else {
- service { 'iptables':
- name => $::iptables::params::service_name,
- require => Package['iptables'],
- hasstatus => $::iptables::params::service_has_status,
- status => $::iptables::params::service_status_cmd,
- hasrestart => $::iptables::params::service_has_restart,
- enable => true,
- }
- $notify_iptables = Service['iptables']
- }
-
- file { $::iptables::params::rules_dir:
- ensure => directory,
- require => Package['iptables'],
- }
-
- # This file is not required on Red Hat distros... but it
- # won't hurt to softlink to it either
- file { "${::iptables::params::rules_dir}/rules":
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => template('iptables/rules.erb'),
- require => [
- Package['iptables'],
- File[$::iptables::params::rules_dir],
- ],
- # When this file is updated, make sure the rules get reloaded.
- notify => $notify_iptables,
- }
-
- file { $::iptables::params::ipv4_rules:
- ensure => link,
- owner => 'root',
- group => 'root',
- mode => '0640',
- target => "${::iptables::params::rules_dir}/rules",
- require => File["${::iptables::params::rules_dir}/rules"],
- notify => $notify_iptables,
- }
-
- file { $::iptables::params::ipv6_rules:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => template('iptables/rules.v6.erb'),
- require => [
- Package['iptables'],
- File[$::iptables::params::rules_dir],
- ],
- # When this file is updated, make sure the rules get reloaded.
- notify => $notify_iptables,
- replace => true,
- }
-}
diff --git a/modules/iptables/manifests/params.pp b/modules/iptables/manifests/params.pp
deleted file mode 100644
index 6c9f308bc4..0000000000
--- a/modules/iptables/manifests/params.pp
+++ /dev/null
@@ -1,60 +0,0 @@
-# Class: iptables::params
-#
-# This class holds parameters that need to be
-# accessed by other classes.
-class iptables::params {
- case $::osfamily {
- 'RedHat': {
- case $::operatingsystem {
- 'Fedora': {
- $package_name = 'iptables-services'
- $service_has_restart = true
- }
- 'RedHat','CentOS','Scientific': {
- case $::operatingsystemrelease {
- /^7/: {
- $package_name = 'iptables-services'
- $service_has_restart = true
- }
- /^6/: {
- $package_name = 'iptables'
- $service_has_restart = false
- }
- default: {
- fail("Unsupported operatingsystemrelease: ${::operatingsystemrelease} The 'iptables' module recognize only 6, 7 as RedHat major versions.")
- }
- }
- }
- default: {
- fail("Unsupported operatingsystem: ${::operatingsystem} The 'iptables' module with RedHat osfamily.")
- }
- }
- $service_name = 'iptables'
- $rules_dir = '/etc/sysconfig'
- $ipv4_rules = '/etc/sysconfig/iptables'
- $ipv6_rules = '/etc/sysconfig/ip6tables'
- $service_has_status = true
- $service_status_cmd = undef
- }
- 'Debian': {
- $package_name = 'iptables-persistent'
- $service_name = 'iptables-persistent'
- $rules_dir = '/etc/iptables'
- $ipv4_rules = '/etc/iptables/rules.v4'
- $ipv6_rules = '/etc/iptables/rules.v6'
- # Because there is no running process for this service, the normal status
- # checks fail. Because puppet then thinks the service has been manually
- # stopped, it won't restart it. This fake status command will trick
- # puppet into thinking the service is *always* running (which in a way
- # it is, as iptables is part of the kernel.)
- $service_has_status = true
- $service_status_cmd = true
- # Under Debian, the "restart" parameter does not reload the rules, so
- # tell Puppet to fall back to stop/start, which does work.
- $service_has_restart = false
- }
- default: {
- fail("Unsupported osfamily: ${::osfamily} The 'iptables' module only supports osfamily Debian or RedHat (slaves only).")
- }
- }
-}
diff --git a/modules/iptables/templates/rules.erb b/modules/iptables/templates/rules.erb
deleted file mode 100644
index 23283ced5a..0000000000
--- a/modules/iptables/templates/rules.erb
+++ /dev/null
@@ -1,29 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
-#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
--A openstack-INPUT -m udp -p udp --dport 161 -s 198.61.215.188 -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules4.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/modules/iptables/templates/rules.v6.erb b/modules/iptables/templates/rules.v6.erb
deleted file mode 100644
index 8bbc6fe287..0000000000
--- a/modules/iptables/templates/rules.v6.erb
+++ /dev/null
@@ -1,27 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmpv6 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:780d:0509:3bc3:d7f6:ff04:49de -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules6.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-COMMIT