diff --git a/roles/nat_server/tasks/main.yml b/roles/nat_server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3d1ecc49ed17d0231ce62c0e9c2702f89b16d75d
--- /dev/null
+++ b/roles/nat_server/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# make sure firewalld is not installed
+- name: make sure firewalld is not installed
+  yum: name={{ item }} state=absent
+  become: true
+  become_user: root
+  with_items:
+  - firewalld
+  - firewall-config
+
+# make sure iptables is installed
+- name: make sure iptables-services is installed
+  yum: name=iptables-services state=present
+  become: true
+  become_user: root
+
+- name: make sure iptables service is running
+  service: name=iptables state=started enabled=yes
+  become: true
+  become_user: root
+
+    
+# template ip tables rules or add rules on startup?
+- name: template rules
+  template: dest=/etc/sysconfig/iptables src=iptables.j2
+  become: true
+  become_user: root
+  register: rule_changed
+
+- name: restore rules
+  shell: iptables-restore
+  become: true
+  become_user: root
+  when: rule_changed | changed
+
+# make sure ip forwarding is enabled
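Review bot: The `restore rules` task near the end of the hunk does not load the file it just templated: `iptables-restore` with no file argument reads the ruleset from stdin, which Ansible's `shell` module does not supply, so the task most likely applies nothing even though `/etc/sysconfig/iptables` changed. Point it at the file — `shell: iptables-restore < /etc/sysconfig/iptables` — or, since `iptables-services` is already installed, use `service: name=iptables state=restarted` so the same load path is used on boot and on change. The closing comment `# make sure ip forwarding is enabled` has no task under it; without `net.ipv4.ip_forward=1` the MASQUERADE rule in the companion template never sees forwarded traffic, so add a `sysctl` task with `name=net.ipv4.ip_forward value=1 sysctl_set=yes state=present reload=yes`. The service is started before the rules are templated, so the packaged default ruleset is active until the restore runs; templating first avoids that window. `when: rule_changed | changed` is the deprecated filter form — on Ansible 2.5 or later write `when: rule_changed is changed`.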
diff --git a/roles/nat_server/templates/iptables.j2 b/roles/nat_server/templates/iptables.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1decc94e170256b136a56b0dfc609b1fc89bc0fd
--- /dev/null
+++ b/roles/nat_server/templates/iptables.j2
@@ -0,0 +1,33 @@
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o eth2 -j MASQUERADE
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i mlx0 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
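Review bot: The `*filter` FORWARD chain at the bottom of the hunk has policy ACCEPT and only two interface-match rules, so the gateway forwards every packet in every direction — including new flows arriving on eth2, which the MASQUERADE rule implies is the external side — instead of limiting itself to internal-to-external traffic plus replies. Change the policy to `:FORWARD DROP [0:0]` and add `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` ahead of the existing `-i mlx0` and `-i eth1` accepts; the two existing rules then admit only flows originating on the internal interfaces, and everything else is dropped. The INPUT rule for port 22 carries no `-i` match either, so SSH is reachable on eth2 as well; if that is unintended, add an `-i eth1`/`-i mlx0` or a `-s` source restriction to it. The file is a `.j2` template but contains no Jinja expressions — the interface names (eth1, eth2, mlx0, virbr0) are hard-coded and the `# Generated by iptables-save ... 2016` headers will mislead anyone reading the deployed file — so consider `{{ nat_external_iface }}`-style variables and dropping the timestamp lines.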