diff --git a/.ansible-lint b/.ansible-lint
index 45c4c5d..5607cbe 100755
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -5,3 +5,4 @@ mock_modules:
 - community.postgresql.postgresql_user
 - community.postgresql.postgresql_owner
 - community.docker.docker_image
+ - community.general.iptables_state
diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
new file mode 100644
index 0000000..ed72722
--- /dev/null
+++ b/roles/firewall/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+firewall_open_tcp: []
+firewall_open_udp: []
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..7ad16a4
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# How it works?
+# OUTPUT: allowed everywhere
+# INPUT: blocked all except 22 and specific ports
+
+- name: Uninstall unsupported firewalls
+ ansible.builtin.apt:
+ pkg:
+ - ufw
+ - firewalld
+ state: absent
+
+- name: Install iptables
+ ansible.builtin.apt:
+ pkg:
+ - iptables
+ - iptables-persistent
+ state: present
+
+- name: Template restore file
+ ansible.builtin.template:
+ src: "etc/iptables-restore.apply"
+ dest: "/etc/iptables-restore.apply"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ register: iptables_restore_file
+
+- name: Restore firewall state from a file
+ community.general.iptables_state:
+ state: restored
+ path: /etc/iptables-restore.apply
+ noflush: false
+ async: "{{ ansible_timeout }}"
+ poll: 0
+ when: iptables_restore_file.changed # noqa: no-handler
diff --git a/roles/firewall/templates/etc/iptables-restore.apply b/roles/firewall/templates/etc/iptables-restore.apply
new file mode 100644
index 0000000..b98fe0f
--- /dev/null
+++ b/roles/firewall/templates/etc/iptables-restore.apply
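Review bot: The "Restore firewall state from a file" task only loads the ruleset into the running tables; nothing in this task file saves it to the path the iptables-persistent package installed two tasks earlier reads at boot, so the INPUT DROP policy is lost on reboot unless a save step exists outside this diff. community.general.iptables_state supports `state: saved` with a `path`, so a follow-up task with `state: saved` and `path: /etc/iptables/rules.v4` after the restore would close that gap. The `when: iptables_restore_file.changed` guard compounds this: a ruleset that was flushed on the host is not re-applied until the template itself changes, so the task should probably also run when the host's saved rules are missing. Note too that ufw and firewalld are purged in the first task, before any iptables rules are in place, which leaves a window with no inbound filtering on hosts that previously relied on them; moving the uninstall after the restore (or at least documenting the ordering in the header comment) would make this explicit.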
@@ -0,0 +1,21 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:VEGATCP - [0:0]
+:VEGAUDP - [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j VEGATCP
+-A INPUT -p tcp -j VEGAUDP
+
+{% for port in firewall_open_tcp %}
+-A VEGATCP -p tcp -m tcp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+
+{% for port in firewall_open_udp %}
+-A VEGAUDP -p udp -m udp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+COMMIT
diff --git a/roles/vega_core/tasks/restart_network.yaml b/roles/vega_core/tasks/restart-network.yaml
similarity index 100%
rename from roles/vega_core/tasks/restart_network.yaml
rename to roles/vega_core/tasks/restart-network.yaml
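Review bot: `-A INPUT -p tcp -j VEGAUDP` sends TCP traffic into the UDP chain; it should read `-A INPUT -p udp -j VEGAUDP`, otherwise no UDP packet ever reaches the VEGAUDP rules and every port listed in firewall_open_udp stays blocked under the INPUT DROP policy (TCP packets also traverse VEGAUDP, where none of the `-p udp` rules can match). The ruleset is IPv4 only and, as far as this diff shows, the restore task does not set the module's ip_version, so a host with a global IPv6 address keeps an unfiltered INPUT chain there; a comment such as `# IPv4 only: ip6tables is not managed by this role` at the top of the file would at least make that visible. The `--dport 53` rule accepts inbound DNS queries, which the header comment in tasks/main.yml ("blocked all except 22 and specific ports") does not mention; replies to the host's own lookups are already covered by the RELATED,ESTABLISHED rule, so this line is only needed if the host serves DNS and deserves a comment saying so.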