diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml
index 830ca1c..37a0c80 100644
--- a/roles/iptables/defaults/main.yml
+++ b/roles/iptables/defaults/main.yml
@@ -16,6 +16,8 @@ iptables_default_head: |
   -A INPUT -i lo -j ACCEPT
   -A INPUT -m state --state NEW -p tcp --dport 22 -s {{ trusted_ip | default(['0.0.0.0/0']) | join(',') }} -j ACCEPT
   -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+  -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m state --state INVALID -j DROP
 iptables_default_tail: |
   -A INPUT -j LOGDENY
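Review bot: The two new FORWARD rules only have a security effect if something closes the FORWARD chain, and nothing visible in this hunk does: `iptables_default_tail` still ends with `-A INPUT -j LOGDENY` and has no FORWARD counterpart, so with iptables' built-in FORWARD policy of ACCEPT every NEW forwarded packet is still passed and the added RELATED,ESTABLISHED accept and INVALID drop change nothing for unsolicited traffic. Unless a `:FORWARD DROP [0:0]` policy line sits above this hunk, the tail should gain `-A FORWARD -j LOGDENY` (or the chain policy should be set to DROP) so FORWARD ends in an explicit deny the way INPUT does. Placing the INVALID drop after the RELATED,ESTABLISHED accept is the conventional order and is fine as written. The `iptables_default_head` block scalar begins above the hunk, so any policy lines it carries are not visible here.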