diff --git a/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v4 b/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v4
new file mode 100644
index 0000000..0d2bb89
--- /dev/null
+++ b/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v4
@@ -0,0 +1,10 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type ping -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+COMMIT
diff --git a/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v6 b/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v6
new file mode 100644
index 0000000..f843db4
--- /dev/null
+++ b/ubuntu/roles/firewall-ruleset-deploy/files/gard.asininetech.net.rules.v6
@@ -0,0 +1,18 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+:icmp_in -
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 5665 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+COMMIT
diff --git a/ubuntu/roles/firewall-ruleset-deploy/tasks/main.yml b/ubuntu/roles/firewall-ruleset-deploy/tasks/main.yml
new file mode 100644
index 0000000..8768fd3
--- /dev/null
+++ b/ubuntu/roles/firewall-ruleset-deploy/tasks/main.yml
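Review bot: The ruleset relies on the `:INPUT DROP` policy to discard everything not listed, but there is no LOG rule ahead of it, so nothing this host drops is ever recorded; adding `-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-input-drop: "` immediately before `COMMIT` gives operators a rate-limited audit trail without changing what is accepted. The two exposed ports carry no explanation — iptables-restore accepts `#` comment lines, so a line such as `# 5665/tcp: <service name — TODO confirm>` above that rule would tell the next maintainer why it is open (5665 is the default Icinga 2 API port, which may be what it is for). Both 22 and 5665 accept connections from any source, with no `-s` restriction and no connection-rate limit; if the management network is known, narrowing the source would shrink the exposed surface. The same logging and comment points apply to the rules.v6 hunk below.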
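Review bot: The `icmp_in` chain is declared and populated but nothing in `INPUT` jumps to it, so under the `:INPUT DROP` policy every inbound ICMPv6 packet — including the Neighbor Discovery types 135/136 the chain is meant to admit — is dropped, which will most likely break IPv6 reachability for this host; add `-A INPUT -p ipv6-icmp -j icmp_in` after the loopback rule. Once that jump exists, the first chain rule `-A icmp_in -p ipv6-icmp -m icmp6 -j ACCEPT` accepts all ICMPv6 unconditionally and makes the seven type-specific rules below it unreachable; keep either the blanket accept or the explicit list, not both. If the explicit list is kept, note that echo-request (type 128, the counterpart of the `--icmp-type ping` rule in rules.v4) is not in it. Ending `icmp_in` with an explicit `-A icmp_in -j RETURN` would also make the chain's fall-through to the INPUT policy visible rather than implicit.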
@@ -0,0 +1,29 @@
+---
+# This role deploys firewall rulesets to Ubuntu hosts
+
+- name: Make sure iptables and netfilter-persistent are installed
+ apt:
+ name: "{{ packages }}"
+ state: latest
+ vars:
+ packages:
+ - iptables-persistent
+ - netfilter-persistent
+
+- name: Copy IPv4 ruleset
+ copy:
+ src: {{ ansible_fqdn }}.rules.v4
+ dest: /etc/iptables/rules.v4
+ backup: yes
+
+- name: Copy IPv6 ruleset
+ copy:
+ src: {{ ansible_fqdn }}.rules.v6
+ dest: /etc/iptables/rules.v6
+ backup: yes
+
+- name: Restart netfilter-persistent service to load rulesets
+ service:
+ name: netfilter-persistent
+ state: restarted
+ enabled: yes
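Review bot: `src: {{ ansible_fqdn }}.rules.v4` (and its v6 twin) is not valid YAML — an unquoted value beginning with `{` is parsed as a flow mapping before Jinja ever runs, so the role fails to load; write `src: "{{ ansible_fqdn }}.rules.v4"` and `src: "{{ ansible_fqdn }}.rules.v6"`. `backup: yes` and `enabled: yes` depend on YAML 1.1 truthy literals, and `true` is the unambiguous spelling. `state: latest` on the apt task upgrades the packages on every run rather than just ensuring they are installed, so a routine deploy can pull in a new iptables-persistent build unreviewed — `state: present` is the predictable choice for a role whose job is ruleset deployment. The final task restarts netfilter-persistent unconditionally; making it a handler that the two copy tasks `notify` would reload rules only when a ruleset actually changed. The task-body indentation cannot be confirmed from this collapsed rendering, so the usual two-space levels are assumed.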