diff --git a/Dockerfile b/Dockerfile
index e33fab058..96170c0fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ RUN yum install -y python-requests && \
 curl https://raw.githubusercontent.com/openstack/tripleo-repos/master/tripleo_repos/main.py | python - -b train current-tripleo && \
 yum update -y && \
 yum install -y python-gunicorn openstack-ironic-api openstack-ironic-conductor crudini \
- iproute iptables dnsmasq httpd qemu-img-ev iscsi-initiator-utils parted gdisk psmisc \
+ iproute dnsmasq httpd qemu-img-ev iscsi-initiator-utils parted gdisk psmisc \
 sysvinit-tools mariadb-server genisoimage python-ironic-prometheus-exporter && \
 yum clean all && \
 rm -rf /var/cache/{yum,dnf}/*
diff --git a/rundnsmasq.sh b/rundnsmasq.sh
index 7a43a8cc9..d78126e30 100755
--- a/rundnsmasq.sh
+++ b/rundnsmasq.sh
@@ -27,13 +27,6 @@ for iface in $( echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
 sed -i -e "/^interface=.*/ a\except-interface=${iface}" /etc/dnsmasq.conf
 done
-# Allow access to dhcp and tftp server for pxeboot
-for port in 67 69 ; do
- if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p udp --dport "$port" -j ACCEPT 2>/dev/null ; then
- iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p udp --dport "$port" -j ACCEPT
- fi
-done
-
 /usr/sbin/dnsmasq -d -q -C /etc/dnsmasq.conf 2>&1 | tee /shared/log/dnsmasq/dnsmasq.log &
 /bin/runhealthcheck "dnsmasq" &>/dev/null &
 sleep infinity
diff --git a/runhttpd.sh b/runhttpd.sh
index 6c6867eca..a93171050 100755
--- a/runhttpd.sh
+++ b/runhttpd.sh
@@ -32,11 +32,6 @@ ln -s /shared/log/httpd/access_log /var/log/httpd/access_log
 touch /shared/log/httpd/error_log
 ln -s /shared/log/httpd/error_log /var/log/httpd/error_log
-# Allow external access
-if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp --dport "$HTTP_PORT" -j ACCEPT 2>/dev/null ; then
- iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp --dport "$HTTP_PORT" -j ACCEPT
-fi
-
 /usr/sbin/httpd &
 /bin/runhealthcheck "httpd" "$HTTP_PORT" &>/dev/null &
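Review bot: In the Dockerfile hunk, the context line `curl https://raw.githubusercontent.com/openstack/tripleo-repos/master/tripleo_repos/main.py | python - -b train current-tripleo` still executes whatever the `master` branch serves at build time, with no pinned revision and no integrity check, and this commit leaves it untouched. Because the script is piped straight into the interpreter and curl is called without `-f`, a failed or truncated download may go unnoticed, since the pipeline's status is python's unless pipefail is set. I would fetch a pinned revision to a file, verify it, and only then run it: `curl -fsSL -o /tmp/tripleo-repos-main.py https://raw.githubusercontent.com/openstack/tripleo-repos/<PINNED_COMMIT>/tripleo_repos/main.py && \`, `echo "<EXPECTED_SHA256>  /tmp/tripleo-repos-main.py" | sha256sum -c - && \`, `python /tmp/tripleo-repos-main.py -b train current-tripleo && \`. Both placeholders are for the maintainer to fill in, and this assumes the script behaves the same when run from a file as from stdin. The enclosing RUN instruction starts above the hunk, so the shell options in effect for it are not visible here.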
diff --git a/runironic-api.sh b/runironic-api.sh
index 790a4298e..4d8c703fe 100755
--- a/runironic-api.sh
+++ b/runironic-api.sh
@@ -2,10 +2,5 @@
 . /bin/configure-ironic.sh
-# Allow access to Ironic
-if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT > /dev/null 2>&1; then
- iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT
-fi
-
 exec /usr/bin/ironic-api --config-file /etc/ironic/ironic.conf \
 --log-file /shared/log/ironic/ironic-api.log
diff --git a/runironic-conductor.sh b/runironic-conductor.sh
index 5401b927f..96e2bd691 100755
--- a/runironic-conductor.sh
+++ b/runironic-conductor.sh
@@ -2,14 +2,6 @@
 . /bin/configure-ironic.sh
-# Allow access to mDNS
-if ! iptables -C INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then
- iptables -I INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT
-fi
-if ! iptables -C OUTPUT -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then
- iptables -I OUTPUT -p udp --dport 5353 -j ACCEPT
-fi
-
 # Ramdisk logs
 mkdir -p /shared/log/ironic/deploy
diff --git a/runironic.sh b/runironic.sh
index 3a05226ef..b02e80e86 100755
--- a/runironic.sh
+++ b/runironic.sh
@@ -2,19 +2,6 @@
 . /bin/configure-ironic.sh
-# Allow access to Ironic
-if ! iptables -C INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT > /dev/null 2>&1; then
- iptables -I INPUT -i "$PROVISIONING_INTERFACE" -p tcp -m tcp --dport 6385 -j ACCEPT
-fi
-
-# Allow access to mDNS
-if ! iptables -C INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then
- iptables -I INPUT -i $PROVISIONING_INTERFACE -p udp --dport 5353 -j ACCEPT
-fi
-if ! iptables -C OUTPUT -p udp --dport 5353 -j ACCEPT > /dev/null 2>&1; then
- iptables -I OUTPUT -p udp --dport 5353 -j ACCEPT
-fi
-
 ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade
 # Remove log files from last deployment