diff --git a/defaults/main.yml b/defaults/main.yml
index fffaae3..89c6849 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,6 +13,7 @@
 postgres_log_filename: postgresql.log
 postgres_log_rotation_age: 1d
 postgres_log_rotation_size: 0
+postgres_iptables_enabled: False
 postgres_connection_port: 5432
 postgres_connection_addresses:
 - localhost
diff --git a/tasks/config.yml b/tasks/config.yml
index 78a2172..0fd748a 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -1,27 +1,34 @@
 ---
 - block:
- - name: Setup global config file
- template:
- src: postgresql/data/postgresql.conf.j2
- dest: "{{ __postgres_config_path }}/postgresql.conf"
- mode: 0600
- notify: __postgres_restart
+ - name: Setup global config file
+ template:
+ src: postgresql/data/postgresql.conf.j2
+ dest: "{{ __postgres_config_path }}/postgresql.conf"
+ mode: 0600
+ notify: __postgres_restart
- - name: Create local users for pam auth
- user:
- name: "{{ item.name }}"
- password: "{{ item.password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
- state: "{{ item.state | default('present') }}"
- with_items: "{{ postgres_users }}"
- no_log: True
- when: item.pam_user | default(False)
+ - name: Create local users for pam auth
+ user:
+ name: "{{ item.name }}"
+ password: "{{ item.password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
+ state: "{{ item.state | default('present') }}"
+ with_items: "{{ postgres_users }}"
+ no_log: True
+ when: item.pam_user | default(False)
- - name: Setup client authentication
- template:
- src: postgresql/data/pg_hba.conf.j2
- dest: "{{ __postgres_config_path }}/pg_hba.conf"
- mode: 0600
- notify: __postgres_restart
+ - name: Setup client authentication
+ template:
+ src: postgresql/data/pg_hba.conf.j2
+ dest: "{{ __postgres_config_path }}/pg_hba.conf"
+ mode: 0600
+ notify: __postgres_restart
+
+ - name: Open ports in iptables
+ iptables_raw:
+ name: allow_postgres_port
+ state: present
+ rules: '-A INPUT -m state --state NEW -p tcp --dport {{ postgres_connection_port }} -j ACCEPT' when: postgres_iptables_enabled
 become: True
 become_user: root
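Review bot: The new `Open ports in iptables` task can only ever add the rule: with `state: present` guarded by `when: postgres_iptables_enabled`, turning the flag back to `False` skips the task and leaves the ACCEPT rule in place on hosts where a previous run applied it. Deriving the state from the flag instead, `state: "{{ 'present' if postgres_iptables_enabled else 'absent' }}"` with the `when:` line removed, makes the toggle reversible. The rule `-A INPUT -m state --state NEW -p tcp --dport {{ postgres_connection_port }} -j ACCEPT` accepts new connections from any source address, so network-level access to the server then rests entirely on pg_hba.conf; consider a `-s` restriction to the expected client networks, or at least a comment above the task stating that the rule is intentionally unrestricted and that pg_hba.conf is the access control. `iptables_raw` does not appear to be a core Ansible module; if it comes from an external role or collection, that dependency should be declared in the role's metadata/requirements and mentioned in the README.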