diff --git a/handlers/main.yml b/handlers/main.yml
index 56b8ceccb5e9315268d1e18674066d3c1eef9b3d..44b8a3c0342917de3647cf0bdf564848ffeed878 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,3 +14,40 @@
 name: "{{ item }}.service"
 state: restarted
 loop: "{{ vault_service_files.keys() | list }}"
+
+- name: save iptables rules (Debian)
+ block:
+ - name: Ordner für iptables-Config erstellen
+ ansible.builtin.file:
+ path: "/etc/iptables"
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0755"
+ listen: "save iptables rules"
+ - name: install netfilter-persistent to be able to save iptables rules
+ ansible.builtin.apt:
+ name: netfilter-persistent
+ state: present
+ listen: "save iptables rules"
+ # we exclude this task from being linted for "no-changed-when", because handlers only ever run if there's a change triggered by a task
+ - name: save iptables rules
+ ansible.builtin.command: 'netfilter-persistent save' # noqa no-changed-when
+ listen: "save iptables rules"
+ when: ansible_os_family == "Debian"
+
+- name: save iptables rules (RedHat)
+ block:
+ - name: make sure iptables config file exists
+ ansible.builtin.file:
+ path: "/etc/sysconfig/iptables"
+ state: touch
+ owner: "root"
+ group: "root"
+ mode: "0600"
+ listen: "save iptables rules"
+ # we exclude this task from being linted for "no-changed-when", because handlers only ever run if there's a change triggered by a task
+ - name: save rules
+ ansible.builtin.command: /usr/sbin/iptables-save # noqa no-changed-when
+ listen: "save iptables rules"
+ when: ansible_os_family == "RedHat"
diff --git a/tasks/main.yml b/tasks/main.yml
index 54e5df7048ef270e4abe971a7377563622e87d61..de0d353f72edd4039ff8b87876485aec6699a9f7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,6 +2,7 @@
 - name: include Ansible Vaults
 ansible.builtin.include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
 loop:
+ - "iptables.vault"
 - "nfs_mounts.vault"
 - "repos.vault"
 - "users_groups.vault"
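Review bot: In the RedHat block, `ansible.builtin.command: /usr/sbin/iptables-save` only prints the ruleset to stdout, so the file touched just above (`/etc/sysconfig/iptables`, mode `"0600"`) is never written and the rules do not survive a reboot; the handler needs a redirect, e.g. `ansible.builtin.shell: /usr/sbin/iptables-save > /etc/sysconfig/iptables # noqa no-changed-when`. For that file to be applied at boot the host presumably also needs the `iptables-services` package and its `iptables` unit enabled, which this hunk does not install, unlike the Debian branch that installs `netfilter-persistent`. On the Debian side, `netfilter-persistent save` relies on the iptables plugin shipped by `iptables-persistent`; if only `netfilter-persistent` is present the save may write nothing, so consider `name: [netfilter-persistent, iptables-persistent]` and confirm against the target release. Minor style: the task name `Ordner für iptables-Config erstellen` is the only German one in an otherwise English file.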
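Review bot: The `include Ansible Vaults` task now also loads `iptables.vault`, but it still runs without `no_log`, and `include_vars` returns the loaded variables as `ansible_facts` in its task result, which is printed at increased verbosity; if the vault holds anything sensitive, add `no_log: true` to the task. The task's first lines are inside the hunk but any keys after the loop (line 8 onward) are not, so whether this is already handled there cannot be confirmed from the diff.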
@@ -41,3 +42,7 @@
 - name: install SystemD-Services
 ansible.builtin.import_tasks: "configure-systemd-services.yml"
 tags: [systemd]
+
+- name: configure iptables Firewall
+ ansible.builtin.import_tasks: "configure_iptables_externalusers.yml"
+ tags: [iptables, firewall]
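Review bot: A run limited with `--tags iptables` or `--tags firewall` will execute the imported tasks but skip the untagged `include Ansible Vaults` task from the first hunk, leaving the variables from `iptables.vault` undefined, unless that task carries `tags: [always]` on a line outside the diff; if it does not, add it there. The new file name `configure_iptables_externalusers.yml` uses underscores while the sibling import on the line above uses `configure-systemd-services.yml` with hyphens, so one convention should be chosen for task-file names. The imported file itself is not in this diff, so it cannot be checked here that its tasks `notify: save iptables rules`, the `listen` name the new handlers in handlers/main.yml subscribe to.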