diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index 22c90c7..b6360ec 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -344,14 +344,21 @@
 -A OUTPUT -p vrrp -j ACCEPT
 {% endif %}
 #
+# INPUT POLICY
 {% if iptables_input_default_policy == 'REJECT' %}
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A INPUT -j {{ iptables_input_default_policy }}
 {% endif %}
-{% if iptables_nat_enabled or iptables_post_nat_enabled %}
--A FORWARD -j ACCEPT
-{% elif iptables_forward_default_policy == 'REJECT' %}
+#
+# FORWARD rules and POLICY
+{% if iptables_post_nat_enabled %}
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+{% for rule in iptables_nat_rules %}
+-A FORWARD {{ rule.options }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% if iptables_forward_default_policy == 'REJECT' %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A FORWARD -j {{ iptables_forward_default_policy }}
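Review bot: The added `-A FORWARD {{ rule.options }} -j ACCEPT` renders as a bare `-A FORWARD -j ACCEPT` whenever an entry's `options` is empty or whitespace, which silently restores the blanket forward-accept that this commit removes. I would wrap that line in `{% if rule.options | default('') | trim %}` … `{% endif %}` and iterate over `iptables_nat_rules | default([])`, so that a missing list or a blank entry cannot open the chain or break rendering. The entries appear to be shared with the NAT table (inferred from the variable name, since their definition is not visible here), so it is worth confirming that each `options` string is a valid and sufficiently narrow match in FORWARD. Hosts that set only `iptables_nat_enabled` now get no FORWARD accept and fall through to the default policy, which deserves a comment such as `# only iptables_post_nat_enabled opens FORWARD; iptables_nat_enabled alone relies on the default policy`. The closing `{% endif %}` of the final policy block lies outside this hunk.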