diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml
index 861006c..08cffda 100644
--- a/library/bootstrap-roles/centos-common/meta/main.yml
+++ b/library/bootstrap-roles/centos-common/meta/main.yml
@@ -11,3 +11,7 @@ dependencies:
 - { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
 - { role: '../../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
 - { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ when: zabbix_agent_install | bool
diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
index a99ad2c..b980565 100644
--- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
+++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
@@ -10,4 +10,8 @@ dependencies:
 - { role: '../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
 - { role: '../../library/roles/nagios', when: nagios_enabled is defined and nagios_enabled }
 - { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ when: zabbix_agent_install | bool
diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index fff1fb2..dfcc792 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
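Review bot: The `zabbix-agent` dependency added to centos-common/meta/main.yml tracks `version: master`, so each install of the role fetches whatever the branch head is at that moment, and that code then runs on every host the bootstrap role is applied to; the identical entry in deb-ubuntu-common/meta/main.yml has the same problem. Pin both to a reviewed release tag or a full commit hash, e.g. `version: '<tag-or-commit-sha>'`, and bump it deliberately. Separately, `when: zabbix_agent_install | bool` has no `is defined` guard, unlike the letsencrypt entry above it, while the iptables template in this same commit does test `is defined`. Unless the variable gets a default somewhere outside this diff, an unset value would presumably fail the conditional; `when: zabbix_agent_install | default(false) | bool` avoids that.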
@@ -175,6 +175,16 @@
 {% endif %}
 {% endif %}
 {% endif %}
+{% if zabbix_agent_install is defined and zabbix_agent_install %}
+{% if zabbix_agent_passive_checks_status == "enabled" %}
+# Zabbix servers that can send passive checks
+{% for ip in zabbix_monitoring_servers %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
+{% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
+{% endif %}
+
 {% if configure_munin is defined %}
 {% if configure_munin %}
 {% if munin_server %}
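Review bot: The outer guard `zabbix_agent_install is defined and zabbix_agent_install` tests plain truthiness, while the role dependency added in the same commit is gated on `zabbix_agent_install | bool`; a string value such as "false" would skip the agent role yet still render these rules. Use the same test in both places: `{% if zabbix_agent_install is defined and zabbix_agent_install | bool %}`. The inner block also reads `zabbix_agent_passive_checks_status`, `zabbix_monitoring_servers` and `zabbix_agent_tcp_port` unguarded, so they need defaults visible to the iptables role; an empty server list renders only the REJECT line, which fails closed. This is the v4 template only, so if the agent also listens on IPv6 the same allow-list needs a counterpart in the IPv6 ruleset, which is not part of this diff. Rules earlier in the template lie outside the hunk, so whether an earlier ACCEPT already matches this port cannot be checked from here.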