diff --git a/salt/upstream/dhcp.sls b/salt/upstream/dhcp.sls
index 7ded319..b0b9238 100644
--- a/salt/upstream/dhcp.sls
+++ b/salt/upstream/dhcp.sls
@@ -17,3 +17,13 @@ iptables:
 - mode: 744
 - require:
 - pkg: iptables
+
+/etc/network/if-pre-up.d/iptables:
+ file.managed:
+ - source: salt://upstream/iptables
+ - template: 'jinja'
+ - context:
+ upstream_iface: {{ dhcp_iface }}
+ - mode: 744
+ - require:
+ - pkg: iptables
diff --git a/salt/upstream/iptables b/salt/upstream/iptables
new file mode 100644
index 000000000..782fc4d
--- /dev/null
+++ b/salt/upstream/iptables
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ upstream_iface }}" ]; then
+ iptables -A INPUT -i "$IFACE" -j DROP
+ iptables -P INPUT ACCEPT
+fi
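Review bot: `upstream_iface: {{ dhcp_iface }}` hands the interface name to a root-run pre-up hook with no quoting and no check that it is set; where `dhcp_iface` is defined lies outside this hunk. If it renders empty or as a YAML null, the script's `[ "$IFACE" = "..." ]` test can never match, so the DROP rule is silently never installed, and a value containing YAML- or shell-significant characters would land unescaped inside the script's double quotes. I would write `upstream_iface: {{ dhcp_iface | yaml_dquote }}` and add a comment above the state along the lines of `# Firewall hook for the upstream (DHCP) interface; dhcp_iface must name an existing interface or no rule is applied.`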
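Review bot: The hook fails open: there is no `set -e`, so if `iptables -A INPUT -i "$IFACE" -j DROP` fails the script carries on, exits with the status of `iptables -P INPUT ACCEPT`, and the upstream interface comes up unfiltered. Adding `set -e` after the shebang makes a failed rule abort the hook (ifupdown normally stops configuring the interface when a pre-up script fails, which is worth confirming for the deployed version). `-A` also appends another copy of the rule on every ifup of that interface; `iptables -C INPUT -i "$IFACE" -j DROP 2>/dev/null || iptables -A INPUT -i "$IFACE" -j DROP` keeps it idempotent. `iptables -P INPUT ACCEPT` changes the policy for every interface rather than only the upstream one, and nothing here touches `ip6tables`, so both deserve a comment in the script, or a matching IPv6 rule if the upstream link carries IPv6.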