diff --git a/salt/firewall/priv-stateful.sh b/salt/firewall/priv-stateful.sh
new file mode 100644
index 000000000..b818c41
--- /dev/null
+++ b/salt/firewall/priv-stateful.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+if [ echo "$IFACE" | grep priv >/dev/null ]; then
+ iptables -F FORWARD
+ ip6tables -F FORWARD
+ iptables -P FORWARD DROP
+ ip6tables -P FORWARD DROP
+ iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ # loopback
+ iptables -A FORWARD -i lo -j ACCEPT
+ ip6tables -A FORWARD -i lo -j ACCEPT
+ # DHCP
+ iptables -A FORWARD -i $IFACE -p udp --dport 67 -j ACCEPT
+ # Deny by default
+ iptables -A FORWARD -j REJECT
+ ip6tables -A FORWARD -j REJECT
+fi
diff --git a/salt/firewall/priv-stateful.sls b/salt/firewall/priv-stateful.sls
new file mode 100644
index 000000000..6429299
--- /dev/null
+++ b/salt/firewall/priv-stateful.sls
@@ -0,0 +1,10 @@
+iptables:
+ pkg.installed: []
+
+/etc/network/if-pre-up.d/firewall:
+ file.managed:
+ - source: salt://firewall/priv-stateful.sh
+ - template: 'jinja'
+ - mode: 744
+ - require:
+ - pkg: iptables
diff --git a/salt/top.sls b/salt/top.sls
index 4edc570..284b679 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -12,6 +12,8 @@ base:
 - forwarding
 - bird
 - dhcp
+ 'priv13-gw':
+ - firewall.priv-stateful
 'pub-gw or serv-gw':
 - no-ssh
 - forwarding
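Review bot: The guard `if [ echo "$IFACE" | grep priv >/dev/null ]; then` is not a valid test — `[ echo "$IFACE"` runs `test` with two words and pipes its output into a `grep` that tries to read a file named `]`, so the condition takes grep's status, the block is in practice never entered and no FORWARD rules are installed; replace it with `case "$IFACE" in *priv*) ;; *) exit 0 ;; esac` ahead of the rule block, or `if printf '%s\n' "$IFACE" | grep -q priv; then`. Because `iptables -F FORWARD` runs before `iptables -P FORWARD DROP` (same for ip6tables), the chain is momentarily empty under whatever policy was previously set; issuing the `-P FORWARD DROP` lines first and flushing afterwards closes that window. The DHCP rule should quote the variable, `iptables -A FORWARD -i "$IFACE" -p udp --dport 67 -j ACCEPT`, so an unexpected value cannot split into extra arguments. Whether `--state ESTABLISHED` without RELATED is deliberate is not visible here; if not, `--state ESTABLISHED,RELATED` lets ICMP error replies for forwarded flows through instead of hitting the trailing REJECT.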
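Review bot: `- template: 'jinja'` renders a shell script that contains no Jinja markup, so it adds nothing today and means any future `{{` or `{%` in the script (awk blocks, brace expansion) would be consumed by the renderer before the file lands in `/etc/network/if-pre-up.d/`; either drop the line or add a state comment saying Jinja is reserved for a planned variable. The state only places the file, so rules take effect on the next interface pre-up event rather than when the state is applied — worth a one-line comment on `/etc/network/if-pre-up.d/firewall:` so operators know a highstate alone does not change the running ruleset.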