diff --git a/tasks/nat.yml b/tasks/nat.yml
index fc9a141..d9dff74 100644
--- a/tasks/nat.yml
+++ b/tasks/nat.yml
@@ -22,50 +22,16 @@
 net.ipv6.conf.all.disable_ipv6: 1
 net.ipv6.conf.default.disable_ipv6: 1
 
-# FIXME idempotence test fails obviously cause of these rules.
-# FIXME flush or not to flush?
-- name: Flush input rules
- iptables:
- chain: INPUT
- flush: yes
- notify: persist iptables
+- name: Upload firewall rules
+ template:
+ src: iptables-rules.j2
+ dest: /tmp/iptables-rules
+ mode: '0444'
 
-- name: Flush forward rules
- iptables:
- chain: FORWARD
- flush: yes
- notify: persist iptables
-
-- name: Flush nat rules
- iptables:
- table: nat
- chain: POSTROUTING
- flush: yes
- notify: persist iptables
-
-- name: Adds forward rules
- iptables:
- action: append
- chain: FORWARD
- source: "{{ item }}"
- jump: ACCEPT
- notify: persist iptables
- loop: "{{ vpn_gateway_configs[0].local.networks }} + {{ vpn_gateway_configs[0].remote.networks }}"
-
-- name: Reject the rest
- iptables:
- action: append
- chain: FORWARD
- jump: REJECT
- notify: persist iptables
-
-- name: Add NAT rules
- iptables:
- table: nat
- action: append
- chain: POSTROUTING
- source: "{{ item }}"
- #out_interface: "{{ wan_interface }}"
- jump: MASQUERADE
- notify: persist iptables
- loop: "{{ vpn_gateway_configs[0].local.networks }} + {{ vpn_gateway_configs[0].remote.networks }}"
+- name: Load firewall rules
+ shell: |
+ set -o pipefail
+ cat /tmp/iptables-rules | iptables-restore
+ args:
+ executable: /bin/bash
+ changed_when: False
diff --git a/templates/iptables-rules.j2 b/templates/iptables-rules.j2
new file mode 100644
index 0000000..05afdbf
--- /dev/null
+++ b/templates/iptables-rules.j2
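Review bot: Every removed task notified the `persist iptables` handler, but neither `Upload firewall rules` nor `Load firewall rules` does, so unless something outside this hunk saves the ruleset the rules loaded by `iptables-restore` are presumably lost on reboot and the box comes back with its default ACCEPT policies on FORWARD and POSTROUTING; put `notify: persist iptables` on the upload task, whose changed status is the one that actually reflects a ruleset change. Rendering the rules to the predictable, world-readable `/tmp/iptables-rules` (mode `'0444'`) also exposes the local and remote network ranges to every local user and leaves the file behind after the play; render it into a root-only location with `mode: '0600'`, e.g. `dest: /etc/iptables/rules.v4`, and load it with `shell: iptables-restore < /etc/iptables/rules.v4`, which drops the `cat` pipe and the `pipefail`/`/bin/bash` dependency as well. With `changed_when: False` a malformed template is only discovered when the live tables are already half-replaced; a preceding `iptables-restore --test` on the rendered file fails the play before anything is committed, and Ansible's convention is lowercase `changed_when: false`.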
@@ -0,0 +1,28 @@
+# Generated by iptables-save v1.6.1 on Tue Mar 24 10:02:12 2020
+*nat
+:PREROUTING ACCEPT [4:160]
+:INPUT ACCEPT [4:160]
+:OUTPUT ACCEPT [1:76]
+:POSTROUTING ACCEPT [1:76]
+{% for network in vpn_gateway_configs[0].local.networks %}
+-A POSTROUTING -s "{{ network }}" -j MASQUERADE
+{% endfor %}
+{% for network in vpn_gateway_configs[0].remote.networks %}
+-A POSTROUTING -s "{{ network }}" -j MASQUERADE
+{% endfor %}
+COMMIT
+# Completed on Tue Mar 24 10:02:12 2020
+# Generated by iptables-save v1.6.1 on Tue Mar 24 10:02:12 2020
+*filter
+:INPUT ACCEPT [106:6884]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [83:14956]
+{% for network in vpn_gateway_configs[0].local.networks %}
+-A FORWARD -s "{{ network }}" -j ACCEPT
+{% endfor %}
+{% for network in vpn_gateway_configs[0].remote.networks %}
+-A FORWARD -s "{{ network }}" -j ACCEPT
+{% endfor %}
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Tue Mar 24 10:02:12 2020
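Review bot: The forwarding rules `-A FORWARD -s "{{ network }}" -j ACCEPT` match on source address alone, with no ingress-interface or connection-state match, so a packet arriving from the WAN side with a forged source inside any local or remote range is forwarded and masqueraded like legitimate traffic; the commented-out `out_interface: "{{ wan_interface }}"` in the removed tasks suggests the role already knows its WAN interface, in which case new connections should only be accepted when they do not arrive on it, with one RELATED,ESTABLISHED rule carrying the replies. `:FORWARD ACCEPT` should become `:FORWARD DROP` so a ruleset that is edited or only partially applied fails closed instead of open. The `[4:160]`-style counters and the two iptables-save timestamp headers are artifacts of the captured dump, are ignored by iptables-restore unless `-c` is given, and make the template look like a live export; reset them to `[0:0]` and drop the comments.
```jinja2
{# … unchanged: *nat section … #}
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for network in vpn_gateway_configs[0].local.networks + vpn_gateway_configs[0].remote.networks %}
-A FORWARD ! -i {{ wan_interface }} -s "{{ network }}" -m conntrack --ctstate NEW -j ACCEPT
{% endfor %}
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
```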