diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
index d795106e22..a826cef3eb 100644
--- a/install_files/ansible-base/roles/app/handlers/main.yml
+++ b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,9 +5,6 @@
     name: tor
     state: restarted
 
-- name: reload iptables rules
-  shell: iptables-restore < /etc/network/iptables/rules_v4
-
 ## App/securedrop section
 - name: restart apache2
   service:
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
index 2b06f4d6be..3215f70d5d 100644
--- a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
+++ b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -9,6 +9,7 @@ resolvconf_target_filepath: /etc/resolv.conf
 securedrop_common_packages:
   - apt-transport-https
   - aptitude
+  - iptables-persistent
   - unattended-upgrades
   - ntp
   - ntpdate
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
index 11c2fefbcd..05538598b8 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -27,6 +27,8 @@
     dest: /etc/network/if-up.d/load_iptables
     owner: root
     mode: "0744"
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Create iptables directory.
   file:
@@ -35,6 +37,8 @@
     owner: root
     group: root
     dest: /etc/network/iptables
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Determine local platform specific routing info
   set_fact:
@@ -59,7 +63,7 @@
 - name: Copy IPv4 iptables rules.
   template:
     src: rules_v4
-    dest: /etc/network/iptables/rules_v4
+    dest: "{{ iptables_v4_path }}"
     owner: root
     mode: "0644"
   notify: drop flag for reboot
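Review bot: With the `reload iptables rules` handler removed, nothing visible in this diff applies a changed rules file to the running kernel on focal; the IPv4 template task only notifies `drop flag for reboot`, so a host keeps whatever ruleset is currently loaded until it is rebooted (on xenial the if-up.d loader still covers interface restarts). If deferring enforcement to the reboot is intentional it should be said in the handler file, otherwise a focal-aware replacement keeps the immediate-apply path: `- name: reload iptables rules` / `  command: netfilter-persistent reload` / `  when: ansible_distribution_release == 'focal'`. Any task elsewhere that still notifies the deleted handler will now abort the run with an undefined-handler error, which is at least a loud failure rather than a silent one.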
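Review bot: Installing `iptables-persistent` from the common role means its postinst may, depending on the `iptables-persistent/autosave_v4` and `autosave_v6` debconf answers, snapshot whatever ruleset is loaded at install time into `/etc/iptables/rules.v4` and `rules.v6`; that snapshot only stays harmless if the restrict-direct-access templates always overwrite both files later in the same run, which this diff cannot show, so the role order is worth confirming. Preseeding both answers to `false` with a `debconf` task before this package list is applied removes the possibility that an installer-time snapshot of a permissive ruleset ever becomes the persisted policy.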
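Review bot: On focal the legacy loader `/etc/network/if-up.d/load_iptables` and the `/etc/network/iptables` directory are only no longer managed, not removed, so a host upgraded in place from xenial keeps an executable if-up hook that presumably runs `iptables-restore` against the old `rules_v4` on every interface up and can silently replace the netfilter-persistent ruleset with a stale one. A cleanup task gated on focal, as below, closes that gap. The task owning the `dest: /etc/network/if-up.d/load_iptables` line starts outside the hunk. As a point of style, the literal `'xenial'` repeated in two `when:` lists could become a boolean in the per-release vars files this change introduces, so the gating and the paths live in one place.
```yaml
- name: Remove legacy if-up.d iptables loader and rules directory on focal.
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/network/if-up.d/load_iptables
    - /etc/network/iptables
  when:
    - ansible_distribution_release == 'focal'
```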
@@ -67,6 +71,6 @@
 - name: Copy IPv6 iptables rules.
   copy:
     src: iptables_rules_v6
-    dest: /etc/network/iptables/rules_v6
+    dest: "{{ iptables_v6_path }}"
     owner: root
     mode: "0644"
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
index 2be2d68ca2..af075ecbbf 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+
 - include: fetch_tor_config.yml
   when: fetch_tor_client_auth_configs
diff --git a/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_focal.yml
new file mode 100644
index 0000000000..ba77192b76
--- /dev/null
+++ b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_focal.yml
@@ -0,0 +1,3 @@
+---
+iptables_v4_path: /etc/iptables/rules.v4
+iptables_v6_path: /etc/iptables/rules.v6
diff --git a/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_xenial.yml b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_xenial.yml
new file mode 100644
index 0000000000..e368bc45a5
--- /dev/null
+++ b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_xenial.yml
@@ -0,0 +1,3 @@
+---
+iptables_v4_path: /etc/network/iptables/rules_v4
+iptables_v6_path: /etc/network/iptables/rules_v6
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
index 1920b9004c..519d1afeb2 100644
--- a/molecule/testinfra/common/test_system_hardening.py
+++ b/molecule/testinfra/common/test_system_hardening.py
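Review bot: The new `include_vars` line builds the file name from facts, so a host on any release other than the two vars files added here fails at the first task of the role with a generic file-not-found; that is the right fail-closed outcome for firewall provisioning, but the cause is easy to misread. A preceding guard makes the contract explicit: `- assert:` / `    that: ansible_distribution_release in ['xenial', 'focal']` / `    msg: "restrict-direct-access has no iptables vars for this release"`. The IPv6 copy task in the first hunk, like the IPv4 one, now writes to the per-release path but nothing in the diff notifies a reload for it, which is consistent with the reboot-flag approach only if the IPv6 rules file is expected to change together with IPv4.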
@@ -154,3 +154,14 @@ def test_no_ecrypt_messages_in_logs(host, logfile):
 def test_unused_packages_are_removed(host, package):
     """ Check if unused package is present """
     assert host.package(package).is_installed is False
+
+
+def test_iptables_packages(host):
+    """
+    Focal hosts should use iptables-persistent for enforcing
+    firewall config across reboots.
+    """
+    if host.system_info.codename == "focal":
+        assert host.package("iptables-persistent").is_installed
+    else:
+        assert not host.package("iptables-persistent").is_installed
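Review bot: The focal branch of `test_iptables_packages` only proves the package is installed, which is not the property the docstring states; rules are restored at boot only if the `netfilter-persistent` unit is enabled and the rules files exist where the role now writes them. Extend the focal branch with `assert host.service("netfilter-persistent").is_enabled` and `assert host.file("/etc/iptables/rules.v4").exists` (and the `rules.v6` counterpart), so a regression in the role's path variables or a masked unit is caught rather than a merely present package. The `else` branch asserting the package is absent on non-focal hosts is fine as written.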