diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
index d795106e22..aadc67ab01 100644
--- a/install_files/ansible-base/roles/app/handlers/main.yml
+++ b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,8 +5,15 @@
 name: tor
 state: restarted
-- name: reload iptables rules
+- name: reload iptables rules for xenial
 shell: iptables-restore < /etc/network/iptables/rules_v4
+ when:
+ - ansible_distribution_release == 'xenial'
+
+- name: reload iptables rules for focal
+ shell: iptables-restore < /etc/iptables/rules.v4
+ when:
+ - ansible_distribution_release == 'focal'
 ## App/securedrop section
 - name: restart apache2
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
index 2b06f4d6be..3215f70d5d 100644
--- a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
+++ b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -9,6 +9,7 @@ resolvconf_target_filepath: /etc/resolv.conf
 securedrop_common_packages:
 - apt-transport-https
 - aptitude
+ - iptables-persistent
 - unattended-upgrades
 - ntp
 - ntpdate
diff --git a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
index 1fcd2047fc..48c8e1e23b 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
+++ b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
@@ -2,6 +2,8 @@
 # Description: apply the securedrop iptable rules
 if [ -f /etc/network/iptables/rules_v4 ]; then
 iptables-restore < /etc/network/iptables/rules_v4
+elif [ -f /etc/iptables/rules.v4 ]; then
+ iptables-restore < /etc/iptables/rules.v4
 else
 echo "Iptables rules file does not exist"
 exit 1
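Review bot: Renaming the handler from `reload iptables rules` to two release-specific names breaks any task elsewhere in the repository that still does `notify: reload iptables rules` — Ansible aborts the play with a missing-handler error rather than skipping it, and no caller is updated in this diff, so I cannot tell from here whether one exists. Keeping the old name as a listen topic on both new handlers, `listen: reload iptables rules` under each `- name:`, lets existing notifies keep working while the `ansible_distribution_release` conditions choose the path. Both handlers also restore only the v4 rule set, so a changed rules.v6 is not applied by either; if that is deliberate, a comment saying so would help, otherwise add the matching `ip6tables-restore` line for each release.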
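Review bot: The new `iptables-persistent` entry is undocumented, and it matters: the package brings in `netfilter-persistent`, which loads `/etc/iptables/rules.v4` and `rules.v6` at boot on its own, so on focal there are now two independent loaders of the same files (this package and the `load_iptables` script). A comment on the entry naming which mechanism is authoritative on focal, e.g. `# provides netfilter-persistent, which loads /etc/iptables/rules.v{4,6} at boot`, would save the next maintainer from guessing. The package's postinst can also snapshot whatever rule set is loaded at install time into those files when they do not yet exist, so the ordering of this role relative to restrict-direct-access is worth confirming rather than assuming.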
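Review bot: The new `elif` is only reached when the legacy `/etc/network/iptables/rules_v4` is absent, so on a host upgraded from xenial to focal — where nothing in this diff removes the legacy file and iptables.yml now writes only `/etc/iptables/rules.v4` on focal — the stale xenial rule set would be restored in preference to the current one. Test the focal path first, or remove the legacy files on focal; the swap is two lines: `if [ -f /etc/iptables/rules.v4 ]; then iptables-restore < /etc/iptables/rules.v4` followed by `elif [ -f /etc/network/iptables/rules_v4 ]; then iptables-restore < /etc/network/iptables/rules_v4`. The IPv6 hunk of the same file (`@@ -9,6 +11,8 @@`) has the same ordering and needs the same treatment. Whether this script still runs on focal alongside netfilter-persistent is not visible here.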
@@ -9,6 +11,8 @@ fi
 if [ -f /etc/network/iptables/rules_v6 ]; then
 ip6tables-restore < /etc/network/iptables/rules_v6
+elif [ -f /etc/iptables/rules.v6 ]; then
+ ip6tables-restore < /etc/iptables/rules.v6
 else
 echo "Ip6tables rules file does not exist"
 exit 1
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
index 11c2fefbcd..d03fcb9014 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -35,6 +35,8 @@
 owner: root
 group: root
 dest: /etc/network/iptables
+ when:
+ - ansible_distribution_release == 'xenial'
 - name: Determine local platform specific routing info
 set_fact:
@@ -59,7 +61,7 @@
 - name: Copy IPv4 iptables rules.
 template:
 src: rules_v4
- dest: /etc/network/iptables/rules_v4
+ dest: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v4' }}"
 owner: root
 mode: "0644"
 notify: drop flag for reboot
@@ -67,6 +69,6 @@
 - name: Copy IPv6 iptables rules.
 copy:
 src: iptables_rules_v6
- dest: /etc/network/iptables/rules_v6
+ dest: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v6' }}"
 owner: root
 mode: "0644"
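Review bot: The directory task is now skipped unless the release is exactly `xenial`, but the templated `dest:` in the two copy tasks (`@@ -59,7 +61,7 @@` and `@@ -67,6 +69,6 @@`) falls back to `/etc/network/iptables/...` for every release that is not `focal`, so on any other release the rules would be copied into a directory this role no longer creates. The two conditions should agree, and the new layout is the safer default: either `when: ansible_distribution_release != 'focal'` on the directory task, or invert the ternary to `'/etc/network/iptables/rules_v4' if ansible_distribution_release == 'xenial' else '/etc/iptables/rules.v4'` (and likewise for v6). The same path expression is now spelled out in three places across this file and the app handlers; lifting it into per-release vars, a pattern `vars/Ubuntu_focal.yml` already uses, would leave one place to change. The directory task's definition starts above the hunk.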