diff --git a/defaults/main.yml b/defaults/main.yml
index ec820a20..343845d8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -61,6 +61,9 @@ lxc_net_gateway: null ## if null, no gateway will be on the LXC bridge. lxc_net
 # lxc container nat enabled
 lxc_net_nat: true ## If "true", nat rules will be created with the lxc network.
 
+# Enable iptables for lxc network
+lxc_net_manage_iptables: true ## If "true" iptables rules will be added when the bridge is up and deleted when bridge is down
+
 # lxc container dhcp settings
 lxc_net_dhcp_range: 10.0.3.2,10.0.3.253
 lxc_net_dhcp_max: 253
diff --git a/releasenotes/notes/lxc_net_manage_iptables-95e52387dcef0015.yaml b/releasenotes/notes/lxc_net_manage_iptables-95e52387dcef0015.yaml
new file mode 100644
index 00000000..2cc4015a
--- /dev/null
+++ b/releasenotes/notes/lxc_net_manage_iptables-95e52387dcef0015.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - The variable ``lxc_net_manage_iptables`` has been added. This variable
+    can be overridden by deployers if system wide iptables rules are already
+    in place or managed by deployers chioce.
diff --git a/templates/lxc-net-bridge.cfg.j2 b/templates/lxc-net-bridge.cfg.j2
index e376ef17..5505833e 100644
--- a/templates/lxc-net-bridge.cfg.j2
+++ b/templates/lxc-net-bridge.cfg.j2
@@ -12,9 +12,13 @@ iface {{ lxc_net_bridge }} inet static
 {% endif %}
 {% if lxc_net_nat | bool %}
 # dnsmasq start and stop
+{% if lxc_net_manage_iptables | bool %}
 post-up /usr/local/bin/lxc-system-manage iptables-create
+{% endif %}
 post-up /usr/local/bin/lxc-system-manage dnsmasq-start || true
+{% if lxc_net_manage_iptables | bool %}
 post-down /usr/local/bin/lxc-system-manage iptables-remove
+{% endif %}
 post-down /usr/local/bin/lxc-system-manage dnsmasq-stop
 {% endif %}
 bridge_fd 0
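Review bot: The inline note on the context line just above the new variable, `lxc_net_nat: true ## If "true", nat rules will be created with the lxc network.`, is no longer accurate once `lxc_net_manage_iptables` exists, because the bridge template changed in the same commit only emits the `iptables-create`/`iptables-remove` hooks when both variables are true. Update it to `lxc_net_nat: true ## If "true", nat rules will be created with the lxc network (only when lxc_net_manage_iptables is also "true").` so a deployer reading the defaults sees the dependency. The new variable's own comment should also say what is expected when it is set to false, in the wording the release note already uses: `## If "true" iptables rules will be added when the bridge is up and removed when it goes down; set to false only if equivalent system-wide rules are already in place.`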
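Review bot: The existing `# dnsmasq start and stop` comment now sits directly above the new `{% if lxc_net_manage_iptables | bool %}` guard, so the rendered interfaces file gives no hint why the iptables hooks may be missing; add a line inside the first new block such as `# iptables rules are managed by this role only when lxc_net_manage_iptables is true`. When the variable is false nothing in this template replaces `iptables-create`, so the bridge comes up with only whatever rules the host already has — those presumably include the NAT and forwarding rules the containers depend on, so the role documentation should state that the deployer takes over that responsibility. As a style point, the two guards are kept separate rather than merged because the post-up/post-down ordering relative to the dnsmasq hooks matters; a short comment saying so would stop a later cleanup from combining them. The enclosing `iface {{ lxc_net_bridge }} inet static` stanza begins before this hunk.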