diff --git a/dev/functions b/dev/functions
index 3634175c4a533cc491ba42751e34e8ad133df883..347a556325aad36fbc5f595fa51ccb6724c0e664 100644
--- a/dev/functions
+++ b/dev/functions
@@ -664,13 +664,13 @@ function configure_iptables {
     sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
     # open ironic API on baremetal network
     sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
-    # allow IPA to connect to ironic API
-    sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
-    # allow IPA to connect to ironic inspector
-    sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
-    # Docker CE has added a default DROP policy to the FORWARD chain. Allow
-    # DHCP packets to be forwarded across the bridge.
-    sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
+
+    # Docker CE has added a default DROP policy to the FORWARD chain.
+    # When nova-compute runs on the controller, kolla ansible sets the
+    # net.bridge.bridge-nf-call-iptables sysctl to 1, which causes iptables to
+    # process frames forwarded across bridges. Forward all frames on the main
+    # bridge, breth1.
+    sudo iptables -A FORWARD -i breth1 -j ACCEPT || true
 
     # agent ramdisk gets instance image from swift
     sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
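Review bot: The replacement rule `-A FORWARD -i breth1 -j ACCEPT` is wider than the comment above it describes: it accepts every forwarded packet whose ingress interface is breth1, including traffic routed off the bridge to any other interface, whereas the stated intent is only frames forwarded across the bridge itself; scoping the egress too, `sudo iptables -I FORWARD -i breth1 -o breth1 -j ACCEPT || true`, matches the comment and keeps the host from becoming a general router for the baremetal network. Using `-I` would also keep this rule consistent with every other rule in this function and place it ahead of whatever Docker has already appended to FORWARD; with `-A` it lands after any existing DROP or REJECT rules (for example ones a user adds to DOCKER-USER), which may silently make it ineffective. Since the removed rules were port-scoped (ironic API, inspector, DHCP 67:68) and the new one is not, it is worth stating in the comment that the widening is deliberate, along with why the rule is added unconditionally when the text says it is only needed when nova-compute runs on the controller. configure_iptables begins before this hunk and continues after it.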