diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index e8ae8590e06e1a969f4c4bfdb340f9b33cdefe6b..e66eba2c6e55291af287b1a21fe32dbffcb0f6a7 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"
 
 ####################
 ## Kolla
diff --git a/ansible/roles/ironic/tasks/deploy.yml b/ansible/roles/ironic/tasks/deploy.yml
index 0d80b23c11d7c57d85356e6db6e7061141f12748..f4c0d8ca648808059f13f7b837ea3fd14cdccc53 100644
--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@@ -21,3 +21,20 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
+# The iptables Ansible module is not idempotent - it fails if the chain does
+# not exist, so use a command instead.
+- name: Flush and delete ironic-inspector iptables chain
+  become: true
+  command: iptables --{{ item }} ironic-inspector
+  register: ironic_inspector_chain
+  with_items:
+    - flush
+    - delete-chain
+  when: ironic_inspector_pxe_filter != 'iptables'
+  changed_when: ironic_inspector_chain.rc == 0
+  failed_when:
+    - ironic_inspector_chain.rc != 0
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
diff --git a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
index 9b0fad9e02e081245400dc7c81a0ec9c4b825e7b..99a8b66bb4f592d2d32a5bd3fa21752eebafd8d8 100644
--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@@ -4,5 +4,14 @@ features:
     Adds support for the `Ironic Inspector dnsmasq PXE filter
     <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
     that provides improved scalability over the default IPTables PXE filter.
-    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
-    ``dnsmasq``.
+    This is now used by default instead of the ``iptables`` PXE filter.
+    The ``iptables`` filter can be enabled by setting
+    ``ironic_inspector_pxe_filter`` to ``iptables``.
+upgrade:
+  - |
+    The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
+    than ``iptables``.  This change has been made to work around an issue
+    introduced by moving to Docker CE, where the daemon sets the default
+    policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
+    interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
+    packets from bare metal nodes to get dropped, which prevents provisioning.