diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml
index 83f47e6b62..2314190b2e 100644
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/afsdb.yaml b/playbooks/group_vars/afsdb.yaml
index 83f47e6b62..2314190b2e 100644
--- a/playbooks/group_vars/afsdb.yaml
+++ b/playbooks/group_vars/afsdb.yaml
@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/all.yaml b/playbooks/group_vars/all.yaml
index a66b58e0ad..292b3507c4 100644
--- a/playbooks/group_vars/all.yaml
+++ b/playbooks/group_vars/all.yaml
@@ -17,6 +17,17 @@ iptables_base_allowed_hosts: iptables_extra_allowed_hosts: [] iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
+iptables_base_public_tcp_ports: []
+iptables_extra_public_tcp_ports: []
+# iptables_test_public_tcp_ports is here only to allow the test
+# framework to inject an iptables rule to allow zuul console
+# streaming. Do not use it otherwise.
+iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
+
+iptables_base_public_udp_ports: []
+iptables_extra_public_udp_ports: []
+iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:
diff --git a/playbooks/group_vars/eavesdrop.yaml b/playbooks/group_vars/eavesdrop.yaml
index afaf3290b0..2ff4864007 100644
--- a/playbooks/group_vars/eavesdrop.yaml
+++ b/playbooks/group_vars/eavesdrop.yaml
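Review bot: The composite `iptables_public_tcp_ports` defined here is replaced, not merged, by any group or host file that still assigns `iptables_public_tcp_ports` or `iptables_public_udp_ports` directly, because more specific group_vars override all.yaml; such a host silently loses the base list and, on test nodes, the 19885 console port, with no error from Ansible. The ns.yaml hunk in this same change (old key `iptables_public_ports`) shows how a key name can drift unnoticed, so the rename deserves a guard: a comment above the new block such as `# Do not assign iptables_public_*_ports in group or host vars; put ports in iptables_extra_public_*_ports so the base and test lists are kept.` plus a test that no file under playbooks/group_vars other than all.yaml defines those two keys. The same check should cover `iptables_test_public_tcp_ports`, since the comment asks that it not be used elsewhere but nothing enforces that.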
@@ -1,2 +1,2 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
diff --git a/playbooks/group_vars/firehose.yaml b/playbooks/group_vars/firehose.yaml
index a4cb95ce0f..4bfb2382b1 100644
--- a/playbooks/group_vars/firehose.yaml
+++ b/playbooks/group_vars/firehose.yaml
@@ -17,7 +17,7 @@ exim_transports:
 socket = /var/run/cyrus/socket/lmtp
 user = cyrus
 batch_max = 35
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 25
 - 80
 - 443
diff --git a/playbooks/group_vars/gerrit.yaml b/playbooks/group_vars/gerrit.yaml
index 124327e5ae..477b3d450e 100644
--- a/playbooks/group_vars/gerrit.yaml
+++ b/playbooks/group_vars/gerrit.yaml
@@ -2,7 +2,7 @@ exim_extra_aliases:
 gerrit2: root
 iptables_rules:
 - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 443
 - 29418
diff --git a/playbooks/group_vars/git-loadbalancer.yaml b/playbooks/group_vars/git-loadbalancer.yaml
index 8edb0426ae..3baea5cb13 100644
--- a/playbooks/group_vars/git-loadbalancer.yaml
+++ b/playbooks/group_vars/git-loadbalancer.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 443
 - 9418
diff --git a/playbooks/group_vars/git-server.yaml b/playbooks/group_vars/git-server.yaml
index 775ba85f5e..2d5a84276c 100644
--- a/playbooks/group_vars/git-server.yaml
+++ b/playbooks/group_vars/git-server.yaml
@@ -1,5 +1,5 @@
 ansible_python_interpreter: python2
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 4443
 - 8080
 - 29418
diff --git a/playbooks/group_vars/kdc.yaml b/playbooks/group_vars/kdc.yaml
index d9245cb1d8..33fc460c88 100644
--- a/playbooks/group_vars/kdc.yaml
+++ b/playbooks/group_vars/kdc.yaml
@@ -1,9 +1,9 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 88
 - 464
 - 749
 - 754
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
 - 88
 - 464
 - 749
diff --git a/playbooks/group_vars/logstash.yaml b/playbooks/group_vars/logstash.yaml
index 0a1a59002e..2ecc468fb5 100644
--- a/playbooks/group_vars/logstash.yaml
+++ b/playbooks/group_vars/logstash.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 3306
 iptables_extra_allowed_hosts:
diff --git a/playbooks/group_vars/mailman.yaml b/playbooks/group_vars/mailman.yaml
index 127111ce1b..a3a089e0d7 100644
--- a/playbooks/group_vars/mailman.yaml
+++ b/playbooks/group_vars/mailman.yaml
@@ -2,7 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 25
 - 80
 - 465
diff --git a/playbooks/group_vars/mirror.yaml b/playbooks/group_vars/mirror.yaml
index 3e696348c4..ec2b85c27c 100644
--- a/playbooks/group_vars/mirror.yaml
+++ b/playbooks/group_vars/mirror.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 8080
 - 8081
diff --git a/playbooks/group_vars/ns.yaml b/playbooks/group_vars/ns.yaml
index 2dc09d9b08..416da9c806 100644
--- a/playbooks/group_vars/ns.yaml
+++ b/playbooks/group_vars/ns.yaml
@@ -1,2 +1,4 @@
-iptables_public_ports:
+iptables_extra_public_tcp_ports:
+ - 53
+iptables_extra_public_udp_ports:
 - 53
diff --git a/playbooks/group_vars/pbx.yaml b/playbooks/group_vars/pbx.yaml
index 827e00a387..5e59086bac 100644
--- a/playbooks/group_vars/pbx.yaml
+++ b/playbooks/group_vars/pbx.yaml
@@ -1,7 +1,7 @@
 # SIP signaling is either TCP or UDP port 5060.
 # RTP media (audio/video) uses a range of UDP ports.
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 5060
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
 - 5060
 - 10000:20000
diff --git a/playbooks/group_vars/webservers.yaml b/playbooks/group_vars/webservers.yaml
index 418fca0b98..c216395298 100644
--- a/playbooks/group_vars/webservers.yaml
+++ b/playbooks/group_vars/webservers.yaml
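Review bot: The ns.yaml hunk is a firewall change rather than the rename the other hunks on this line make: the removed key is `iptables_public_ports`, which matches neither `iptables_public_tcp_ports` nor `iptables_public_udp_ports`, so if the iptables role never read that name these hosts had no public port 53 rule until now and this change opens 53/tcp and 53/udp for the first time. That is presumably intended for a nameserver, but it should be stated in the commit message and pinned by a testinfra assertion for the two 53 ACCEPT rules on the ns group, in the style of the existing 19885 check in testinfra/test_base.py. If the old name was consumed somewhere not shown here, only the commit message note applies.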
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 22
 - 80
 - 443
diff --git a/playbooks/group_vars/zuul-executor.yaml b/playbooks/group_vars/zuul-executor.yaml
index 999385d702..2d320ec06b 100644
--- a/playbooks/group_vars/zuul-executor.yaml
+++ b/playbooks/group_vars/zuul-executor.yaml
@@ -1,3 +1,3 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 79
 - 7900
diff --git a/playbooks/group_vars/zuul-scheduler.yaml b/playbooks/group_vars/zuul-scheduler.yaml
index b78de230c2..530a8997d7 100644
--- a/playbooks/group_vars/zuul-scheduler.yaml
+++ b/playbooks/group_vars/zuul-scheduler.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 79
 - 80
 - 443
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index f1caf79f96..6c1a87da10 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -36,6 +36,7 @@
 bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
 bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
 bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
+ iptables_test_public_tcp_ports: [19885]
 template:
 src: "templates/{{ item }}.j2"
 dest: "/etc/ansible/hosts/{{ item }}"
diff --git a/playbooks/zuul/templates/group_vars/all.yaml.j2 b/playbooks/zuul/templates/group_vars/all.yaml.j2
index 42d75091d7..1f077ff3f9 100644
--- a/playbooks/zuul/templates/group_vars/all.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
 bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
+iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 6ecdb76452..d660a5242c 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
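Review bot: The added `iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}` line in all.yaml.j2 is rendered unconditionally, so with Ansible's default undefined-variable handling any run of this template that does not pass the variable fails at render time instead of reaching the `|default([])` fallback in playbooks/group_vars/all.yaml; the `{% endif %}` context line shows the neighbouring bastion_ipv6 value is already guarded. Wrapping the new line as `{% if iptables_test_public_tcp_ports is defined %}` / `iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}` / `{% endif %}` keeps the test-only hook out of any rendered inventory that did not ask for it, which is what the "do not use it otherwise" note in all.yaml intends. The run-base.yaml hunk on this line is the only place that sets it, as the constant `[19885]`, so the rendered value is the Python list repr, which YAML reads as a flow sequence.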
@@ -75,11 +75,10 @@ def test_iptables(host): reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited' assert reject in rules - # Make sure that the zuul console stream rule has been removed - # from the test node + # Make sure that the zuul console stream rule is still present zuul = ('-A openstack-INPUT -p tcp -m state --state NEW' ' -m tcp --dport 19885 -j ACCEPT') - assert zuul not in rules + assert zuul in rules # Ensure all IPv4 addresses for cacti are allowed for ip in get_ips('cacti.openstack.org', socket.AF_INET):
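Review bot: Flipping `assert zuul not in rules` to `assert zuul in rules` removes the only check that the 19885 console-stream ACCEPT cannot leak into the production rule set; the test now proves the injected port is present on the test node, but nothing would catch a stray `iptables_test_public_tcp_ports` in the repo's own group_vars, which would open that port on every host the playbooks manage. The guard is worth keeping in another form, for example a test that no file under playbooks/group_vars sets `iptables_test_public_tcp_ports`, and the new comment should say why the rule is expected here: `# 19885 is present only because playbooks/zuul/run-base.yaml injects it via iptables_test_public_tcp_ports; it must never come from repo group_vars`. test_iptables continues past the end of this hunk.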