diff --git a/.gitignore b/.gitignore
index b1a6de71d..9b7e34874 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,7 +12,6 @@ build
 eggs
 parts
 bin
-var
 sdist
 develop-eggs
 .installed.cfg
diff --git a/elements/undercloud-stack-config/os-apply-config/var/opt/undercloud-stack/masquerade b/elements/undercloud-stack-config/os-apply-config/var/opt/undercloud-stack/masquerade
new file mode 100644
index 000000000..9481021f3
--- /dev/null
+++ b/elements/undercloud-stack-config/os-apply-config/var/opt/undercloud-stack/masquerade
@@ -0,0 +1,22 @@
+# In case this script crashed or was interrupted earlier, flush, unlink and
+# delete the temp chain.
+iptables -t nat -F BOOTSTACK_MASQ_NEW || true
+iptables -t nat -D POSTROUTING -j BOOTSTACK_MASQ_NEW || true
+iptables -t nat -X BOOTSTACK_MASQ_NEW || true
+iptables -t nat -N BOOTSTACK_MASQ_NEW
+# Build the chain we want.
+{{#bootstack.masquerade_networks}}
+NETWORK={{.}}
+# Workaround iptables not permitting two -d parameters in one call.
+iptables -t nat -A BOOTSTACK_MASQ_NEW -s $NETWORK -d 192.168.122.1 -j RETURN
+iptables -t nat -A BOOTSTACK_MASQ_NEW -s $NETWORK ! -d $NETWORK -j MASQUERADE
+{{/bootstack.masquerade_networks}}
+# Link it in.
+iptables -t nat -I POSTROUTING -j BOOTSTACK_MASQ_NEW
+# Delete the old chain if present.
+iptables -t nat -F BOOTSTACK_MASQ || true
+iptables -t nat -D POSTROUTING -j BOOTSTACK_MASQ || true
+iptables -t nat -X BOOTSTACK_MASQ || true
+# Rename the new chain into permanence.
+iptables -t nat -E BOOTSTACK_MASQ_NEW BOOTSTACK_MASQ
+
diff --git a/elements/undercloud-stack-config/os-refresh-config/post-configure.d/80-seedstack-masquerade b/elements/undercloud-stack-config/os-refresh-config/post-configure.d/80-seedstack-masquerade
new file mode 100755
index 000000000..09dff27df
--- /dev/null
+++ b/elements/undercloud-stack-config/os-refresh-config/post-configure.d/80-seedstack-masquerade
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eux
+
+RULES_SCRIPT=/var/opt/undercloud-stack/masquerade
+
+. $RULES_SCRIPT
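Review bot: `NETWORK={{.}}` and the unquoted `$NETWORK` in the two `-A BOOTSTACK_MASQ_NEW` rules place a metadata-supplied value directly into a file that the post-configure hook sources as root, so a value containing whitespace or shell metacharacters would be interpreted by the shell instead of reaching iptables as one argument. Single-quoting the assignment (`NETWORK='{{.}}'`) narrows this only if the renderer escapes or rejects `'` in values, which is not visible in this diff. A format check right after the assignment, e.g. `case "$NETWORK" in ''|*[!0-9./]*) echo "invalid masquerade network" >&2; exit 1;; esac`, together with `-s "$NETWORK"` and `! -d "$NETWORK"`, would fail closed on anything that is not an IPv4 address or CIDR. The hard-coded `192.168.122.1` in the RETURN rule also needs a comment stating which host it is and why traffic to it is exempt from masquerading.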
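Review bot: `. $RULES_SCRIPT` executes the rendered file inside this root shell without first checking that it is a regular file owned by root, so anything able to write `/var/opt/undercloud-stack/masquerade` gets its content run as root on the next refresh. A guard before the source line such as `[[ -f "$RULES_SCRIPT" && -O "$RULES_SCRIPT" ]] || { echo "refusing to source $RULES_SCRIPT" >&2; exit 1; }`, plus quoting the path as `. "$RULES_SCRIPT"`, makes that trust assumption explicit. The mode the renderer assigns to the output file is not shown here, so it is worth confirming it is not group- or world-writable.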