diff --git a/bundles/iptables/files/iptables-enforce b/bundles/iptables/files/iptables-enforce
deleted file mode 100644
index ea7a206..0000000
--- a/bundles/iptables/files/iptables-enforce
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-% if not node.metadata.get('iptables/enabled', True):
-exit 0
-% endif
-
-lock_try=0
-while ! mkdir /run/bw-iptables.lock >/dev/null 2>&1
-do
-    ((lock_try++))
-    if (( lock_try == 10 ))
-    then
-        echo 'FATAL: iptables-enforce: Could not get lock!' >&2
-        exit 1
-    fi
-    sleep 1
-done
-trap 'rmdir /run/bw-iptables.lock' EXIT
-
-iptables_both()
-{
-    iptables "$@"
-    ip6tables "$@"
-}
-
-iptables_both -P INPUT DROP
-iptables_both -P OUTPUT ACCEPT
-iptables_both -P FORWARD DROP
-iptables_both -F
-iptables_both -X
-iptables_both -t nat -F
-iptables_both -t nat -X
-iptables_both -t nat -Z
-iptables_both -t filter -F
-iptables_both -t filter -X
-iptables_both -t filter -Z
-iptables_both -t mangle -F
-iptables_both -t mangle -X
-iptables_both -t mangle -Z
-
-# Workaround for CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
-# https://www.openwall.com/lists/oss-security/2019/06/17/5
-# https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html
-iptables_both -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-
-# Dummy rules to make sure the conntrack table(s) will be updated.
-iptables_both -I INPUT -m state --state NEW,ESTABLISHED,RELATED
-iptables_both -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED
-iptables_both -I FORWARD -m state --state NEW,ESTABLISHED,RELATED
-
-# open up local loopback
-iptables_both -A INPUT -i lo -j ACCEPT
-
-# Set Up counting rules
-% for ip in sorted(ipv4):
-iptables -A INPUT -d ${ip}
-iptables -A OUTPUT -s ${ip}
-% endfor
-
-% for ip in sorted(ipv6):
-ip6tables -A INPUT -d ${ip}
-ip6tables -A OUTPUT -s ${ip}
-% endfor
-
-iptables -A INPUT -p ICMP --icmp-type timestamp-request -j DROP
-iptables -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP
-# allow ICMP -- answers for IPv4 are covered by conntrack
-iptables -A INPUT -p icmp -j ACCEPT
-
-# ICMP6 is used for so many things, we should under no circumstances
-# ignore it and thus should not rely on any conntrack heuristics.
-ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
-
-# Allow incoming answers. Install this first (before the larger ruleset
-# from /etc/network/iptables-rules.d/), so that iptables can match/exit
-# early.
-iptables_both -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-shopt -s nullglob
-for i in /etc/iptables-rules.d/*
-do
-    . "$i"
-done
-
-cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -
diff --git a/bundles/iptables/files/iptables-enforce.service b/bundles/iptables/files/iptables-enforce.service
deleted file mode 100644
index 6eeac90..0000000
--- a/bundles/iptables/files/iptables-enforce.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Run iptables-enforce after networkd startup
-Requires=network-online.target
-After=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/sbin/iptables-enforce
-
-[Install]
-WantedBy=multi-user.target
diff --git a/bundles/iptables/items.py b/bundles/iptables/items.py
deleted file mode 100644
index 7e9a647..0000000
--- a/bundles/iptables/items.py
+++ /dev/null
@@ -1,66 +0,0 @@
-directories = {
-    '/etc/iptables-rules.d': {
-        'purge': True,
-        'triggers': {
-            'action:iptables_enforce',
-        },
-    },
-}
-
-files = {
-    '/etc/systemd/system/iptables-enforce.service': {
-        'triggers': {
-            'action:systemd-reload',
-        },
-    },
-    '/usr/local/sbin/iptables-enforce': {
-        'content_type': 'mako',
-        'context': repo.libs.tools.resolve_identifier(repo, node.name),
-        'mode': '0700',
-        'triggers': {
-            'action:iptables_enforce',
-        },
-    },
-}
-
-enforce_deps = {
-    'directory:/etc/iptables-rules.d',
-    'file:/usr/local/sbin/iptables-enforce',
-}
-
-for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
-    files[f'/etc/iptables-rules.d/20-{bundle}'] = {
-        # We must never use sorted() here. Bundles might rely on their order.
-        'content': '\n'.join(rules) + '\n',
-        'triggers': {
-            'action:iptables_enforce',
-        },
-    }
-    enforce_deps.add(f'file:/etc/iptables-rules.d/20-{bundle}')
-
-if 'custom_rules' in node.metadata.get('iptables', {}):
-    files['/etc/iptables-rules.d/40-custom'] = {
-        'content': '\n'.join(node.metadata['iptables']['custom_rules']) + '\n',
-        'triggers': {
-            'action:iptables_enforce',
-        },
-    }
-    enforce_deps.add('file:/etc/iptables-rules.d/40-custom')
-
-
-actions = {
-    'iptables_enforce': {
-        'command': '/usr/local/sbin/iptables-enforce',
-        'triggered': True,
-        'needs': enforce_deps,
-    },
-}
-
-svc_systemd = {
-    'iptables-enforce': {
-        'running': None,
-        'needs': {
-            'file:/etc/systemd/system/iptables-enforce.service',
-        },
-    },
-}
diff --git a/bundles/iptables/metadata.py b/bundles/iptables/metadata.py
deleted file mode 100644
index e5615a0..0000000
--- a/bundles/iptables/metadata.py
+++ /dev/null
@@ -1,61 +0,0 @@
-from bundlewrap.exceptions import BundleError
-
-defaults = {
-    'pacman': {
-        'packages': {
-            'iptables': {},
-        },
-    },
-}
-
-@metadata_reactor.provides(
-    'iptables/bundle_rules/iptables',
-)
-def port_rules_to_iptables(metadata):
-    # Using this, bundles can simply set up port based rules. This
-    # reactor will then take care of converting those rules to actual
-    # iptables rules
-    ruleset = set()
-
-    # Plese note we do not set any defaults for ports. Bundles are
-    # expected to know themselves which default to use.
-    for portdef, targets in metadata.get('iptables/port_rules', {}).items():
-        if '/' in portdef:
-            port, proto = portdef.split('/', 2)
-
-            if proto not in {'udp'}:
-                raise BundleError(f'iptables/port_rules: illegal identifier {portdef} in metadata for {node.name}')
-        else:
-            port = portdef
-            proto = 'tcp'
-
-        for target in targets:
-            if port == '*' and target == '*':
-                raise BundleError('iptables/port_rules: setting both port and target to * is unsupported')
-
-            comment = f'-m comment --comment "iptables port_rules {target}"'
-
-            if port != '*':
-                port_str = f'--dport {port}'
-            else:
-                port_str = ''
-
-            if target == '*':
-                ruleset.add(f'iptables_both -A INPUT -p {proto} {port_str} {comment} -j ACCEPT')
-            else:
-                resolved = repo.libs.tools.resolve_identifier(repo, target)
-
-                for address in resolved['ipv4']:
-                    ruleset.add(f'iptables -A INPUT -p {proto} -s {address} {port_str} {comment} -j ACCEPT')
-
-                for address in resolved['ipv6']:
-                    ruleset.add(f'ip6tables -A INPUT -p {proto} -s {address} {port_str} {comment} -j ACCEPT')
-
-    return {
-        'iptables': {
-            'bundle_rules': {
-                # order does not matter here.
-                'iptables': list(sorted(ruleset)),
-            },
-        },
-    }