diff --git a/inventory/builders b/inventory/builders
index 909c684622..956d794748 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -448,6 +448,35 @@ buildvm-x86-riscv02.iad2.fedoraproject.org
 [buildvm_x86_riscv_rdu3]
+[builders_iad2:children]
+buildvm_iad2
+buildvm_aarch64_iad2
+buildhw_iad2
+buildvm_ppc64le_iad2
+buildvm_x86_riscv_iad2
+
+[builders_iad2_stg:children]
+buildvm_stg_iad2
+buildvm_aarch64_stg_iad2
+buildvm_ppc64le_stg_iad2
+
+[builders_rdu3:children]
+buildvm_rdu3
+buildvm_aarch64_rdu3
+buildhw_rdu3
+buildvm_ppc64le_rdu3
+buildvm_x86_riscv_rdu3
+
+[builders_iad2_stg:children]
+buildvm_stg_iad2
+buildvm_aarch64_stg_iad2
+buildvm_ppc64le_stg_iad2
+
+[builders_rdu3_stg:children]
+buildvm_stg_rdu3
+buildvm_aarch64_stg_rdu3
+buildvm_ppc64le_stg_rdu3
+
 [builders:children]
 buildhw
 buildvm
diff --git a/roles/base/templates/nftables/nftables.kojibuilder b/roles/base/templates/nftables/nftables.kojibuilder
index dbdbfd1412..79f7096367 100644
--- a/roles/base/templates/nftables/nftables.kojibuilder
+++ b/roles/base/templates/nftables/nftables.kojibuilder
@@ -55,6 +55,7 @@ add rule ip filter OUTPUT ip daddr 10.3.169.106 tcp dport 80 counter accept
 add rule ip filter OUTPUT ip daddr 10.3.169.107 tcp dport 80 counter accept
 {% endif %}
+{% if host in groups['builders_iad2'] %}
 # tang for buildhw
 add rule ip filter OUTPUT ip daddr 10.3.163.37 tcp dport 80 counter accept
 add rule ip filter OUTPUT ip daddr 10.3.163.38 tcp dport 80 counter accept
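Review bot: In inventory/builders, `[builders_iad2_stg:children]` is added twice with the same three children, once after `[builders_iad2:children]` and again after `[builders_rdu3:children]`. The second copy looks like a paste leftover and should be dropped, so that a later edit to only one copy cannot leave the group's membership unclear. Because membership in these groups now decides which firewall rules a builder receives, a comment above them would help, e.g. `# per-datacenter builder groups; nftables.kojibuilder selects firewall rules by these`.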
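Review bot: In nftables.kojibuilder, the new guard `{% if host in groups['builders_iad2'] %}` tests a variable named `host`, while the other visible condition in this template (the s390x check in the next hunk) uses `inventory_hostname`. Nothing in this diff defines `host`, so unless it is set elsewhere the render is likely to fail on an undefined variable, or the test never matches and the builder loses its DNS, rsyslog and SSH rules. `{% if inventory_hostname in groups['builders_iad2'] %}` is the safe form. The same applies to `{% if host in groups['builders_rdu3'] %}` in the next hunk, where the block opened here is also closed.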
@@ -78,6 +79,32 @@ add rule ip filter OUTPUT ip daddr 10.3.163.39 tcp dport 514 counter accept
 # SSH
 add rule ip filter INPUT ip saddr 10.3.160.0/19 tcp dport 22 counter accept
 add rule ip filter OUTPUT ip daddr 10.3.160.0/19 tcp sport 22 counter accept
+{% endif %}
+{% if host in groups['builders_rdu3'] %}
+# tang for buildhw
+add rule ip filter OUTPUT ip daddr 10.16.163.37 tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.163.38 tcp dport 80 counter accept
+
+# DNS
+add rule ip filter OUTPUT ip daddr 10.16.163.33 udp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.163.33 tcp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.163.34 udp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.163.34 tcp dport 53 counter accept
+
+# bastion smtp
+add rule ip filter OUTPUT ip daddr 10.16.163.31 tcp dport 25 counter accept
+
+# infra.fp.o
+add rule ip filter OUTPUT ip daddr 10.16.163.35 tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.163.35 tcp dport 443 counter accept
+
+# rsyslog out to log01
+add rule ip filter OUTPUT ip daddr 10.16.163.39 tcp dport 514 counter accept
+
+# SSH
+add rule ip filter INPUT ip saddr 10.16.160.0/19 tcp dport 22 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.160.0/19 tcp sport 22 counter accept
+{% endif %}
 {% if inventory_hostname.startswith (('buildvm-s390x-11', 'buildvm-s390x-12', 'buildvm-s390x-13')) %}
 # Allow SSHFS binding to koji01
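Review bot: A builder that is in neither `builders_iad2` nor `builders_rdu3` now gets none of the tang, DNS, bastion SMTP, rsyslog or SSH rules, which were unconditional before this change. The staging groups `builders_iad2_stg` and `builders_rdu3_stg` added to the inventory are not referenced in the visible hunks, so staging builders appear to fall into that gap unless they also belong to the production groups, which would leave them without log forwarding to log01 and without inbound SSH for management. Extending each condition would cover them, e.g. `{% if inventory_hostname in groups['builders_rdu3'] or inventory_hostname in groups['builders_rdu3_stg'] %}`. The RDU3 addresses are the IAD2 ones with only the second octet changed, so each should be confirmed against the actual RDU3 hosts before this allow-list is deployed.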