diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml
index 6ccab57..344ecc8 100644
--- a/roles/base/tasks/RedHat.yml
+++ b/roles/base/tasks/RedHat.yml
@@ -8,11 +8,20 @@
     name: "{{ role }}"
   with_items:
     - selinux        # selinux first to get fcontexts working
-    - iptables
     - rsyslog
   loop_control:
     loop_var: role
 
+- name: install firewall
+  ansible.builtin.include_role:
+    name: iptables
+  when: ansible_distribution_major_version|int <= 8
+
+- name: install firewall
+  ansible.builtin.include_role:
+    name: nftables
+  when: ansible_distribution_major_version|int >= 9
+
 - name: fix selinux context from /export
   community.general.sefcontext:
     path: "/export"