OSP 7 does not configure iptables or any other firewall on the overcloud bare metal nodes. It is recommended that the provisioning network be protected with an Access Control List (ACL) that allows outbound traffic from the overcloud nodes for DNS, NTP, and updates, but that inbound access be limited.
Since the provisioning network is typically the only routed data path for the compute nodes and storage nodes, this will ensure that the compute and storage nodes are protected.
Customers may also wish to configure firwalls for the controller nodes, in order to limit access to the Public APIs. This can be done with either with a firewall in the data path above the controller nodes, or iptables may be configured on the controllers after deployment.