system-config/playbooks/roles/iptables/templates/rules.v4.j2

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
:openstack-OUTPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host ingress rules
{% for rule in iptables_rules_v4 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_a -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
{% for group in iptables_allowed_groups -%}
{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v4') -%}
{% if addr -%}
-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
{% endif -%}
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
# Egress filtering
-A OUTPUT -j openstack-OUTPUT
# Per-host egress rules
{% for rule in iptables_egress_rules_v4 -%}
-A openstack-OUTPUT {{ rule }}
{% endfor -%}
COMMIT