# IPv6 filter-table ruleset in ip6tables-restore format (the rules match on
# icmpv6 and reject with icmp6-adm-prohibited). One directive per line.
*filter
# Built-in chain policies; [0:0] are the packet/byte counters.
# INPUT's policy is ACCEPT, but every inbound packet is sent to openstack-INPUT,
# which ends in an unconditional REJECT, so inbound is effectively default-deny.
# NOTE(review): that default-deny depends on the jump and the final REJECT being
# present; if openstack-INPUT were ever flushed, the ACCEPT policy would apply.
:INPUT ACCEPT [0:0]
# Forwarded traffic is dropped by policy; no FORWARD rules are defined.
:FORWARD DROP [0:0]
# OUTPUT's policy is ACCEPT: anything openstack-OUTPUT does not reject is allowed.
:OUTPUT ACCEPT [0:0]
# User-defined chains ("-" = no policy; falling off the end returns to the caller).
:openstack-INPUT - [0:0]
:openstack-OUTPUT - [0:0]
# Hand all inbound traffic to the openstack-INPUT chain.
-A INPUT -j openstack-INPUT
# Loopback traffic is always accepted.
-A openstack-INPUT -i lo -j ACCEPT
# Every ICMPv6 type is accepted from any source. IPv6 needs ICMPv6 for neighbour
# discovery and path-MTU discovery, so this must not simply be removed.
# NOTE(review): confirm that accepting all types, without a rate limit, is intended.
-A openstack-INPUT -p icmpv6 -j ACCEPT
# Replies to, and traffic related to, connections that are already tracked.
# NOTE(review): "-m state" is the older match; "-m conntrack --ctstate" is its
# successor. Left unchanged here.
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
# NOTE(review): the services behind 19885 and 4444 are not identified in this
# file; confirm both still need to be reachable from any source address.
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 4444 -j ACCEPT
# Public UDP ports
# (none defined)
# Per-host ingress rules
# UDP 161 (the SNMP agent port) is accepted from this single source address only.
# NOTE(review): the source-address match is the only control visible here;
# confirm the SNMP agent's own authentication settings separately.
-A openstack-INPUT -m udp -p udp -s 2001:4800:7821:105:be76:4eff:fe04:b9a5 --dport 161 -j ACCEPT
# Catch-all: everything not accepted above is rejected with an ICMPv6
# "administratively prohibited" error. Rules appended after this line never match.
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Egress filtering
-A OUTPUT -j openstack-OUTPUT
# Per-host egress rules
# Loopback is accepted first, so the port-25 reject below does not apply to
# connections made over lo.
-A openstack-OUTPUT -o lo -j ACCEPT
# Reject new outbound TCP connections to port 25 (SMTP) with a TCP RST. The flag
# mask FIN,SYN,RST,ACK with only SYN set matches connection-opening segments.
# NOTE(review): presumably meant to stop this host sending mail directly; confirm.
# All other outbound traffic falls through to the OUTPUT policy (ACCEPT).
-A openstack-OUTPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
# Apply the table.
COMMIT