# iptables-restore ruleset. Each "*table" ... "COMMIT" section is loaded as a
# unit; only full-line "#" comments are permitted in this format.
*filter
# Chain policies. INPUT and OUTPUT default to ACCEPT, so any packet that is not
# matched by an explicit REJECT further down is let through. FORWARD is closed.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Peer hosts 10.8.122.36, .37, .38, .45, .46: unconditional ACCEPT in both
# directions, any protocol, any port. These five rules are evaluated before
# everything else in the chain, so they bypass all restrictions below.
# Presumably cluster/management peers - confirm against the deployment.
-A INPUT -s 10.8.122.36  -j ACCEPT
-A INPUT -s 10.8.122.37  -j ACCEPT
-A INPUT -s 10.8.122.45 -j ACCEPT
-A INPUT -s 10.8.122.46   -j ACCEPT
-A INPUT -s 10.8.122.38   -j ACCEPT
-A OUTPUT -d 10.8.122.36  -j ACCEPT
-A OUTPUT -d 10.8.122.37  -j ACCEPT
-A OUTPUT -d 10.8.122.45 -j ACCEPT
-A OUTPUT -d 10.8.122.46   -j ACCEPT
-A OUTPUT -d 10.8.122.38   -j ACCEPT

# Interface-wide ACCEPT for eth0, em1 and loopback. Because these precede the
# REJECT rules at the end of the chain, those REJECTs can only ever match
# traffic arriving on some other interface. Presumably eth0/em1 are trusted
# internal links - verify; if either faces an untrusted network this accepts
# everything on it.
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -i lo   -j ACCEPT

# Allowances for the remaining interfaces: new SSH connections, every ICMP type
# (no rate limit applied), and packets belonging to tracked connections.
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#VRRP multicast for keepalived
# Only the two director addresses may send to the VRRP group. There is no -p
# match, so any protocol from those sources to 224.0.0.18 is accepted; VRRP is
# IP protocol 112 ("-p 112") if this is to be tightened.
-A INPUT -d 224.0.0.18/32 -s 192.168.25.14/32 -j ACCEPT
-A INPUT -d 224.0.0.18/32 -s 192.168.25.15/32 -j ACCEPT
#IPVS connection syncing for keepalived
# Same source restriction as above, and likewise no protocol/port match.
-A INPUT -d 224.0.0.81/32 -s 192.168.25.14/32 -j ACCEPT
-A INPUT -d 224.0.0.81/32 -s 192.168.25.15/32 -j ACCEPT
#All connections for balanced IPs
# The VIP 192.168.25.16 accepts any protocol and port here; any per-service
# filtering for balanced traffic has to happen elsewhere (e.g. on the real
# servers), not in this chain.
-A INPUT -d 192.168.25.16/32 -j ACCEPT


# Explicit denies. Reached only by traffic not accepted above: arriving on an
# interface other than eth0/em1/lo, not from a peer host, not SSH/ICMP, not
# part of a tracked connection. Privileged ports 0-1024 are rejected for TCP
# and UDP, plus UDP 8649 (presumably a monitoring daemon - confirm).
# NOTE(review): everything else - TCP/UDP ports above 1024 and every other
# protocol - falls through to the INPUT policy, which is ACCEPT. A
# closed-by-default posture would set ":INPUT DROP" and rely on the ACCEPT
# rules alone; not changed here because it alters which services are reachable.
-A INPUT -p udp --dport 0:1024 -j REJECT
-A INPUT -p tcp --dport 0:1024 -j REJECT
-A INPUT -p udp --dport 8649   -j REJECT
COMMIT


# fwmark rules to avoid a packet storm when a host is both LVS director and
# real server under keepalived.
# Traffic for the VIP that arrives from the other director's MAC must be
# excluded from the set of packets that LVS balances, otherwise the two
# directors would keep handing the same packets back and forth.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only TCP/22 to the VIP 192.168.25.16 is marked, and only when the source MAC
# is NOT the other director's NIC (90:B1:1C:CB:BC:43). Mark 0x96 (150 decimal)
# is presumably the fwmark referenced by the keepalived virtual_server for this
# service - confirm against the keepalived config.
# NOTE(review): the mac match only sees the source MAC on the directly attached
# L2 segment, and a MAC is not an identity check. This rule is a loop-avoidance
# selector, not a trust boundary; if the other director's NIC is replaced the
# address here must be updated or balancing silently changes.
-A PREROUTING -d 192.168.25.16/32 -p tcp -m tcp --dport 22 -m mac ! --mac-source 90:B1:1C:CB:BC:43 -j MARK --set-xmark 0x96

COMMIT

