Firewall

The router host provides an iptables-based firewall that filters traffic for all the ACM public hosts. Generally it can be assumed that a listed publicly accessible host has been allowed access on TCP ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). Any additional TCP or UDP application ports that need to be opened for a given host can be configured by an ACM network admin on a per-request basis. All port-opening requests must include the protocol (TCP, UDP, or both) along with each individual port number.

How to Open a Port

Don't forget to save the new config with iptables-save > /etc/iptables/iptables.conf unless you are editing the config file directly.

First gather the list of ports you need on which protocol.

INPUT Chain

This allows the port to make it through the INPUT chain and on to forwarding.
This affects the INPUT chain for ALL network interfaces, although loopback is handled prior to this.
Use the -i <interface> flag to restrict the rule to one network interface.

Single Port

iptables -A <TCP|UDP> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT

Multiple Ports

iptables -A <TCP|UDP> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT

FORWARD Chain

If this interface has not yet been added to the list of interfaces allowed to forward packets between each other, you must first add it with:

iptables -A fw-interfaces -i <interface> -j ACCEPT

Afterwards, you can add the rules that forward ports to specific machines.

Single Port

iptables -A fw-open -d <x.x.x.x/32> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT

Multiple Ports

iptables -A fw-open -d <x.x.x.x/32> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT
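The INPUT and FORWARD steps above, combined into one helper that validates a port request before any rule is built (an added example written for this page, not a script from the ACM wiki or the router host). It assumes the chain layout the page describes (TCP/UDP chains for INPUT, fw-interfaces and fw-open for FORWARD); the function names are hypothetical, and it prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Added helper, not from the ACM wiki: builds the iptables commands the page
# describes for opening ports, validating the request first. It assumes the
# page's chain layout (custom TCP/UDP chains reached from INPUT, and the
# fw-interfaces / fw-open chains reached from FORWARD). Rules are printed,
# not applied; review them, then pipe into sh as root and run iptables-save.

# valid_port PORT -> succeeds if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ports LIST -> succeeds if every comma-separated entry is a valid port
valid_ports() {
    case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
    (
        IFS=,
        for p in $1; do valid_port "$p" || exit 1; done
    )
}

# open_rules PROTO PORTS [IFACE] [HOST]
#   PROTO: tcp or udp.  PORTS: one port, or a comma list (uses multiport).
#   IFACE: optional interface for the -i restriction the page mentions.
#   HOST:  optional IPv4 address of the machine behind the router; when given,
#          the FORWARD-side rules (fw-interfaces, fw-open with /32) are emitted too.
open_rules() {
    proto=$1 ports=$2 iface=$3 host=$4
    case "$proto" in
        tcp) chain=TCP ;;
        udp) chain=UDP ;;
        *)   echo "protocol must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    valid_ports "$ports" || { echo "bad port list: $ports" >&2; return 1; }
    case "$ports" in
        *,*) match="-m multiport --dports $ports" ;;
        *)   match="-m $proto --dport $ports" ;;
    esac
    echo "iptables -A $chain ${iface:+-i $iface }-p $proto $match -j ACCEPT"
    if [ -n "$host" ]; then
        [ -n "$iface" ] && echo "iptables -A fw-interfaces -i $iface -j ACCEPT"
        echo "iptables -A fw-open -d $host/32 -p $proto $match -j ACCEPT"
    fi
}
```

Running `open_rules tcp 443 eth0 10.0.0.5` (constructed values) prints the INPUT rule, the fw-interfaces rule and the fw-open rule in the order the page lists them; a bad protocol or an out-of-range port is rejected before anything is printed.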
network/firewall.1454621882.txt.gz · Last modified: 2021/05/02 21:36 (external edit)