diff --git a/patches/systemvm/debian/config/root/loadbalancer.sh b/patches/systemvm/debian/config/root/loadbalancer.sh
index adbd764ea8d..41ad4d34b2a 100755
--- a/patches/systemvm/debian/config/root/loadbalancer.sh
+++ b/patches/systemvm/debian/config/root/loadbalancer.sh
@@ -72,11 +72,33 @@ ip_entry() {
   
   return 0
 }
-
+fw_remove_backup() {
+  for vif in $VIF_LIST; do 
+    iptables -F back_load_balancer_$vif 2> /dev/null
+    iptables -D INPUT -i $vif -p tcp  -j back_load_balancer_$vif 2> /dev/null
+    iptables -X back_load_balancer_$vif 2> /dev/null
+  done
+  iptables -F back_lb_stats 2> /dev/null
+  iptables -D INPUT -i $STAT_IF -p tcp  -j back_lb_stats 2> /dev/null
+  iptables -X back_lb_stats 2> /dev/null
+}
+fw_restore() {
+  for vif in $VIF_LIST; do 
+    iptables -F load_balancer_$vif 2> /dev/null
+    iptables -D INPUT -i $vif -p tcp  -j load_balancer_$vif 2> /dev/null
+    iptables -X load_balancer_$vif 2> /dev/null
+    iptables -E back_load_balancer_$vif load_balancer_$vif 2> /dev/null
+  done
+  iptables -F lb_stats 2> /dev/null
+  iptables -D INPUT -i $STAT_IF -p tcp  -j lb_stats 2> /dev/null
+  iptables -X lb_stats 2> /dev/null
+  iptables -E back_lb_stats lb_stats 2> /dev/null
+}
 # firewall entry to ensure that haproxy can receive on specified port
 fw_entry() {
   local added=$1
   local removed=$2
+  local stats=$3
   
   if [ "$added" == "none" ]
   then
@@ -90,16 +112,29 @@ fw_entry() {
   
   local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
   local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
- 
+
+# back up the iptable rules by renaming before creating new. 
+  for vif in $VIF_LIST; do 
+    iptables -E load_balancer_$vif back_load_balancer_$vif 2> /dev/null
+    iptables -N load_balancer_$vif 2> /dev/null
+    iptables -A INPUT -i $vif -p tcp  -j load_balancer_$vif
+  done
+  iptables -E lb_stats back_lb_stats 2> /dev/null
+  iptables -N lb_stats 2> /dev/null
+  iptables -A INPUT -i $STAT_IF -p tcp  -j lb_stats
+
   for i in $a
   do
     local pubIp=$(echo $i | cut -d: -f1)
-    local dport=$(echo $i | cut -d: -f2)
-    logger -t cloud "Opening up firewall $pubIp:$dport (INPUT chain) for load balancing" 
+    local dport=$(echo $i | cut -d: -f2)    
+    local cidrs=$(echo $i | cut -d: -f3 | sed 's/-/,/')
     
     for vif in $VIF_LIST; do 
-      sudo iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
-      sudo iptables -A INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
+
+#TODO : The below delete will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
+      iptables -D INPUT -i $vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
+
+      iptables -A load_balancer_$vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT
       
       if [ $? -gt 0 ]
       then
@@ -107,18 +142,24 @@ fw_entry() {
       fi
     done      
   done
+  local pubIp=$(echo $stats | cut -d: -f1)
+  local dport=$(echo $stats | cut -d: -f2)    
+  local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
+  iptables -A lb_stats -s $cidrs -p tcp -m state --state NEW -d $pubIp --dport $dport -j ACCEPT
+ 
 
+#TODO : The below delete in the for-loop  will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
   for i in $r
   do
     local pubIp=$(echo $i | cut -d: -f1)
-    local dport=$(echo $i | cut -d: -f2)
-    logger -t cloud "Closing up firewall (INPUT chain) $pubIp:$dport for deleted load balancers" 
+    local dport=$(echo $i | cut -d: -f2)    
+    local cidrs=$(echo $i | cut -d: -f3 | sed 's/-/,/')
     
     for vif in $VIF_LIST; do 
-      sudo iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
+      iptables -D INPUT -i $vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
     done
   done
-  
+ 
   return 0
 }
 
@@ -182,7 +223,9 @@ do
 		cfgfile="$OPTARG"
 		;;
 
-  s)	sflag=1;;
+  s)	sflag=1
+		statsIp="$OPTARG"
+		;;
   ?)	usage
 		exit 2
 		;;
@@ -217,7 +260,8 @@ if [ "$VIF_LIST" == "eth0"  ]
 then
    ip_entry $addedIps $removedIps
 fi
-
+# FIXME make the load balancer stat interface generic
+STAT_IF="eth0"
 
 # hot reconfigure haproxy
 reconfig_lb $cfgfile
@@ -234,7 +278,7 @@ then
 fi
 
 # iptables entry to ensure that haproxy receives traffic
-fw_entry $addedIps $removedIps
+fw_entry $addedIps $removedIps $statsIp
   	
 if [ $? -gt 0 ]
 then
@@ -243,8 +287,8 @@ then
   restore_lb
 
   logger -t cloud "Reverting firewall config"
-  # Revert iptables rules on DomR, with addedIps and removedIps swapped 
-  fw_entry $removedIps $addedIps
+  # Revert iptables rules on DomR
+  fw_restore
 
   #FIXME: make this explicit via check on vm type or passed in flag
   if [ "$VIF_LIST" == "eth0"  ]
@@ -254,6 +298,9 @@ then
   fi
 
   exit 1
+else
+  # Remove backedup iptable rules
+  fw_remove_backup
 fi
  
 exit 0