Hi all,

I just want to allow only some udp ports and deny all tcp access as my script below:

The problem is that I can't register my SIP phone via udp ports below.
If I omit "-A INPUT -p udp -m udp -d 192.168.1.100 -j DROP", my SIP phone can register to Asterisk server.
What am I doing wrong? Help please?

Regards,
Amigota

Once you put this rule in place:
Assuming this is on the machine with the ip 192.168.1.100, otherwise it wouldn't have much effect, your eth1 interface is unable to communicate at all. Network traffic is bi-directional. You can't only allow inputs and not output.

Iptables works like a waterfall. It tries to match against the first rule in the list. If it is successful, it stops, even if this rule is a drop rule and there is an equivalent accept rule below it.

Can you guys guide me please?

Supposed I have 2 network interfaces eth0 and eth1. I just want to deny all traffic to/from eth1, except udp 5060 and udp 10000-20000. eth0 is full access.

Thanks

You seem to have already gained a moderate understanding of iptables, which is important. To improve upon your understanding I would recommend this excellent tutorial on iptables: http://bodhizazen.net/Tutorials/iptables

The next thing you would need to focus on is what are you trying to protect against. While you consider this, realize that firewalls in Linux have a slightly different focus than they typically do in other environments, like Windows in particular. The firewall should be an added layer of protection, fortifying the ports that are already closed; not as the primary barrier around an unprotected system.

Blocking inbound traffic is generally pretty easy. Your input rules will do this. I would recommend three modifications for you to consider depending on your network structure and needs or desires:
1 - if iptables is running on the machine 192.168.1.100, you can drop the -s 192.168.1.100 portion to make the rule more generic. Strictly speaking, it doesn't hurt, but with it only traffic being directed to this address will be filtered. Presumably, the upstream switch wouldn't even put traffic on the wire that wasn't directed towards this machine. If the machine is functioning as a router, e.g. in on eth0 and out on eth1, while providing NAT, this may not be practical.

2 -at the end of your rules, you can add -A INPUT -j DROP to remove all other traffic than what has been white listed above. Again, specifying an address may be redundant and would cause broadcast and multicast traffic, which is not directed at a single IP to still be passed which may not be what you want.

3 - consider adding an established, related stanza towards the top of your input block. If you have outbound traffic that originated at your machine, the inbound traffic will return on an unknown, but typically higher port number. The tutorial referenced will discuss this, but for example: .

Blocking outbound traffic can be a little trickier and you need to consider this one carefully. First will the traffic be in response to inbound traffic only or is the machine capable of generating traffic on its own? This is one of the most common needs for firewalls, especially the software variety, on Windows: to keep applications from "phoning home." While this could still happen on Linux, it isn't as prevalent in terms of mal-ware. Your distribution's update notify too, for example, would make use of this function. If your system is a server, responding to requests on standard ports, the outbound response will be on a higher order, random, port number. If you block traffic to all but a particular range, you may break your applications. If you want to restrict access away from some services, e.g. not allow telnet on port 23, you could block those ports in your output rules. The rules works the same way as in the input chain, it is just that you need to be extra careful in thinking about how the closed communication circuit (including return path) will work.