Your firewall/router by default will block incoming traffic and only allow traffic outbound that is initiated by the internal LAN side. Make sure the firewall is turned on, yes. Especially if this is the final route out to the internet.
So incoming connections initiated by the outside should be dropped by default but you can do a full port scan of your WAN public IP address(es) here: http://www.hackerwatch.org/probe/
That should help you gauge if anything is open or not open.
There are other steps such as ensuring your WAN IP for management purposes on your router isn't accessible (to prevent external access to it by hacking attempts), along with secure passwords instead of the defaults on it. Make sure it's on the latest firmware and ask TP Link if there's any known exploits against that router.
This isn't foolproof by any means, and you'll need to be thorough about your security if you ever change anything or do allow inbound port access for things like VPN, hosted apps (like websites/email), etc.
If you are super concerned or it is a big deal to management, consider hiring a small firm to do a penetration test and security assessment from time to time.
Finally, relax... you are probably a small shop, so don't go crazy trying to create all kinds of layers and customization. Put in place what makes you and management comfortable without being so draconian that people cannot work.
I wanted to block all incoming traffic to eth1 but only allow port 21, just so that external IPs can't access our web server, FTP server, etc. Only allow port 21 for SSH access. Ping should work too.
The cleanest way would be to configure the web/FTP servers to listen only on the internal interface. This way, you wouldn't have to worry about any networking-related techniques at all.
If you can't do that for any reason, apply these rules:
iptables -A INPUT -i eth1 -p icmp -j ACCEPT # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT # allow SSH
iptables -A INPUT -i eth1 -j DROP # drop everything else
(SSH's default port is 22 by the way, but I think you know best where your SSH listens.)
On the local network (eth0), anyone should be able to access anything, but just block local IPs 192.168.1.20 and 192.168.1.30 from accessing the 192.168.1.50 server.
Simple:
iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP
iptables -A INPUT -i eth0 -s 192.168.1.30 -j DROP
That drops all packets from these hosts. If you want ping allowed here as well, use a similar rule for ICMP like on eth1.
Best Answer
If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the following:
assuming eth0 is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:
Of course the ACCEPT rule should be added before the DROP rule. Doing so will prevent you from hosting any service within your network.
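The two answers above describe the same INPUT-chain pattern: ACCEPT the few things you want (ping, one admin port, replies to connections the box itself opened) and then DROP everything else arriving on the external interface, with the ACCEPT rules necessarily appended before the DROP because iptables stops at the first matching rule. The script below is an added example that is not from this thread; it assembles that rule set for the scenario in the question (eth1 external, eth0 LAN, port 21 kept as the question states it, 192.168.1.20 and .30 kept away from 192.168.1.50) and checks the ordering before anything is applied. It assumes the box running iptables is the server itself (so INPUT is the right chain), that the conntrack match module is available, and it narrows the LAN rules with -d to the server address as the question asked; the interface names, port and addresses are parameters so they can be changed.

```shell
#!/bin/sh
# Added example (not from the thread). Builds and sanity-checks INPUT rules:
#   eth1 (external): allow replies to our own connections, ping and one TCP
#                    admin port, drop everything else.
#   eth0 (LAN):      drop traffic from two listed hosts to the protected server.
# Interface names, port and addresses below are taken from the question;
# everything else is an assumption of this example.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
ADMIN_PORT="${ADMIN_PORT:-21}"            # the question says 21; SSH normally uses 22
PROTECTED_HOST="${PROTECTED_HOST:-192.168.1.50}"
BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.168.1.20 192.168.1.30}"

# Print the rules in the order they must be appended. The ESTABLISHED,RELATED
# ACCEPT lets replies to connections this host opened (DNS, updates, ...) back
# in; without it the final DROP on the external interface kills them too.
build_rules() {
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp --dport $ADMIN_PORT -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -j DROP"
    for h in $BLOCKED_HOSTS; do
        printf '%s\n' "iptables -A INPUT -i $LAN_IF -s $h -d $PROTECTED_HOST -j DROP"
    done
}

# Ordering check on a rule list: the first ESTABLISHED,RELATED ACCEPT must come
# before the first unconditional DROP on the external interface.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    accept_line=$(printf '%s\n' "$1" | grep -n 'ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$1" | grep -n -- "-i $WAN_IF -j DROP" | head -1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Number of iptables commands in a rule list (6 for the defaults above).
count_rules() {
    printf '%s\n' "$1" | grep -c '^iptables'
}

# Without --apply (or without root) this only prints the rules. With --apply as
# root it flushes INPUT first so that re-running does not stack duplicates;
# remove the -F line if other INPUT rules must survive.
main() {
    rules=$(build_rules)
    if ! check_order "$rules"; then
        echo "refusing: DROP would precede the ESTABLISHED,RELATED ACCEPT" >&2
        return 1
    fi
    if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
        iptables -F INPUT
        printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

After applying, `iptables -S INPUT` shows the chain in rule order, which is the quickest way to confirm the ACCEPT lines sit above the DROP; the rules live only in the running kernel, so they must be saved (for example with iptables-save into whatever your distribution restores at boot) to survive a reboot.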