Linux – Shorewall drop all incoming traffic from one internet IP except for all local host except two

If you really want to block all incoming traffic from the WAN (or Internet), you can simply add a rule like the the following:

$ iptables -A INPUT -i eth0 -j DROP

assuming eth0 is the WAN interface. This is enough to block all incoming traffic. However, you need to allow all related/established connections to be able to request some service from the WAN/Internet. So, you need a rule like:

$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Of course the ACCEPT rule should be added before the DROP rule. Doing so will prevent you from hosting any service within your network.

I wanted to block all the incoming route to eth1 but only allow port 21. Just so that external IP can't access to our web server, ftp server, etc. Only allow port 21 for SSH access. Ping should work too.

The cleanest way would be to configure the web/ftp-servers to listen only on the internal interface. This way, you wouldn't have to worry about any networking related techniques at all.

If you can't do that for any reason, apply these rules:

iptables -A INPUT -i eth1 -p icmp -j ACCEPT           # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT # allow SSH
iptables -A INPUT -i eth1 -j DROP                     # drop everything else

(SSH's default port is 22 by the way, but I think you know best where your SSH listens.)

On the local network (eth0), anyone should be able to access anything but just block local ip's 192.168.1.20 and 192.168.1.30 from accessing to 192.168.1.50 server.

Simple:

iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP 
iptables -A INPUT -i eth0 -s 192.168.1.30 -j DROP

That drops all packets from these hosts. If you want ping allowed here as well, use a similar rule for icmp like on eth1.