gid01

asked on
iptables: allow certain ips and block all other connection

How do I allow certain ips and block all other connection in iptables?
ASKER CERTIFIED SOLUTION
farzanj
Another way is to make policies.  So you make a policy that everything is dropped.  Then you explicitly allow a few connections.

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

Then you allow some traffic
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT
# With OUTPUT DROP in place, replies to accepted connections must be allowed too
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
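The default-deny approach in the answer above, worked into a complete script. This is an added example, not code from the thread: it keeps farzanj's three DROP policies and the office-only SSH rule, adds the loopback and ESTABLISHED,RELATED rules a default-deny box needs to stay usable, and wraps iptables in a dry-run mode so the rule set can be reviewed as text before it touches a live firewall. OFFICE_IP is an assumed placeholder for the one host allowed to open SSH.

```shell
#!/bin/sh
# Added example (not from the original answers): farzanj's default-deny policy
# plus the two rule groups that keep it usable, with a dry-run mode.
# OFFICE_IP is an assumed placeholder; DRY_RUN=0 as root actually loads rules.

OFFICE_IP="${OFFICE_IP:-192.168.1.100}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# apply_default_deny: the whole rule set, in the order it must be loaded.
apply_default_deny() {
    # 1. Start clean and drop everything by default.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # 2. Loopback: local services (resolver caches, Asterisk's own management
    #    interface) talk to 127.0.0.1 and would otherwise be cut off.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # 3. Replies for connections the box already accepted or initiated. Without
    #    these, OUTPUT DROP also swallows the responses of the SSH session that
    #    the NEW rule below lets in, and the box cannot do DNS lookups.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Only the office host may open a new SSH connection; everything else
    #    falls through to the DROP policy.
    ipt -A INPUT -p tcp -s "$OFFICE_IP" --dport 22 -m state --state NEW -j ACCEPT
}

# count_accept_rules: how many ACCEPT rules the set adds, a quick sanity check
# that the allow list is as small as intended (5 for the rules above).
count_accept_rules() {
    ( DRY_RUN=1; apply_default_deny ) | grep -c -- '-j ACCEPT'
}

# Review the generated rules; rerun with DRY_RUN=0 to apply them.
apply_default_deny
```

Run it once as-is to read the generated commands, then as root with DRY_RUN=0. Order matters: the loopback and ESTABLISHED,RELATED rules must come before any per-host rule, since iptables evaluates a chain top to bottom and the policy only applies to packets that match nothing.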

gid01

ASKER

I run an Asterisk server for my small business, would this be a good way to prevent unauthorized access to my system?
Of course.  You should NEVER take network security for granted.  You should block IPs that are not valuable and also block all the ports that are not used.  Obviously you would not want your system to be compromised, and multiple layers of security are better.
I agree completely with farzanj.

Since you're talking about an Asterisk server, if you have IAX2 or SIP ports exposed on the internet (for remote phones, and/or connections to a VOIP provider, and/or connections to another PBX), it would be particularly prudent to restrict access for those ports to specific IPs if you can.

For SIP, a large range of UDP ports is needed for allowing (voice) data transfer between endpoints after establishing a session (a symptom of a problem with this is being able to dial, but there's no sound). The default range for this, if I recall correctly, is 16384 - 32768, but it could be different (if you're connecting to a SIP provider, check what they require also). Some router/firewalls have SIP "helpers" that, if enabled, automatically open these data ports for established sessions; if you have this available, it is preferable over having to open the large range of ports outright.
gid01

ASKER

If I block all IPs except for a few essential IPs that are needed to run Asterisk, why should I have rules to block unnecessary ports too?
Because, if a hacker uses simple packet sniffing utilities to sniff the packets coming to your network, he will have a pretty good idea as to what IP addresses get accepted at your network.  He will then use another simple utility to scan all the ports--standard procedure before hacking.  Then he would spoof packets with the acceptable IP address and open ports to launch his attack.  Hackers play all kinds of games.  We as security guys try to keep it as restricted as possible to make their game a little harder.
You should have NO services running that are not being used.  They only open ports and make it an easy target of an attack.
I tend to agree with farzanj.

However I also believe you should balance usage with security.

This said, how about adding a file with all the ip addresses you want open?

You can use the attached code snippet examples to do that.
IPFILE: (assume these are the IP addresses you want open)
100.100.100.100
101.101.101.101
...

Iptables Script:

# Start of script

# Variables
ipt=$(which iptables)
# Policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT # I avoid problems with this

# Keep loopback and the replies to this box's own outbound connections working;
# otherwise INPUT DROP also discards DNS answers and similar return traffic
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Examine the IP addresses file and open input to those ip's
while read -r ip; do
  $ipt -A INPUT -s "$ip" -j ACCEPT
done < IPFILE

# End of script
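A hardened variant of the file-driven allowlist above, which also applies the earlier advice about restricting the Asterisk signalling and media ports to specific IPs. This is an added example, not code from the thread. It differs from the posted script in two ways: it ignores comments and blank lines and rejects anything that is not an IPv4 address or CIDR block, so a stray line in IPFILE cannot produce a broken or over-broad rule; and it opens only the VoIP ports per allowed source instead of every port. The port numbers (SIP 5060/udp, IAX2 4569/udp) are the usual defaults and the RTP range is the 16384-32768 figure mentioned above; both are assumptions to check against the server's configuration and the SIP provider's requirements. The sample allowlist is constructed and contains no real peers.

```shell
#!/bin/sh
# Added example (not code from the thread): validated, port-scoped version of
# the IPFILE allowlist. Port numbers and RTP range are assumed defaults.

RTP_RANGE="${RTP_RANGE:-16384:32768}"   # assumed; verify against rtp.conf / provider
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules, 0 = apply with iptables

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

# is_ipv4_or_cidr: accept only a dotted quad, optionally with a /0-32 prefix,
# and only if every octet is 0-255.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# read_allowlist FILE: print the validated entries one per line; comments and
# blank lines are ignored, malformed lines are reported on stderr and skipped.
read_allowlist() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                  # strip comments
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"  # strip whitespace
        [ -z "$entry" ] && continue
        if is_ipv4_or_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$1"
}

# apply_voip_allowlist FILE: default-deny INPUT, keep loopback and return
# traffic, then open only the VoIP ports for each validated source.
apply_voip_allowlist() {
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    read_allowlist "$1" | while IFS= read -r src; do
        ipt -A INPUT -p udp -s "$src" --dport 5060 -j ACCEPT          # SIP signalling
        ipt -A INPUT -p udp -s "$src" --dport 4569 -j ACCEPT          # IAX2
        ipt -A INPUT -p udp -s "$src" --dport "$RTP_RANGE" -j ACCEPT  # RTP media
    done
}

# write_sample_ipfile: constructed allowlist (no real peers), printed as a path.
write_sample_ipfile() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# SIP provider
100.100.100.100
# remote office, whole subnet
101.101.101.0/24   # trailing comment is fine
300.1.1.1          # malformed: octet > 255, will be skipped
not-an-ip
EOF
    echo "$f"
}

# count_valid_entries FILE: number of entries that survive validation.
count_valid_entries() { read_allowlist "$1" 2>/dev/null | wc -l | tr -d ' '; }

SAMPLE="$(write_sample_ipfile)"
apply_voip_allowlist "$SAMPLE"   # dry run: prints 8 rules, 2 of the 4 entries used
rm -f "$SAMPLE"
```

With the constructed file, the two malformed lines are reported on stderr and dropped, and the two good entries each get three rules. Point the script at the real IPFILE and run with DRY_RUN=0 as root once the printed rules look right.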