[CentOS] Re: TFP inside firewall

Wed Jun 11 01:30:22 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

If conntrack can track the TFTP sessions, then you should be able to
filter it using -m state in iptables.

iptables -A ... -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ... -m state --state NEW -p udp --dport 69 -j ACCEPT

You can have one rule in INPUT and the other in OUTPUT, or both in
FORWARD with different -i and -o interfaces.

If you give more details on your current topology, what's the access
you want to allow, and what are your current rules, it might be easier
to help you accomplish that exactly.

HTH,
Filipe
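A fuller version of the FORWARD-chain variant sketched above, as an added example that is not from the thread: it assumes a firewall with clients on eth0 and a TFTP server at 192.0.2.10 on eth1, and the `-t raw ... -j CT --helper tftp` rule is only needed on kernels that no longer assign conntrack helpers automatically.

```shell
#!/bin/sh
# Added example (not from the original thread): a FORWARD-chain ruleset for a
# firewall sitting between a client LAN and a TFTP server.
# Assumed topology: clients on eth0, TFTP server 192.0.2.10 on eth1.
# Commands are printed rather than executed unless APPLY=1 (they need root).
LAN_IF="${LAN_IF:-eth0}"
SRV_IF="${SRV_IF:-eth1}"
TFTP_SERVER="${TFTP_SERVER:-192.0.2.10}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The conntrack TFTP helper is what makes the server's data reply (sent from
# a fresh ephemeral port, not port 69) show up as RELATED. Without it the
# ESTABLISHED,RELATED rule never matches the reply and the transfer is dropped.
tftp_forward_rules() {
    # Kernel helper for TFTP so the data channel is tracked.
    run modprobe nf_conntrack_tftp
    # On kernels without automatic helper assignment, bind the helper
    # explicitly to the control flow in the raw table.
    run iptables -t raw -A PREROUTING -i "$LAN_IF" -p udp \
        -d "$TFTP_SERVER" --dport 69 -j CT --helper tftp
    # Replies and the helper-expected data channel, in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New TFTP requests only from the client LAN toward the server.
    run iptables -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -p udp \
        -d "$TFTP_SERVER" --dport 69 -m state --state NEW -j ACCEPT
    # Default deny, set last so existing flows are not cut off mid-change.
    run iptables -P FORWARD DROP
}

# Count emitted rules that contain the given pattern (used for checking).
count_rules_matching() {
    tftp_forward_rules | grep -c -- "$1"
}

tftp_forward_rules
```

Run with `APPLY=1` as root to install the rules; without it the script only prints them for review.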