ddwrt-guest-router-firewall.sh

eibgrad, Nov 12th, 2015 (edited)
#!/bin/sh
# Guest-router firewall for DD-WRT. Every rule is added with "iptables -I",
# which inserts at the TOP of the chain, so within each block the rule written
# last is evaluated first: the ACCEPT exceptions land above the REJECT they
# carve out of.
WAN_IF="$(nvram get wan_iface)"
WAN_IP="$(nvram get wan_ipaddr)"
WAN_NET="$WAN_IP/$(nvram get wan_netmask)"

PORT_DHCP="67"
PORT_DNS="53"

# allow administrative access from wan (prevents lockout)
iptables -I INPUT -i $WAN_IF -m state --state NEW -j ACCEPT

# limit guests to essential router services (icmp, dhcp, dns)
iptables -I INPUT -i br0 -j REJECT
iptables -I INPUT -p icmp -i br0 -j ACCEPT
iptables -I INPUT -p udp  -i br0 --dport $PORT_DHCP -j ACCEPT
iptables -I INPUT -p tcp  -i br0 --dport $PORT_DNS  -j ACCEPT
iptables -I INPUT -p udp  -i br0 --dport $PORT_DNS  -j ACCEPT

# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT

# deny access to all other private networks by guests (internet only)
iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 172.16.0.0/12  -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 10.0.0.0/8     -m state --state NEW -j REJECT

# allow access to printer on private network by guests (optional, just an example)
# inserted last, so it sits above the REJECTs and is matched first
iptables -I FORWARD -i br0 -p tcp -d 192.168.1.100 --dport 9100 \
    -m state --state NEW -j ACCEPT
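The effective policy is easy to misread because "iptables -I" prepends, so the script's textual order is the reverse of the evaluation order. As an added example (not part of the original paste, nor DD-WRT code), the Python below emulates the INPUT and FORWARD chains the script builds, applies the same prepend semantics, and reports the verdict for representative guest packets. It assumes constructed values for the nvram variables (WAN_IF=eth0, WAN_NET=192.168.1.5/255.255.255.0) and a chain policy of ACCEPT below the script's rules; DD-WRT's own stock rules are not modeled, only the ones in the paste.

```python
#!/usr/bin/env python3
"""Emulate the guest-router iptables rules from the paste (added example).

Constructed assumptions: WAN_IF is eth0, WAN_NET is 192.168.1.5/255.255.255.0,
and anything that falls off the end of a chain is ACCEPTed (DD-WRT's other
rules are not modeled). Only the rules in the paste are represented.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

WAN_IF = "eth0"                                   # assumed: nvram get wan_iface
WAN_NET = "192.168.1.5/255.255.255.0"             # assumed: WAN_IP/netmask
GUEST_IF = "br0"
PRINTER = "192.168.1.100"                         # from the paste's optional rule


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None       # network in CIDR or addr/netmask form
    dport: Optional[int] = None
    new_only: bool = False          # "-m state --state NEW"

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt["in_if"] != self.in_if:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst is not None:
            net = ipaddress.ip_network(self.dst, strict=False)  # iptables masks host bits
            if ipaddress.ip_address(pkt["dst"]) not in net:
                return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.new_only and pkt.get("state", "NEW") != "NEW":
            return False
        return True


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = "ACCEPT"          # assumed fall-through verdict

    def insert(self, rule: Rule) -> None:
        """iptables -I with no index: prepend, so the last inserted is checked first."""
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:     # first match wins, like netfilter
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_chains():
    """Replay the paste's rules in the same textual order."""
    inp, fwd = Chain(), Chain()
    # allow administrative access from wan (prevents lockout)
    inp.insert(Rule("ACCEPT", in_if=WAN_IF, new_only=True))
    # limit guests to essential router services (icmp, dhcp, dns)
    inp.insert(Rule("REJECT", in_if=GUEST_IF))
    inp.insert(Rule("ACCEPT", in_if=GUEST_IF, proto="icmp"))
    inp.insert(Rule("ACCEPT", in_if=GUEST_IF, proto="udp", dport=67))
    inp.insert(Rule("ACCEPT", in_if=GUEST_IF, proto="tcp", dport=53))
    inp.insert(Rule("ACCEPT", in_if=GUEST_IF, proto="udp", dport=53))
    # deny guests new connections into the private network and all RFC 1918 space
    for net in (WAN_NET, "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"):
        fwd.insert(Rule("REJECT", in_if=GUEST_IF, dst=net, new_only=True))
    # optional printer exception, inserted last so it is evaluated first
    fwd.insert(Rule("ACCEPT", in_if=GUEST_IF, proto="tcp", dst=PRINTER,
                    dport=9100, new_only=True))
    return inp, fwd


def packet(in_if, dst, proto="tcp", dport=None, state="NEW") -> dict:
    """Build a constructed packet description for the emulator."""
    return {"in_if": in_if, "dst": dst, "proto": proto, "dport": dport, "state": state}


def verdict(chain_name: str, pkt: dict) -> str:
    inp, fwd = build_chains()
    return (inp if chain_name == "INPUT" else fwd).verdict(pkt)


if __name__ == "__main__":
    cases = [
        ("INPUT",   packet("br0", "192.168.1.5", "udp", 53)),      # guest DNS to router
        ("INPUT",   packet("br0", "192.168.1.5", "tcp", 22)),      # guest SSH to router
        ("FORWARD", packet("br0", "192.168.1.50", "tcp", 445)),    # guest to private host
        ("FORWARD", packet("br0", PRINTER, "tcp", 9100)),          # guest to printer
        ("FORWARD", packet("br0", "93.184.216.34", "tcp", 443)),   # guest to internet
    ]
    for chain, pkt in cases:
        print(f"{chain:8} {pkt['in_if']} -> {pkt['dst']}:{pkt['dport']} "
              f"{pkt['proto']} = {verdict(chain, pkt)}")
```

One thing the emulation makes visible: the FORWARD REJECTs match only NEW connections, so reply traffic for sessions the private side opened toward a guest is still forwarded; that is intended, and it is why the rules carry "-m state --state NEW" rather than rejecting all guest-sourced forwards.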