ddwrt-guest-router-firewall.sh

1. #!/bin/sh
2. WAN_IF="$(nvram get wan_iface)"
3. WAN_IP="$(nvram get wan_ipaddr)"
4. WAN_NET="$WAN_IP/$(nvram get wan_netmask)"
5.  
6. PORT_DHCP="67"
7. PORT_DNS="53"
8.  
9. # allow administrative access from wan (prevents lockout)
10. iptables -I INPUT -i $WAN_IF -m state --state NEW -j ACCEPT
11.  
12. # limit guests to essential router services (icmp, dhcp, dns)
13. iptables -I INPUT -i br0 -j REJECT
14. iptables -I INPUT -p icmp -i br0 -j ACCEPT
15. iptables -I INPUT -p udp  -i br0 --dport $PORT_DHCP -j ACCEPT
16. iptables -I INPUT -p tcp  -i br0 --dport $PORT_DNS  -j ACCEPT
17. iptables -I INPUT -p udp  -i br0 --dport $PORT_DNS  -j ACCEPT
18.  
19. # deny access to private network by guests (internet only)
20. iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
21.  
22. # deny access to all other private networks by guests (internet only)
23. iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j REJECT
24. iptables -I FORWARD -i br0 -d 172.16.0.0/12  -m state --state NEW -j REJECT
25. iptables -I FORWARD -i br0 -d 10.0.0.0/8     -m state --state NEW -j REJECT
26.  
27. # allow access to printer on private network by guests (optional, just an example)
28. iptables -I FORWARD -i br0 -p tcp -d 192.168.1.100 --dport 9100 \
29.     -m state --state NEW -j ACCEPT