eibgrad

ddwrt-guest-router-firewall.sh

Nov 12th, 2015
821
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/bin/sh
  2. WAN_IF="$(nvram get wan_iface)"
  3. WAN_IP="$(nvram get wan_ipaddr)"
  4. WAN_NET="$WAN_IP/$(nvram get wan_netmask)"
  5.  
  6. PORT_DHCP="67"
  7. PORT_DNS="53"
  8.  
  9. # allow administrative access from wan (prevents lockout)
  10. iptables -I INPUT -i $WAN_IF -m state --state NEW -j ACCEPT
  11.  
  12. # limit guests to essential router services (icmp, dhcp, dns)
  13. iptables -I INPUT -i br0 -j REJECT
  14. iptables -I INPUT -p icmp -i br0 -j ACCEPT
  15. iptables -I INPUT -p udp  -i br0 --dport $PORT_DHCP -j ACCEPT
  16. iptables -I INPUT -p tcp  -i br0 --dport $PORT_DNS  -j ACCEPT
  17. iptables -I INPUT -p udp  -i br0 --dport $PORT_DNS  -j ACCEPT
  18.  
  19. # deny access to private network by guests (internet only)
  20. iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
  21.  
  22. # deny access to all other private networks by guests (internet only)
  23. iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j REJECT
  24. iptables -I FORWARD -i br0 -d 172.16.0.0/12  -m state --state NEW -j REJECT
  25. iptables -I FORWARD -i br0 -d 10.0.0.0/8     -m state --state NEW -j REJECT
  26.  
  27. # allow access to printer on private network by guests (optional, just an example)
  28. iptables -I FORWARD -i br0 -p tcp -d 192.168.1.100 --dport 9100 \
  29.     -m state --state NEW -j ACCEPT
RAW Paste Data