Untitled

a guest
Jul 27th, 2017
## wan: vlan1
## lan: br0
## wifi: eth1
## permit incoming connections from WLAN
iptables -I INPUT 2 -i eth1 -m state --state NEW -j logaccept
## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 5 -i br0 -o vlan1 -j ACCEPT
## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT
## disallow WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0 -m state --state NEW -j DROP
## disallow LAN -> WLAN
iptables -I FORWARD -i br0 -o eth1 -m state --state NEW -j DROP
## disallow WLAN -> WAN subnet
iptables -I FORWARD -i eth1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
## disallow WLAN -> direct router access
## (no rule number given: -I inserts at position 1, ahead of the logaccept rule above)
iptables -I INPUT -i eth1 -m state --state NEW -j DROP
## Allow WLAN -> DHCP on the router
iptables -I INPUT -i eth1 -p udp --dport 67 -j ACCEPT
## Allow WLAN -> DNS on the router
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
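
Added example, not part of the original paste: a small Python model of how the script's INPUT rules end up ordered, since `-I` without a rule number inserts at the top and the first matching rule wins. The baseline placeholder rules, the helper names (`rule`, `insert`, `verdict`, `shadowed`) and the treatment of `logaccept` as a terminating target are assumptions made for this illustration.

```python
# Added illustration, not part of the original paste. Models only
# `iptables -I` ordering and first-match evaluation of the INPUT rules.
WLAN = "eth1"

def rule(target, **match):
    return {"target": target, "match": match}

def insert(chain, new_rule, pos=1):
    """iptables -I CHAIN [pos]: 1-based; with no pos the rule goes on top."""
    chain.insert(pos - 1, new_rule)

def build_input_chain():
    # Constructed baseline: placeholder rules standing in for the firmware's
    # pre-existing INPUT rules (assumption; they match no test packet).
    chain = [rule("ACCEPT", iface="placeholder%d" % i) for i in (1, 2, 3)]
    # Same operations, same order, as the INPUT lines of the script.
    insert(chain, rule("logaccept", iface=WLAN, state="NEW"), 2)
    insert(chain, rule("DROP", iface=WLAN, state="NEW"))
    insert(chain, rule("ACCEPT", iface=WLAN, proto="udp", dport=67))
    insert(chain, rule("ACCEPT", iface=WLAN, proto="udp", dport=53))
    insert(chain, rule("ACCEPT", iface=WLAN, proto="tcp", dport=53))
    return chain

def verdict(chain, packet):
    """Return (1-based index, target) of the first rule matching packet."""
    for idx, r in enumerate(chain, 1):
        if all(packet.get(k) == v for k, v in r["match"].items()):
            return idx, r["target"]
    return None, "chain policy"

def shadowed(chain):
    """Rules that never fire: an earlier rule matches every packet they do.
    Assumes every target is terminating (true for ACCEPT and DROP; assumed
    for logaccept)."""
    dead = []
    for i, r in enumerate(chain):
        if any(all(r["match"].get(k) == v for k, v in e["match"].items())
               for e in chain[:i]):
            dead.append(r)
    return dead

if __name__ == "__main__":
    chain = build_input_chain()
    for n, r in enumerate(chain, 1):
        print(n, r["target"], r["match"])
    ssh = {"iface": WLAN, "state": "NEW", "proto": "tcp", "dport": 22}
    print("WLAN -> router tcp/22:", verdict(chain, ssh))
    print("never reached:", [r["target"] for r in shadowed(chain)])
```

On a live router the equivalent check is to read the resulting order and per-rule packet counters with `iptables -L INPUT -n -v --line-numbers`.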