
tomato-ap-firewall.sh

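#!/bin/sh
#
# tomato-ap-firewall.sh - guest network (br1) isolation for a Tomato router.
#
# Intended to run as the Tomato firewall script. Guests on br1 may reach only
# the router services they need (DHCP, DNS, ICMP and, when configured, the
# nocatsplash captive portal), are kept off the private LAN and every other
# RFC1918 destination except a network-printer port, and have their traffic
# routed via the private network (br0) SNATed to the router's LAN address.
#
# Every iptables call goes through ipt(), which first deletes an identical
# rule so the script can be re-run without accumulating duplicates.
#
# The whole body runs in a subshell so that stdout and stderr (including the
# set -x trace) are captured and sent to syslog through logger.
(
set -x # uncomment/comment to enable/disable debug mode

# private network (br0)
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"

# guest network (br1)
LAN1_IP="$(nvram get lan1_ipaddr)"
LAN1_NET="$LAN1_IP/$(nvram get lan1_netmask)"

# Without both addresses the -d / -s / --to arguments below would be
# malformed; stop before touching any table so nothing half-applied is left.
if [ -z "$LAN_IP" ] || [ -z "$LAN1_IP" ]; then
    printf '%s\n' "lan_ipaddr or lan1_ipaddr is not set in nvram; no rules applied" >&2
    exit 1
fi

PORT_DHCP="67"
PORT_DNS="53"
PORT_CP="$(nvram get NC_GatewayPort)" # nocatsplash captive portal
PORT_LPT="9100"

# ipt_del ARGS...
# Run "iptables -D" with the same rule spec as ARGS, where ARGS is an
# insert (-I) or append (-A) iptables command line. Only a standalone
# -I or -A word is rewritten to -D; every other argument is passed through
# verbatim (quoted), so rule specs are never word-split or glob-expanded.
# Errors are silenced on purpose: the rule not existing yet (first run)
# is the normal case.
ipt_del() {
    _n=$#
    # The list "$@" is expanded once before the loop starts, so appending
    # to the positional parameters inside the loop is safe.
    for _arg in "$@"; do
        case "$_arg" in
            -I|-A) set -- "$@" -D ;;
            *)     set -- "$@" "$_arg" ;;
        esac
    done
    # "$@" now holds the original words followed by the rewritten copy;
    # drop the originals so only the -D command line remains.
    shift "$_n"
    iptables "$@" 2> /dev/null
}

# ipt ARGS...
# Precede insert/append w/ deletion to avoid dups, then run "iptables ARGS".
ipt() {
    ipt_del "$@"
    iptables "$@"
}

# NOTE: -I with no rule number inserts at position 1, so within each group
# below the LAST ipt line is the rule evaluated FIRST.

# limit guests to essential router services
ipt -I INPUT -i br1 -j REJECT
ipt -I INPUT -p icmp -i br1 -j ACCEPT
ipt -I INPUT -p tcp -i br1 --dport "$PORT_DNS" -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport "$PORT_DNS" -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport "$PORT_DHCP" -j ACCEPT

# allow access (redirect) to nocatsplash captive portal by guests
# (skipped when NC_GatewayPort is unset or empty)
[ -n "$PORT_CP" ] && ipt -I INPUT -i br1 -p tcp --dport "$PORT_CP" -j ACCEPT

# move state rules of INPUT chain back to the top
ipt -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I INPUT -m state --state INVALID -j DROP

# allow routing through private network by guests
ipt -I FORWARD -i br1 -o br0 -j ACCEPT

# deny access to destinations on the private network by guests
ipt -I FORWARD -i br1 -d "$LAN_NET" -j REJECT

# deny access to all other private networks by guests
ipt -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT
ipt -I FORWARD -i br1 -d 172.16.0.0/12 -j REJECT
ipt -I FORWARD -i br1 -d 10.0.0.0/8 -j REJECT

# allow access to workgroup/network printer(s) of private network by guests
# NOTE: this rule ends up above the private-network rejects and carries no
# -d, so guests can reach tcp/$PORT_LPT on any forwarded destination, not
# just the printer(s). Add -d <printer address> (or -d "$LAN_NET") to limit
# it to what is actually intended.
ipt -I FORWARD -p tcp -i br1 --dport "$PORT_LPT" -j ACCEPT

# move state rules of FORWARD chain back to the top
ipt -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I FORWARD -m state --state INVALID -j DROP

# nat the guest network over the private network
ipt -t nat -A POSTROUTING -s "$LAN1_NET" -o br0 -j SNAT --to "$LAN_IP"

# syslog tag is "<script name>[<pid>]"; quoted so the brackets are not a glob
) 2>&1 | logger -t "$(basename "$0")[$$]"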