eibgrad

tomato-ap-firewall.sh

Mar 25th, 2015 (edited)
#!/bin/sh
(
set -x # uncomment/comment to enable/disable debug mode

# Everything the rules need is pulled from nvram at run time, so the script
# follows the router's current configuration instead of hard-coding subnets.

# private network (br0): the trusted LAN that guests will be NATed onto
LAN_IP="$(nvram get lan_ipaddr)"
LAN_MASK="$(nvram get lan_netmask)"
LAN_NET="${LAN_IP}/${LAN_MASK}"

# guest network (br1): the isolated guest LAN
LAN1_IP="$(nvram get lan1_ipaddr)"
LAN1_MASK="$(nvram get lan1_netmask)"
LAN1_NET="${LAN1_IP}/${LAN1_MASK}"

# router services guests are permitted to reach, plus the LAN printer port
PORT_DHCP="67"
PORT_DNS="53"
PORT_CP="$(nvram get NC_GatewayPort)" # nocatsplash captive portal; the rule using it is guarded because this may be empty
PORT_LPT="9100"
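#######################################
# Apply one iptables rule idempotently: the same rule with its first
# -I/-A (insert/append) replaced by -D is run first, so re-running the
# script does not pile up duplicate copies of each rule.
# Arguments: the iptables command line, one option per argument
#            (e.g. ipt -t nat -A POSTROUTING ...). Arguments are passed
#            through unchanged, so a value containing spaces or glob
#            characters (e.g. -m comment --comment "guest wifi") is kept
#            as a single word instead of being re-split and expanded.
# Returns:   exit status of the insert/append call. The deletion's
#            status and stderr are discarded on purpose: "no such rule"
#            is the normal case on a first run.
#######################################
ipt() {
    # The deletion runs in a subshell so the positional parameters can be
    # rewritten there (rotated through "$@" with the first whole-word
    # -I/-A swapped for -D) while the parent keeps the original arguments.
    (
        n=$#
        hit=0
        while [ "$n" -gt 0 ]; do
            a=$1
            shift
            if [ "$hit" -eq 0 ] && { [ "$a" = "-I" ] || [ "$a" = "-A" ]; }; then
                a="-D"
                hit=1
            fi
            set -- "$@" "$a"
            n=$((n - 1))
        done
        iptables "$@" 2>/dev/null
    )
    iptables "$@"
}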
  25.  
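# limit guests to essential router services: the catch-all REJECT is
# inserted first, then each permitted service is inserted above it
ipt -I INPUT -i br1 -j REJECT
ipt -I INPUT -p icmp -i br1 -j ACCEPT
ipt -I INPUT -p tcp -i br1 --dport "$PORT_DNS" -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport "$PORT_DNS" -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport "$PORT_DHCP" -j ACCEPT

# allow access (redirect) to nocatsplash captive portal by guests
# (only when a portal port is configured; -n with quoting so a value with
# unexpected whitespace cannot turn into extra test operands)
if [ -n "$PORT_CP" ]; then
    ipt -I INPUT -i br1 -p tcp --dport "$PORT_CP" -j ACCEPT
fi

# move state rules of INPUT chain back to the top
ipt -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I INPUT -m state --state INVALID -j DROP

# allow routing through private network by guests
ipt -I FORWARD -i br1 -o br0 -j ACCEPT

# deny access to destinations on the private network by guests
ipt -I FORWARD -i br1 -d "$LAN_NET" -j REJECT

# deny access to all other private networks by guests
ipt -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT
ipt -I FORWARD -i br1 -d 172.16.0.0/12 -j REJECT
ipt -I FORWARD -i br1 -d 10.0.0.0/8 -j REJECT

# allow access to workgroup/network printer(s) of private network by guests
# NOTE: this rule sits above the private-range REJECTs, so TCP/9100 is
# reachable on every private address, not only the printer(s); add
# -d <printer-ip> (placeholder) to narrow it when there is a single printer
ipt -I FORWARD -p tcp -i br1 --dport "$PORT_LPT" -j ACCEPT

# move state rules of FORWARD chain back to the top
ipt -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I FORWARD -m state --state INVALID -j DROP

# nat the guest network over the private network
ipt -t nat -A POSTROUTING -s "$LAN1_NET" -o br0 -j SNAT --to "$LAN_IP"

# all output (including the set -x trace) goes to syslog tagged
# "<script>[pid]"; quoted so the [..] is not treated as a glob pattern
) 2>&1 | logger -t "$(basename "$0")[$$]"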