ddwrt-guest-firewall.sh

1. #!/bin/sh
2. GUEST_NET="192.168.2.0/24" # <-- must match guest ip network
3. GUEST_IF="br1" # <-- must match guest network interface (br1, wl0.1, etc.)
4.  
5. WAN_IF="$(ip route | awk '/^default/{print $NF}')"
6.  
7. PORT_DHCP="67"
8. PORT_DNS="53"
9.  
10. # limit guests to essential router services (icmp, dns, dhcp)
11. iptables -I INPUT -i $GUEST_IF -j REJECT
12. iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
13. iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
14. iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
15. iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
16.  
17. # deny access to private network by guests (internet only)
18. iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT
19.  
20. # allow access to printer on private network (optional, just an example)
21. iptables -I FORWARD -i $GUEST_IF -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
22.     -m state --state NEW -j ACCEPT
23.  
24. # deny access to guests by private network (optional)
25. iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j REJECT
26.  
27. # nat guest network over WAN (internet)
28. iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE