eibgrad

ddwrt-guest-firewall.sh

Jan 18th, 2016
  1. #!/bin/sh
  2. GUEST_NET="192.168.2.0/24" # <-- must match guest ip network
  3. GUEST_IF="br1" # <-- must match guest network interface (br1, wl0.1, etc.)
  4.  
  5. WAN_IF="$(ip route | awk '/^default/{print $NF}')"
  6.  
  7. PORT_DHCP="67"
  8. PORT_DNS="53"
  9.  
  10. # limit guests to essential router services (icmp, dns, dhcp)
  11. iptables -I INPUT -i $GUEST_IF -j REJECT
  12. iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
  13. iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
  14. iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
  15. iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
  16.  
  17. # deny access to private network by guests (internet only)
  18. iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT
  19.  
  20. # allow access to printer on private network (optional, just an example)
  21. iptables -I FORWARD -i $GUEST_IF -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
  22.     -m state --state NEW -j ACCEPT
  23.  
  24. # deny access to guests by private network (optional)
  25. iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j REJECT
  26.  
  27. # nat guest network over WAN (internet)
  28. iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE