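#!/bin/sh
# Guest-network (br0) firewall rules for an nvram-based router.
#
# Reads the WAN interface and address from nvram, limits guests on br0 to the
# router's essential services (icmp, dhcp, dns), and blocks guest access to the
# private networks, except for one explicitly listed device (a printer, as an
# example). Every rule is added with -I, so each one lands above the rules
# inserted before it: the br0 REJECT goes in first and the ACCEPTs end up above it.
#
# Environment (optional): PRINTER_IP, PRINTER_PORT override the example device.
# Exits 1 if the required nvram values are empty.

WAN_IF="$(nvram get wan_iface)"
WAN_IP="$(nvram get wan_ipaddr)"
WAN_MASK="$(nvram get wan_netmask)"
PORT_DHCP="67"
PORT_DNS="53"
# guest-reachable device on the private network (optional, just an example)
PRINTER_IP="${PRINTER_IP:-192.168.1.100}"
PRINTER_PORT="${PRINTER_PORT:-9100}"

# An empty nvram value would silently yield malformed rules (e.g. "-i" with no
# interface, or a "-d /mask" target), so refuse to continue instead.
if [ -z "$WAN_IF" ] || [ -z "$WAN_IP" ] || [ -z "$WAN_MASK" ]; then
  printf '%s\n' "wan_iface, wan_ipaddr and wan_netmask must be set in nvram" >&2
  exit 1
fi
WAN_NET="$WAN_IP/$WAN_MASK"

# allow administrative access from wan (prevents lockout)
# NOTE: this accepts every NEW connection arriving on the WAN interface, not
# only management traffic. If the WAN side faces the Internet, narrow it with
# -s <management network> and/or --dport <management port> before deploying.
iptables -I INPUT -i "$WAN_IF" -m state --state NEW -j ACCEPT

# limit guests to essential router services (icmp, dhcp, dns)
# The REJECT is inserted first so the ACCEPTs below it end up ahead of it.
iptables -I INPUT -i br0 -j REJECT
iptables -I INPUT -p icmp -i br0 -j ACCEPT
iptables -I INPUT -p udp -i br0 --dport "$PORT_DHCP" -j ACCEPT
iptables -I INPUT -p tcp -i br0 --dport "$PORT_DNS" -j ACCEPT
iptables -I INPUT -p udp -i br0 --dport "$PORT_DNS" -j ACCEPT

# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d "$WAN_NET" -m state --state NEW -j REJECT

# deny access to all other private networks by guests (internet only)
iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 172.16.0.0/12 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 10.0.0.0/8 -m state --state NEW -j REJECT

# allow access to printer on private network by guests (optional, just an example)
# Inserted last so it sits above the private-network REJECTs.
iptables -I FORWARD -i br0 -p tcp -d "$PRINTER_IP" --dport "$PRINTER_PORT" \
  -m state --state NEW -j ACCEPT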