tomato-ap-firewall.sh

#!/bin/sh
(
set -x # uncomment/comment to enable/disable debug mode

# private network (br0)
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"

# guest network (br1)
LAN1_IP="$(nvram get lan1_ipaddr)"
LAN1_NET="$LAN1_IP/$(nvram get lan1_netmask)"

PORT_DHCP="67"
PORT_DNS="53"
PORT_CP="$(nvram get NC_GatewayPort)" # nocatsplash captive portal
PORT_LPT="9100"

ipt() {
    local rule="$@"

    # precede insert/append w/ deletion to avoid dups
    iptables ${rule/-[IA]/-D} 2>/dev/null
    iptables $rule
}

# limit guests to essential router services
ipt -I INPUT -i br1 -j REJECT
ipt -I INPUT -p icmp -i br1 -j ACCEPT
ipt -I INPUT -p tcp -i br1 --dport $PORT_DNS -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport $PORT_DNS -j ACCEPT
ipt -I INPUT -p udp -i br1 --dport $PORT_DHCP -j ACCEPT

# allow access (redirect) to nocatsplash captive portal by guests
[ $PORT_CP ] && ipt -I INPUT -i br1 -p tcp --dport $PORT_CP -j ACCEPT

# move state rules of INPUT chain back to the top
ipt -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I INPUT -m state --state INVALID -j DROP

# allow routing through private network by guests
ipt -I FORWARD -i br1 -o br0 -j ACCEPT

# deny access to destinations on the private network by guests
ipt -I FORWARD -i br1 -d $LAN_NET -j REJECT

# deny access to all other private networks by guests
ipt -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT
ipt -I FORWARD -i br1 -d 172.16.0.0/12 -j REJECT
ipt -I FORWARD -i br1 -d 10.0.0.0/8 -j REJECT

# allow access to workgroup/network printer(s) of private network by guests
ipt -I FORWARD -p tcp -i br1 --dport $PORT_LPT -j ACCEPT

# move state rules of FORWARD chain back to the top
ipt -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -I FORWARD -m state --state INVALID -j DROP

# nat the guest network over the private network
ipt -t nat -A POSTROUTING -s $LAN1_NET -o br0 -j SNAT --to $LAN_IP

) 2>&1 | logger -t $(basename $0)[$$]