  1. #!/bin/sh
  2. PORT_DHCP="67"
  3. PORT_DNS="53"
  4.  
  5. STATE_NEW="-m state --state NEW"
  6. REJECT="REJECT --reject-with icmp-host-prohibited"
  7. REJECT_TCP="REJECT --reject-with tcp-reset"
  8.  
  9. # limit guests to essential router services (icmp echo/reply, dhcp, dns)
  10. iptables -I INPUT         -i br1 $STATE_NEW -j $REJECT
  11. iptables -I INPUT -p tcp  -i br1 $STATE_NEW -j $REJECT_TCP
  12. iptables -I INPUT -p icmp -i br1 -j ACCEPT
  13. iptables -I INPUT -p tcp  -i br1 --dport $PORT_DNS -j ACCEPT
  14. iptables -I INPUT -p udp  -i br1 --dport $PORT_DNS -j ACCEPT
  15. iptables -I INPUT -p udp  -i br1 --dport $PORT_DHCP -j ACCEPT
  16.  
  17. # deny access to private network by guests (internet only)
  18. iptables -I FORWARD        -i br1 -o br0 $STATE_NEW -j $REJECT
  19. iptables -I FORWARD -p tcp -i br1 -o br0 $STATE_NEW -j $REJECT_TCP
  20.  
  21. # deny access to guests by private network (optional)
  22. iptables -I FORWARD        -i br0 -o br1 $STATE_NEW -j $REJECT
  23. iptables -I FORWARD -p tcp -i br0 -o br1 $STATE_NEW -j $REJECT_TCP