View difference between Paste ID: r4u62P0B and VWuQ7vLN
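--- a/r4u62P0B
+++ b/VWuQ7vLN
@@ -1,28 +1,28 @@
 #!/bin/sh
 GUEST_NET="192.168.2.0/24" # <-- must match guest ip network
 GUEST_IF="br1" # <-- must match guest network interface (br1, wl0.1, etc.)
 
-STATE_NEW="-m state --state NEW"
-REJECT="REJECT --reject-with icmp-host-prohibited"
-REJECT_TCP="REJECT --reject-with tcp-reset"
+WAN_IF="$(ip route | awk '/^default/{print $NF}')"
+
+
 PORT_DNS="53"
-# limit guests to essential router services (icmp echo/reply, dhcp, dns)
-iptables -I INPUT         -i br1 $STATE_NEW -j $REJECT
-iptables -I INPUT -p tcp  -i br1 $STATE_NEW -j $REJECT_TCP
-iptables -I INPUT -p icmp -i br1 -j ACCEPT
-iptables -I INPUT -p tcp  -i br1 --dport $PORT_DNS -j ACCEPT
-iptables -I INPUT -p udp  -i br1 --dport $PORT_DNS -j ACCEPT
-iptables -I INPUT -p udp  -i br1 --dport $PORT_DHCP -j ACCEPT
+
+# limit guests to essential router services (icmp, dns, dhcp)
+iptables -I INPUT -i $GUEST_IF -j REJECT
+iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
+iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
+iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
+iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
 
 # deny access to private network by guests (internet only)
-iptables -I FORWARD        -i br1 -o br0 $STATE_NEW -j $REJECT
-iptables -I FORWARD -p tcp -i br1 -o br0 $STATE_NEW -j $REJECT_TCP
+iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT
+
 # allow access to printer on private network (optional, just an example)
 iptables -I FORWARD -i $GUEST_IF -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
-iptables -I FORWARD        -i br0 -o br1 $STATE_NEW -j $REJECT
-iptables -I FORWARD -p tcp -i br0 -o br1 $STATE_NEW -j $REJECT_TCP
+    -m state --state NEW -j ACCEPT
+
 # deny access to guests by private network (optional)
 iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j REJECT
 
 # nat guest network over WAN (internet)
 iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE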
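Review bot: Line 13+ uses `--dport $PORT_DHCP`, but no line of the new version assigns `PORT_DHCP` — lines 1–13 are all in view and the only port variable set is `PORT_DNS="53"` on line 8 — so the expansion is empty, iptables refuses that rule, and the DHCP ACCEPT is never installed while the catch-all `iptables -I INPUT -i $GUEST_IF -j REJECT` on line 11+ is; guest DHCP requests on the router would then most likely be rejected. Adding `PORT_DHCP="67"` beside `PORT_DNS="53"` fixes it (the removed line 15- carried the same undefined reference, so the bug is inherited rather than introduced by this change). Separately, the new `WAN_IF` on line 5+ takes the last field of the default route, which is the interface name only when `dev X` is the final token; on routes that end in `proto`/`metric` fields, or when two default routes exist, the MASQUERADE on line 28 gets a wrong or multi-word `-o` argument and the guest NAT silently does not apply. Selecting the field after `dev`, e.g. `awk '/^default/{for(i=1;i<=NF;i++)if($i=="dev"){print $(i+1);exit}}'`, and quoting `"$WAN_IF"` where it is used avoids that.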