ddwrt-guest-firewall.sh

#!/bin/sh
GUEST_NET="192.168.2.0/24" # <-- must match guest ip network
GUEST_IF="br1" # <-- must match guest network interface (br1, wl0.1, etc.)

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

PORT_DHCP="67"
PORT_DNS="53"

# limit guests to essential router services (icmp, dns, dhcp)
iptables -I INPUT -i $GUEST_IF -j REJECT
iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT

# deny access to private network by guests (internet only)
iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT

# allow access to printer on private network (optional, just an example)
iptables -I FORWARD -i $GUEST_IF -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
    -m state --state NEW -j ACCEPT

# deny access to guests by private network (optional)
iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j REJECT

# nat guest network over WAN (internet)
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE