@supermarsx
Created February 4, 2024 00:01
Iptables notes, tomato
# NAT between bridges and WAN masquerading (br1 = guest bridge, br0 = private LAN bridge)
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to 10.0.0.1
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# allow new connections from br1, except into br0
# -I inserts at the top, so the DROP issued second ends up above the ACCEPT and wins;
# -A appends at the bottom, where the ACCEPT above would shadow it, so use one form only
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -A FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# keep guests off the router's own services (web ui, ssh, telnet)
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dports 80,443,22,23 -j DROP

# drop guest traffic aimed at the router's addresses on the private subnets
# (-d, not -p: -p selects the protocol and does not accept a subnet; multiport also needs -p tcp)
iptables -I INPUT -i br1 -d 192.168.0.0/24 -j DROP
iptables -I INPUT -i br1 -d 192.168.1.0/24 -j DROP
iptables -I INPUT -i br1 -d 192.168.2.0/24 -j DROP
iptables -I INPUT -i br1 -d 192.168.0.0/24 -p tcp -m multiport --dports 22,23,443,80 -j DROP
iptables -I INPUT -i br1 -d 192.168.1.0/24 -p tcp -m multiport --dports 22,23,443,80 -j DROP
iptables -I INPUT -i br1 -d 192.168.2.0/24 -p tcp -m multiport --dports 22,23,443,80 -j DROP

# forward between the bridges in both directions, but never to/from the private subnet
iptables -t filter -I FORWARD 1 -i br1 -o br0 ! -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -I FORWARD 2 -i br0 -o br1 ! -s 192.168.0.0/24 -j ACCEPT

# same idea using the configured LAN address/netmask instead of a hard-coded subnet
# (iptables accepts address/dotted-mask, so lan_ipaddr/lan_netmask works as-is)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
# source-NAT traffic leaving via br1 to the router's LAN address
iptables -t nat -I POSTROUTING -o br1 -j SNAT --to `nvram get lan_ipaddr`

# router itself: reject new connections from guests, then insert the dns/dhcp ACCEPT above it
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
#!/bin/sh
# Tomato firewall script: isolate the guest bridge (br1) from the private LAN (br0).
# Every rule is added with -I (insert at the top), so within each group the LAST
# command is matched FIRST: the catch-all REJECT is issued before the ACCEPTs on purpose.
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"   # iptables accepts address/dotted-mask
PRIVATE_IF="br0"
GUEST_IF="br1"
PORT_DHCP="67"
PORT_DNS="53"
# $STATE_NEW, $REJECT and $REJECT_TCP are deliberately left unquoted below so the
# shell splits them into separate iptables arguments
STATE_NEW="-m state --state NEW"
REJECT="REJECT --reject-with icmp-host-prohibited"
REJECT_TCP="REJECT --reject-with tcp-reset"   # RST instead of ICMP so tcp clients fail fast
# limit guests to essential router services (icmp, dhcp, dns)
# note: the icmp rule admits every icmp type, not only echo request/reply
iptables -I INPUT -i $GUEST_IF -j $REJECT
iptables -I INPUT -p tcp -i $GUEST_IF -j $REJECT_TCP
iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
iptables -I INPUT -p udp -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
iptables -I INPUT -p tcp -i $GUEST_IF --dport $PORT_DNS -j ACCEPT
iptables -I INPUT -p udp -i $GUEST_IF --dport $PORT_DNS -j ACCEPT
# deny access to private network by guests (internet only); established flows
# started from the LAN side are still allowed since only NEW is rejected
iptables -I FORWARD -i $GUEST_IF -d $LAN_NET $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i $GUEST_IF -d $LAN_NET $STATE_NEW -j $REJECT_TCP
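Because every rule in the script above is added with -I, the catch-all REJECT has to be issued first so that the dhcp/dns ACCEPTs land above it; swapping -I for -A, or re-running only part of the script after a firewall restart, leaves the catch-all on top and silently kills dhcp and dns for guests. The check below is an added example, not part of the gist: it reads `iptables -S INPUT` style output, finds the first catch-all REJECT/DROP for the guest interface (a rule with no -p and no --dport) and flags any ACCEPT for that interface sitting below it. The two rule listings embedded in it are constructed for the demo, not captured from a router; the interface name br1 is the one used in the notes.

```shell
#!/bin/sh
# Added example (not from the gist): verify that the guest-interface INPUT rules
# ended up in the intended order. Reads `iptables -S INPUT` style output on stdin
# and reports any ACCEPT for the interface that sits below the first catch-all
# REJECT/DROP (a rule with no -p and no --dport), which would shadow it.

# check_guest_order IFACE < rules   -> prints "ok" and returns 0, or lists the
#                                      shadowed rules and returns 1
check_guest_order() {
    awk -v ifc="$1" '
        # consider only rules that match on the guest interface
        index($0, "-i " ifc " ") > 0 {
            n++
            # catch-all: terminating target with no protocol or port restriction
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /-p / && $0 !~ /--dport/) {
                if (!catchall) catchall = n
            }
            # an ACCEPT listed after the catch-all can never be reached
            if ($0 ~ /-j ACCEPT/ && catchall) {
                print "shadowed: " $0
                bad = 1
            }
        }
        END {
            if (!catchall) { print "no catch-all REJECT/DROP for " ifc; exit 1 }
            if (bad) exit 1
            print "ok"
        }'
}

# Constructed listing: what the gist script produces when run as written (-I,
# catch-all issued first, so the ACCEPTs are inserted above it).
sample_good() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i br1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p icmp -j ACCEPT
-A INPUT -i br1 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i br0 -j ACCEPT
EOF
}

# Constructed listing: the same commands with -I replaced by -A. The catch-all
# is now on top and dhcp/dns for guests are dead without any error message.
sample_bad() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i br1 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i br1 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p icmp -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
EOF
}

# On the router:  iptables -S INPUT | sh check_guest_order.sh br1
# With no argument the script checks the two constructed listings instead.
if [ $# -gt 0 ]; then
    iptables -S INPUT | check_guest_order "$1"
else
    echo "good listing:"; sample_good | check_guest_order br1
    echo "bad listing:";  sample_bad  | check_guest_order br1 || true
fi
```

The same shadowing applies to the FORWARD rules: if the script is ever changed to append, the `-d $LAN_NET` REJECT would sit below any earlier broad ACCEPT for br1 and guests would reach the LAN again, so re-run the check after every change to the firewall script rather than trusting that the commands ran without error.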