DD-WRT Startup script with host blocking (MAC-Address based) during "sleep hours"
#!/bin/sh
# DD-WRT startup hook: give the system a moment to settle, build the ebtables
# and iptables rule sets, then let check_consist.sh apply the sleep-hours
# block if the current time is already inside the window.
sleep 5
for setup in /tmp/ebt_setup.sh /tmp/fw_setup.sh; do
  "$setup"
done
sleep 5
/tmp/check_consist.sh
exit 0
#!/bin/sh
# Load the bridge-netfilter modules the generated scripts rely on: the
# ebtables core, its filter table, and the IPv4 match behind `--ip-src`.
# The kernel version in the path is pinned to this firmware build.
MODDIR=/lib/modules/3.10.2/kernel/net/bridge/netfilter
for mod in ebtables ebtable_filter ebt_ip; do
  insmod "$MODDIR/$mod.ko"
done
# Reverse-path filtering on all interfaces (1 = strict mode).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
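# Quoted delimiter: the body is written literally, so the generated script
# no longer needs every `$` and backtick escaped.
cat > /tmp/ebt_setup.sh <<'EOF'
#!/bin/sh
# Build the layer-2 (ebtables) rules for the "restricted" hosts.
# A restricted host is a dnsmasq static lease whose name carries the "-R,"
# tag in /tmp/dnsmasq.conf (dhcp-host=MAC,NAME-R,IP); fields 1 and 3 after
# the '=' give MAC and IP.
# NOTE: everything below keys on the client's MAC address, which the client
# can change; treat this as a parental-control convenience, not a security
# boundary.
grep -F -- '-R,' /tmp/dnsmasq.conf | awk -F"=" '{ print $2 }' | awk -F"," '{ print $1","$3 }' > /tmp/restricted_macaddr_hosts
awk -F"," '{ print $1 }' /tmp/restricted_macaddr_hosts > /tmp/restricted_macaddr
# Start from an empty filter table: flush every chain, then drop user chains.
ebtables -F
ebtables -X
ebtables -N blocked_hosts
# Pin each restricted MAC to its static IPv4 address (IPv4 frames only):
# the MAC may not send from another IP, and the IP may not come from
# another MAC.
while IFS= read -r pair; do
  [ -n "$pair" ] || continue
  M=${pair%%,*}
  H=${pair#*,}
  ebtables -A FORWARD -p IPv4 --ip-src ! "$H" -s "$M" -j DROP
  ebtables -A FORWARD -p IPv4 --ip-src "$H" -s ! "$M" -j DROP
done < /tmp/restricted_macaddr_hosts
# blocked_hosts drops every frame from a restricted MAC; it only takes
# effect once net_disable.sh links it into INPUT/FORWARD.
while IFS= read -r mac; do
  [ -n "$mac" ] || continue
  ebtables -A blocked_hosts -s "$mac" -j DROP
done < /tmp/restricted_macaddr
EOF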
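cat > /tmp/fw_setup.sh <<'EOF'
#!/bin/sh
# Rebuild the router's iptables INPUT chain and the UPnP block list.
# Policies are opened first so an aborted run leaves the router reachable;
# the cost is that INPUT is briefly wide open between the flush below and
# the DROP policy set at the end.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F INPUT
# upnp_bl: drops SSDP discovery and the UPnP control ports used here.
# Flush the chain before deleting it: -X refuses a non-empty chain, and
# when it failed on a re-run the -N failed too and the rules below were
# appended a second time.
iptables -F upnp_bl 2>/dev/null
iptables -X upnp_bl 2>/dev/null
iptables -N upnp_bl
iptables -A upnp_bl -p udp --dport 1900 -j DROP
iptables -A upnp_bl -p tcp --dport 1780 -j DROP
iptables -A upnp_bl -p tcp --dport 2869 -j DROP
iptables -A upnp_bl -p tcp --dport 5000 -j DROP
iptables -A upnp_bl -p tcp --dport 6010 -j DROP
# trigger_out is presumably a firmware-managed chain; each run appends one
# more RETURN to it - TODO confirm this is intended.
iptables -A trigger_out -j RETURN
# TCP/1900 from eth0 is dropped (SSDP itself is UDP, which upnp_bl covers
# on the LAN side - confirm TCP is what was meant here). The 192.168.4.32/28
# range gets the UPnP block list; presumably the restricted hosts' static
# addresses - verify against the dnsmasq leases.
iptables -A INPUT -i eth0 -p tcp --dport 1900 -j DROP
iptables -A INPUT -i br0 -s 192.168.4.32/28 -j upnp_bl
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# SSH to the router's LAN address arriving on eth0. NOTE(review): if eth0 is
# the WAN port this exposes SSH to the internet; add a -s restriction or
# remove the rule unless remote SSH is wanted - confirm eth0's role here.
iptables -A INPUT -p tcp -i eth0 -d 192.168.4.1 --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF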
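cat > /tmp/net_disable.sh <<'EOF'
#!/bin/sh
# Activate sleep-hours blocking: link blocked_hosts into the bridge INPUT
# and FORWARD chains. A chain that already carries the jump is skipped, so
# repeated runs (cron plus a manual call) do not stack duplicate rules that
# a single net_enable.sh delete would leave behind.
for chain in INPUT FORWARD; do
  if [ "$(ebtables -L "$chain" | grep -c blocked_hosts)" -eq 0 ]; then
    ebtables -I "$chain" -j blocked_hosts
  fi
done
/bin/date > /tmp/net_disable.lastrun
EOF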
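cat > /tmp/net_enable.sh <<'EOF'
#!/bin/sh
# Deactivate sleep-hours blocking: remove every blocked_hosts jump from the
# bridge FORWARD and INPUT chains. -D removes one matching rule per call, so
# loop until none is left; a stray jump would keep the hosts blocked.
for chain in FORWARD INPUT; do
  while ebtables -D "$chain" -j blocked_hosts 2>/dev/null; do :; done
done
/bin/date > /tmp/net_enable.lastrun
EOF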
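cat > /tmp/check_consist.sh <<'EOF'
#!/bin/sh
# Enforce the sleep-hours block if it is not already active (meant to be run
# from cron). The window ends at 07:00 every day and starts at 01:30, or at
# 00:30 on weekday 7.
# Only the ebtables INPUT chain is inspected; net_disable.sh links both
# INPUT and FORWARD.
makeCheck() {
  if [ "$(ebtables -L INPUT | grep -c blocked_hosts)" -eq 0 ]; then
    /tmp/net_disable.sh
  fi
}
# dateField FORMAT -> the field as a plain decimal. A leading zero is
# stripped so "08"/"09" are not read as invalid octal by the shell, and an
# empty result ("00") becomes 0.
dateField() {
  f=$(/bin/date +"$1")
  f=${f#0}
  printf '%s\n' "${f:-0}"
}
# inSleepWindow HOUR MINUTE WEEKDAY -> exit 0 when blocking should be on.
# WEEKDAY uses date's %u numbering (1 = Monday ... 7 = Sunday). The original
# compared %w (0-6) against 7, so its early-start branch never fired, and its
# "after 01:30" test (HOUR >= 1 && MINUTE >= 30) only matched the second half
# of every hour. NOTE(review): confirm Sunday is the intended 00:30 day; an
# earlier weekday-only variant (WEEKDAY 1..5) was left commented out.
inSleepWindow() {
  hr=$1
  mi=$2
  wd=$3
  [ "$hr" -lt 7 ] || return 1
  if [ "$wd" -eq 7 ]; then
    # from 00:30
    [ "$hr" -ge 1 ] || [ "$mi" -ge 30 ]
  else
    # from 01:30: hour 2..6, or hour 1 at minute 30 or later
    [ "$hr" -ge 2 ] || { [ "$hr" -eq 1 ] && [ "$mi" -ge 30 ]; }
  fi
}
if inSleepWindow "$(dateField %H)" "$(dateField %M)" "$(dateField %u)"; then
  makeCheck
fi
/bin/date > /tmp/check_consist.lastrun
EOF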
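# Make the generated helpers executable. 0755 is all root and cron need;
# the previous 0777 left scripts that run as root world-writable.
for helper in ebt_setup fw_setup net_disable net_enable check_consist; do
  chmod 0755 "/tmp/$helper.sh"
done
exit 0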