dd-wrt firewall
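# ----------------------
#--- IPTABLES START ---
# ----------------------
#
# DD-WRT custom firewall script (pasted into the router's Firewall box).
# It runs under busybox sh, so it stays POSIX: no arrays, no [[ ]].
# iptables calls are deliberately left unchecked so that one failing rule
# does not stop the remainder of the policy from being applied.
#
# DEFINES:
LAN_IP=$(nvram get lan_ipaddr)
WAN_IP=$(nvram get wan_ipaddr)
# NOTE: if wan_ipaddr is empty when this runs (WAN not up yet) the -d "$WAN_IP"
# rules below fail to parse and are simply not installed.
#
# Remote address allowed to reach the router itself (web admin / ssh).
# Left as a placeholder: the ALL_ACCEPT rule for it is skipped until a real
# address is filled in, rather than failing with an iptables parse error.
REMOTE_ADMIN_IP="xxx.xxx.xxx.xxx"
# ---
# Create ALL_ACCEPT chain.
# `iptables -P` only applies to built-in chains and fails on user-defined
# ones ("Bad built-in chain name"), so no policy is set here; a packet that
# matches nothing in ALL_ACCEPT returns to INPUT and continues from there.
iptables -N ALL_ACCEPT
# Insert ALL_ACCEPT chain on top of INPUT rules:
iptables -I INPUT -j ALL_ACCEPT
# Create NAT chain (user-defined, same note as above about -P):
iptables -N NAT
# Insert NAT chain on top of INPUT and FORWARD rules:
iptables -I INPUT -j NAT
iptables -I FORWARD -j NAT
# ---
# private subnets (anything FROM these subnets)
# NOTE: this match is not bound to an interface, so a packet arriving on the
# WAN side with a spoofed 192.168.x source also matches; pin it with
# `-i <lan interface>` if reverse-path filtering is not already doing that job.
iptables -A ALL_ACCEPT -s 192.168.0.0/16 -j ACCEPT
# Allowing any remote IP subnets to access DD-WRT:
case "$REMOTE_ADMIN_IP" in
  *x*|"") ;;  # placeholder still in place -- rule intentionally skipped
  *) iptables -A ALL_ACCEPT -s "$REMOTE_ADMIN_IP" -j ACCEPT ;;
esac
# ---
# WebAdmin (please disable DD-WRT Remote Access feature from the web interface
# if you are only allowing the above IP's)
# Only the DNAT is installed; the matching INPUT accept is intentionally left
# to ALL_ACCEPT, so only the sources listed above reach the admin UI.
iptables -t nat -I PREROUTING -p tcp -d "$WAN_IP" --dport 8080 -j DNAT --to-destination "$LAN_IP:443"
# WebAdmin (Allow from all IP's)
#iptables -t nat -I PREROUTING -p tcp -d "$WAN_IP" --dport 8080 -j DNAT --to "$LAN_IP:443"
#iptables -I NAT -p tcp -d "$WAN_IP" --dport 443 -j ACCEPT
# SSH
#iptables -t nat -I PREROUTING -p tcp -m tcp -d "$WAN_IP" --dport 2122 -j DNAT --to-destination 192.168.1.21:22
# SSH (Allow from all IP's)
#iptables -t nat -I PREROUTING -p tcp -m tcp -d "$WAN_IP" --dport 2122 -j DNAT --to-destination 192.168.1.21:22
#iptables -I NAT -p tcp -d 192.168.1.21 --dport 22 -j ACCEPT
# ---
# SERVER ssh for servers inside DD-WRT network (you can migrate your rules from
# the DD-WRT Port Forwarding rules here if you are only allowing access from above IP's)
# NOTE: the NAT accept below carries no -s match, so this forward is reachable
# from any source regardless of ALL_ACCEPT; add `-s "$REMOTE_ADMIN_IP"` to it
# if the host should only be reachable from the address allowed above.
iptables -t nat -I PREROUTING -p tcp -d "$WAN_IP" --dport 22 -j DNAT --to-destination 10.1.1.30:22
iptables -I NAT -p tcp -d 10.1.1.30 --dport 22 -j ACCEPT
# Block youtube cdn's that TWC throttles
for cdn in 206.111.0.0/21 206.111.8.0/22 206.111.12.0/23 173.194.55.0/24; do
  iptables -I FORWARD -s 192.168.1.0/24 -d "$cdn" -j REJECT
done
#UNDO
#iptables -D FORWARD -s 192.168.1.0/24 -d 206.111.0.0/16 -j REJECT
#etc
# ---------------------
#--- IPTABLES END ---
# ---------------------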