DD-WRT Firewall Script
# Note on ordering: every rule below uses `iptables -I`, which inserts at the
# top of the chain. The chain is therefore evaluated in the REVERSE of the order
# written here, so the DROP rules added later end up above the broad ACCEPT
# rules added first. Do not change -I to -A without reordering the script.

# Enable NAT on the WAN port to correct a bug in builds over 17000
# (SNAT binds to the WAN address at script run time; if the WAN address
# changes, the script must be re-run for this rule to stay correct)
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Clamp TCP MSS to the path MTU so PPPoE/VPN uplinks do not break large segments
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Restrict br1 from accessing br0 (inserted above the ACCEPT, so it wins)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Restrict br1 from accessing the WAN subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

# Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# Allow br1 to access DHCP on the router (inserted above the INPUT DROP)
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

# Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Block br1 from accessing Skype authentication servers
# (no --state match, so these also drop already-established flows)
iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
iptables -I FORWARD -i br1 -d 111.221.77.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.130.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.235.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.56.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.56.52.0/24 -j DROP
iptables -I FORWARD -i br1 -d 194.165.188.0/24 -j DROP
iptables -I FORWARD -i br1 -d 195.46.253.0/24 -j DROP
iptables -I FORWARD -i br1 -d 213.199.179.0/24 -j DROP
iptables -I FORWARD -i br1 -d 63.245.217.0/24 -j DROP
iptables -I FORWARD -i br1 -d 64.4.23.0/24 -j DROP
iptables -I FORWARD -i br1 -d 65.55.223.0/24 -j DROP
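The script's guest isolation only works because `iptables -I` prepends, so the DROP rules written later are evaluated before the broad ACCEPT written first. The following added example (not part of the gist) models that first-match evaluation for the FORWARD rules above and checks what a guest packet to the LAN, to the internet and to a blocked Skype range would hit, with `-I` versus `-A`. The WAN address 203.0.113.5/255.255.255.0, the interface name vlan2 and the packet addresses are constructed; the TCPMSS rule is omitted because it does not terminate evaluation.

```python
import ipaddress

# FORWARD rules as the gist issues them (top to bottom). The WAN address is a
# constructed stand-in for `nvram get wan_ipaddr`/`nvram get wan_netmask`;
# only the first Skype range is kept, the other eleven behave identically.
SCRIPT_FORWARD_RULES = [
    {"in": "br1", "state": "NEW", "target": "ACCEPT"},
    {"in": "br1", "out": "br0", "state": "NEW", "target": "DROP"},
    {"in": "br1", "dst": "203.0.113.5/255.255.255.0", "state": "NEW",
     "target": "DROP"},
    {"in": "br1", "dst": "111.221.74.0/24", "target": "DROP"},
]


def build_chain(script_rules, insert=True):
    """Return the chain in evaluation order. `iptables -I` puts each new
    rule at position 1, so the script's order is reversed; `-A` keeps it."""
    chain = []
    for rule in script_rules:
        if insert:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    """Match the subset of options the gist uses: -i, -o, -d, --state."""
    if rule.get("in", pkt["in"]) != pkt["in"]:
        return False
    if rule.get("out", pkt["out"]) != pkt["out"]:
        return False
    if "dst" in rule:
        net = ipaddress.ip_network(rule["dst"], strict=False)
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    return rule.get("state", pkt["state"]) == pkt["state"]


def verdict(chain, pkt, policy="DROP"):
    """First match wins; `policy` stands in for the SPI firewall default."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed packets: guest -> LAN, guest -> internet, guest -> Skype range.
TO_LAN = {"in": "br1", "out": "br0", "dst": "192.168.1.10", "state": "NEW"}
TO_INTERNET = {"in": "br1", "out": "vlan2", "dst": "198.51.100.7", "state": "NEW"}
TO_SKYPE = {"in": "br1", "out": "vlan2", "dst": "111.221.74.9", "state": "ESTABLISHED"}

if __name__ == "__main__":
    for name, pkt in [("lan", TO_LAN), ("internet", TO_INTERNET), ("skype", TO_SKYPE)]:
        print(name, "-I:", verdict(build_chain(SCRIPT_FORWARD_RULES), pkt),
              "-A:", verdict(build_chain(SCRIPT_FORWARD_RULES, insert=False), pkt))
```

Running it shows the LAN packet dropped with `-I` but accepted if the same lines were applied with `-A`, which is the mistake to check for when adapting this script.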