stevejenkins/firewall_skype.sh

## firewall_skype.sh
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#Restrict br1 from accessing br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

#Restrict br1 from accessing the WAN subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

#Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP

#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

#Block br1 from accessing Skype authentication servers
iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
iptables -I FORWARD -i br1 -d 111.221.77.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.130.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.235.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.55.56.0/24 -j DROP
iptables -I FORWARD -i br1 -d 157.56.52.0/24 -j DROP
iptables -I FORWARD -i br1 -d 194.165.188.0/24 -j DROP
iptables -I FORWARD -i br1 -d 195.46.253.0/24 -j DROP
iptables -I FORWARD -i br1 -d 213.199.179.0/24 -j DROP
iptables -I FORWARD -i br1 -d 63.245.217.0/24 -j DROP
iptables -I FORWARD -i br1 -d 64.4.23.0/24 -j DROP
iptables -I FORWARD -i br1 -d 65.55.223.0/24 -j DROP
	#Enable NAT on the WAN port to correct a bug in builds over 17000
	iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

	#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
	iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
	iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

	#Restrict br1 from accessing br0
	iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

	#Restrict br1 from accessing the WAN subnet
	iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

	#Restrict br1 from accessing the router's local sockets
	iptables -I INPUT -i br1 -m state --state NEW -j DROP

	#Allow br1 to access DHCP on the router
	iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

	#Allow br1 to access DNS on the router
	iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
	iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

	#Block br1 from accessing Skype authentication servers
	iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 111.221.77.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 157.55.130.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 157.55.235.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 157.55.56.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 157.56.52.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 194.165.188.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 195.46.253.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 213.199.179.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 63.245.217.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 64.4.23.0/24 -j DROP
	iptables -I FORWARD -i br1 -d 65.55.223.0/24 -j DROP