Firewall configuration

I like routers that can be flashed with the open source DD-WRT or OpenWRT operating systems, like the famous Linksys WRT54GL or - when it comes to newer ones :-) - the TP-LINK WR1043ND, a really nice and cheap gigabit ethernet wireless N router.

I often use the VLAN features of these boxes, for example to create a guest (W)LAN, which then has to be separated from the production (W)LAN. This can easily be done by setting the correct firewall rules in the *WRT software. In the following example we have a br0 interface (eth1 and vlan0 bridged) for the production LAN, vlan1 for WAN access and vlan2 for the guest (W)LAN.

# prohibit router access from guest vlan
iptables -I INPUT -i vlan2 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP

# let replies to already allowed connections through; without this rule
# the catch-all DROP at the end would also stop the traffic coming back
# from the internet to both vlans
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow internet access for production vlan
iptables -I FORWARD 2 -i br0 -o vlan1 -j ACCEPT

# deny access from production to guest vlan
iptables -I FORWARD 3 -i br0 -o vlan2 -j DROP

# deny access from guest to production vlan
iptables -I FORWARD 4 -i vlan2 -o br0 -j DROP

# allow internet access for guest vlan
iptables -I FORWARD 5 -i vlan2 -o vlan1 -j ACCEPT

# what's not allowed is forbidden ("ANY" is not a valid interface name;
# a rule without -i/-o simply matches every interface)
iptables -I FORWARD 6 -j DROP
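To check such a policy before loading it on the router, here is a small first-match model of the FORWARD chain the rules above build (an added example, not code from the post or from DD-WRT/OpenWRT). It assumes a chain policy of ACCEPT when nothing matches and constructs its own test flows; it also shows why a reply coming back from vlan1 to br0 only passes when a state rule sits ahead of the catch-all DROP.

```python
"""First-match model of an iptables FORWARD chain (added example).
Mimics iptables semantics: first matching rule wins, `-I CHAIN N` inserts
at 1-based position N. Interface names br0/vlan1/vlan2 are the post's;
the chain policy (ACCEPT) and the flows below are assumptions."""
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    target: str                   # ACCEPT or DROP
    in_if: Optional[str] = None   # -i  (None = any interface)
    out_if: Optional[str] = None  # -o  (None = any interface)
    state: Optional[str] = None   # -m state --state (None = stateless)

class Flow(NamedTuple):
    in_if: str
    out_if: str
    state: str  # NEW for a first packet, ESTABLISHED for a reply

def matches(rule: Rule, flow: Flow) -> bool:
    return all(want is None or want == have for want, have in
               ((rule.in_if, flow.in_if), (rule.out_if, flow.out_if),
                (rule.state, flow.state)))

def verdict(chain: List[Rule], flow: Flow, policy: str = "ACCEPT") -> str:
    """Walk the chain top-down; the first matching rule's target is final."""
    for rule in chain:
        if matches(rule, flow):
            return rule.target
    return policy  # assumed chain policy when no rule matches

def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> None:
    """iptables -I CHAIN [N] RULE: 1-based position, default is the top."""
    chain.insert(pos - 1, rule)

def build_chain(with_state_rule: bool) -> List[Rule]:
    chain: List[Rule] = []
    insert(chain, Rule("ACCEPT", in_if="br0", out_if="vlan1"), 1)
    insert(chain, Rule("DROP", in_if="br0", out_if="vlan2"), 2)
    insert(chain, Rule("DROP", in_if="vlan2", out_if="br0"), 3)
    insert(chain, Rule("ACCEPT", in_if="vlan2", out_if="vlan1"), 4)
    insert(chain, Rule("DROP"), 5)      # what's not allowed is forbidden
    if with_state_rule:                 # lets replies to allowed flows back
        insert(chain, Rule("ACCEPT", state="ESTABLISHED"), 1)
    return chain

if __name__ == "__main__":
    for flag in (False, True):
        chain = build_chain(flag)
        reply = Flow("vlan1", "br0", "ESTABLISHED")
        print("state rule:", flag, "reply from WAN ->", verdict(chain, reply))
```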