WiFi Routing Config by Ian
Here's the configuration used by Ian Kluft KO6YQ to route WiFi to a cell modem for SVWUX meetings.
Some firewall settings are necessary in order to comply with the upstream cell network provider, block drive-by spamming, etc.
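#!/bin/sh
# SVWUX WiFi router setup
#
# Routes a WiFi segment to a cell modem and installs iptables rules that
# restrict what WiFi clients may reach (DNS, SSH, HTTP, HTTPS, IMAPS, POP3S;
# NetBIOS and VoIP ports dropped to satisfy the upstream cell provider).
# Must run as root.  Safe to re-run: existing rules and chains are discarded.

# select network interfaces
wifi_if=eth0
cell_if=ppp0

# user-defined chain shared by INPUT and FORWARD
fw_chain=SVWUX-Firewall-1-INPUT

# wrapper so the rules below stay short
ipt() { /sbin/iptables "$@"; }

# configure WiFi network routing
# NOTE(review): the interface is addressed in 192.168.1.0/24 but the static
# route is for 192.168.2.0/24 -- confirm both subnets are intended.
/sbin/ifconfig "$wifi_if" 192.168.1.2/24 up
/sbin/route add -net 192.168.2.0/24 "$wifi_if"

# configure iptables filtering: start from a clean slate
/sbin/service iptables stop
ipt --flush
# --flush empties chains but leaves user-defined chains in place; delete them
# so --new-chain below does not fail on a second run.
ipt --delete-chain
ipt --policy INPUT ACCEPT
ipt --policy OUTPUT ACCEPT
ipt --policy FORWARD ACCEPT
ipt --flush -t nat
ipt -t nat -A POSTROUTING -o "$cell_if" -j MASQUERADE

# start SVWUX firewall rules
ipt --new-chain "$fw_chain"
ipt -A FORWARD -j "$fw_chain"
ipt -A INPUT -j "$fw_chain"
# block masqdialer (224/tcp).  The previous rule used "-p 224", which matches
# IP protocol number 224 rather than the masqdialer TCP port.
ipt -A "$fw_chain" -p tcp -m tcp --dport 224 -j DROP
# allow DNS
ipt -A "$fw_chain" -p udp -m udp --dport 53 -j ACCEPT
ipt -A "$fw_chain" -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# allow SSH
ipt -A "$fw_chain" -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
ipt -A "$fw_chain" -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# allow HTTP
ipt -A "$fw_chain" -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
ipt -A "$fw_chain" -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# allow HTTPS (HTTP over SSL)
ipt -A "$fw_chain" -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
ipt -A "$fw_chain" -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# allow IMAP over SSL
ipt -A "$fw_chain" -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
ipt -A "$fw_chain" -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
# allow POP over SSL
ipt -A "$fw_chain" -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
ipt -A "$fw_chain" -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
# block NetBIOS from the WiFi side
ipt -A "$fw_chain" -p udp --dport 137:139 -i "$wifi_if" -j DROP
# block VoIP (upstream cell provider doesn't allow it)
ipt -A "$fw_chain" -p udp --dport 1731:1735 -i "$wifi_if" -j DROP
ipt -A "$fw_chain" -p tcp --dport 1731:1735 -i "$wifi_if" -j DROP
ipt -A "$fw_chain" -p udp --dport 2271:2295 -i "$wifi_if" -j DROP
ipt -A "$fw_chain" -p tcp --dport 2271:2295 -i "$wifi_if" -j DROP
ipt -A "$fw_chain" -p udp --dport 10000 -i "$wifi_if" -j DROP
ipt -A "$fw_chain" -p tcp --dport 10000 -i "$wifi_if" -j DROP
# allow localhost interface
ipt -A "$fw_chain" -i lo -j ACCEPT
# Allow useful control packets (fragmentation, etc.)
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 3 -j ACCEPT
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Limit echoes to stop ping floods.  Echo request/reply above the limit must
# be dropped here; otherwise they fall through to the "any" ACCEPT below and
# the rate limit has no effect.
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec -j ACCEPT
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 8 -j DROP
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type 0 -j DROP
# NOTE(review): this ACCEPT matches every remaining ICMP type, so the REJECT
# for the WiFi side just below and the "Block all other control traffic" DROP
# appended to INPUT are never reached.  Kept as-is; decide which was meant.
ipt -A "$fw_chain" -p icmp -m icmp --icmp-type any -j ACCEPT
ipt -A "$fw_chain" -p icmp -i "$wifi_if" -m icmp --icmp-type any -j REJECT --reject-with icmp-admin-prohibited
# Block all other control traffic
ipt -A INPUT -p icmp -j DROP
# allow established traffic
ipt -A "$fw_chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else arriving from the WiFi side is dropped.
# NOTE(review): the chain policies are ACCEPT and this DROP matches only
# $wifi_if, so unmatched traffic arriving on $cell_if is accepted by default
# -- confirm that is intended.
ipt -A "$fw_chain" -i "$wifi_if" -j DROP

# make sure routing is enabled -- done after the rules are in place so there
# is no window where forwarding is on but the traffic is unfiltered.
echo 1 > /proc/sys/net/ipv4/ip_forward

# start DHCP
/sbin/service dhcpd start
exit 0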
--
IanKluft - 05 Oct 2007