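# Setup bridge for guest wifi (br1) with a separate subnet/dhcp.
# Setup virtual wifi wlan0.1.
# The following rules go under administration -> scripts -> firewall,
# then reboot after saving.
#
# NOTE: -I inserts at the beginning of the chain by default, so a rule
# issued EARLIER in this script ends up LOWER in the chain. Issue
# restrictive rules first (bottom) and permissive rules last (top).
#
# Resulting FORWARD chain, top to bottom, once this script has run:
#   1. RELATED,ESTABLISHED accept
#   2. guest <-> LAN (br0) isolation drops
#   3. explicit per-port accepts for guest traffic
#   4. default deny for anything else from br1
#
# The per-port accepts match on -i br1 only (no -o), so the isolation
# drops MUST be issued after them (i.e. sit above them in the chain).
# Issued the other way round, a guest client could reach LAN hosts on
# br0 on every explicitly allowed port (80, 443, 22, ...).

# Default deny guest: issued first so it lands at the bottom of FORWARD.
iptables -I FORWARD -i br1 -j DROP

# Removes guest access to the router's config GUI/ports.
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Guest allow DNS to router (issued after the rejects, so it sits above them).
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT

# Guest - allow explicit ports (new connections only; interactive and
# mail services are rate-limited per minute).
# Guest to ftp
iptables -I FORWARD -i br1 -p tcp --dport 21 -m state --state NEW -m limit --limit 4/min -j ACCEPT
# Guest to ssh
iptables -I FORWARD -i br1 -p tcp --dport 22 -m state --state NEW -m limit --limit 4/min -j ACCEPT
# Guest to telnet
iptables -I FORWARD -i br1 -p tcp --dport 23 -m state --state NEW -m limit --limit 4/min -j ACCEPT
# Guest to smtp/smtp+ssl (plain port 25 intentionally left disabled)
#iptables -I FORWARD -i br1 -p tcp --dport 25 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 2525 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 465 -m state --state NEW -m limit --limit 4/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 587 -m state --state NEW -m limit --limit 4/min -j ACCEPT
# Guest to pop3/ssl
iptables -I FORWARD -i br1 -p tcp --dport 110 -m state --state NEW -m limit --limit 16/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 995 -m state --state NEW -m limit --limit 16/min -j ACCEPT
# Guest to imap/ssl
iptables -I FORWARD -i br1 -p tcp --dport 143 -m state --state NEW -m limit --limit 16/min -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 993 -m state --state NEW -m limit --limit 16/min -j ACCEPT
# Guest http/https
iptables -I FORWARD -i br1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -p tcp --dport 8443 -m state --state NEW -j ACCEPT

# Removes guest access to the physical network (br0), and the reverse.
# Issued AFTER the per-port accepts so these drops are evaluated before
# them; the accepts above carry no -o match and would otherwise let
# guests reach LAN hosts on the allowed ports.
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# Guest - allow established connections (issued last, so top of FORWARD).
iptables -I FORWARD -i br1 -m state --state RELATED,ESTABLISHED -j ACCEPT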