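#!/bin/sh
# DD-WRT custom firewall script (runs under busybox ash, after the stock
# rules are in place).  Helpers supplied by DD-WRT: nvram, get_wanface, and
# the logaccept chain.
#
# Chain-order reminders that this script depends on:
#   * every rule added with -I lands ABOVE the stock rules, and a later -I
#     lands above an earlier one, so an ACCEPT exception must be inserted
#     AFTER the broad DROPs it punches through;
#   * the stock RELATED,ESTABLISHED ACCEPT is moved to the very top of
#     FORWARD at the end, so return traffic never hits the throttles.
#
# No "set -e": a firewall script that stops halfway leaves a half-built
# ruleset, which is worse than one missing rule.  Failures are logged instead.

# Run one iptables command; log it to syslog if it is rejected, because a
# rule that does not load is a protection that silently does not exist.
ipt() {
  iptables "$@" || logger -t firewall "rule failed: iptables $*"
}

WAN_IP="$(nvram get wan_ipaddr)"
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"
WANF="$(get_wanface)"

# --- Port forwards -------------------------------------------------------
# These FORWARD ACCEPTs carry no -i and are the first inserts, so they end
# up below the guest/vlan4 isolation DROPs; only WAN-originated traffic
# effectively reaches them.

# Remote access to the BlueIris server, tcp/7000 -> 10.10.5.141
ipt -t nat -A PREROUTING -d "$WAN_IP" -p tcp -m tcp --dport 7000 \
  -j DNAT --to-destination 10.10.5.141:7000
ipt -I FORWARD -p tcp -d 10.10.5.141 --dport 7000 -j ACCEPT

# Minecraft server, tcp/25565 -> 10.10.5.139
ipt -t nat -A PREROUTING -d "$WAN_IP" -p tcp -m tcp --dport 25565 \
  -j DNAT --to-destination 10.10.5.139:25565
ipt -I FORWARD -p tcp -d 10.10.5.139 --dport 25565 -j ACCEPT

# --- Forced DNS ----------------------------------------------------------
# Redirecting port 53 only catches plain DNS; DNS-over-TLS (853) and
# DNS-over-HTTPS (443) are not touched by any rule here.

# Apple TV (10.10.5.100) only: send its DNS to the unblock-us resolver.
UNBLOCKUS=208.122.23.23
ipt -t nat -I PREROUTING -p udp -s 10.10.5.100 --dport 53 \
  -j DNAT --to-destination "$UNBLOCKUS"
ipt -t nat -I PREROUTING -p tcp -s 10.10.5.100 --dport 53 \
  -j DNAT --to-destination "$UNBLOCKUS"

ODNS1=208.67.222.222
ODNS2=208.67.220.220

# force_opendns IFACE [SRC_HOST]
# Redirect udp+tcp/53 arriving on IFACE (optionally only from SRC_HOST) to
# OpenDNS.  Appended with -A, so relative order among these does not matter.
# NOTE(review): iptables refuses a second --to-destination on kernels newer
# than 2.6.10 ("Multiple --to-destination not supported"); if syslog shows
# these rules failing, keep a single resolver.
force_opendns() {
  _iface=$1
  _src=$2
  for _proto in udp tcp; do
    if [ -n "$_src" ]; then
      ipt -t nat -A PREROUTING -p "$_proto" -i "$_iface" -s "$_src" --dport 53 \
        -j DNAT --to-destination "$ODNS1" --to-destination "$ODNS2"
    else
      ipt -t nat -A PREROUTING -p "$_proto" -i "$_iface" --dport 53 \
        -j DNAT --to-destination "$ODNS1" --to-destination "$ODNS2"
    fi
  done
}

# Selected main-network clients
for _host in 10.10.5.147 10.10.5.101 10.10.5.113 10.10.5.139; do
  force_opendns br0 "$_host"
done
# PS3 game console on vlan4
force_opendns vlan4 10.10.10.11
# The whole guest network (br1)
force_opendns br1

# --- Guest network (br1) isolation ---------------------------------------
# br0 = main LAN, br1 = guest wireless, vlan4 = game-console segment.
ipt -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
ipt -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
ipt -I FORWARD -i br1 -o vlan4 -m state --state NEW -j DROP
ipt -I FORWARD -i vlan4 -o br1 -m state --state NEW -j DROP

# Limit guests to essential router services.
# NOTE(review): the blanket DROP below is disabled, so what guests can reach
# on the router itself depends on the stock INPUT rules — check with
# "iptables --line-numbers -nL INPUT".
#ipt -I INPUT -i br1 -d "$LAN_IP" -j DROP
# Allow guests DHCP and DNS on the router.  (Guest DNS is DNATed to OpenDNS
# in PREROUTING above, so in practice only DHCP hits these.)
ipt -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
ipt -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Throttle torrent / p2p: cap concurrent connections per source host.
# NOTE(review): 192.168.2.0/24 matches no subnet referenced elsewhere in
# this script; confirm it is br1's subnet, otherwise these never match.
ipt -I FORWARD -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 50 -j DROP
# "! -p tcp" is the supported negation form; "-p ! tcp" is deprecated.
ipt -I FORWARD ! -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 25 -j DROP

# Guests get Internet only: no main LAN and no RFC1918 space at all.
ipt -I FORWARD -i br1 -d "$LAN_NET" -m state --state NEW -j DROP
ipt -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP
# RFC1918 block is 172.16.0.0/12; the previous /16 left 172.17-172.31 open.
ipt -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP
ipt -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP
# Exception: guests may use the printer on the main network.  Inserted
# AFTER the DROPs above so it sits above them in the chain — inserted
# earlier, the 10.0.0.0/8 DROP shadowed it and the exception never matched.
ipt -I FORWARD -i br1 -d 10.10.5.200 -j ACCEPT

# NAT guest traffic onto the main LAN (only needed when the primary router
# has no static route back to the guest subnet).
# NOTE(review): this SNATs everything leaving on br0, including the port
# forwards above, so BlueIris/Minecraft see every remote client as $LAN_IP;
# add "-s <guest subnet>" to keep real client addresses in their logs.
ipt -t nat -A POSTROUTING -o br0 -j SNAT --to-source "$LAN_IP"

# --- vlan4 (game-console segment) ----------------------------------------
# Keep vlan4 and the main LAN apart.
ipt -I FORWARD -i vlan4 -o br0 -m state --state NEW -j DROP
ipt -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP
# vlan4 may use DHCP and DNS on the router.
ipt -I INPUT -i vlan4 -p udp -m multiport --dports 53,67 -j ACCEPT
ipt -I INPUT -i vlan4 -p tcp --dport 53 -j ACCEPT
# One admin host on vlan4 may reach the router itself (web UI, telnet, ssh).
# Bound to -i vlan4: a source-IP-only ACCEPT would also match a packet
# spoofing 10.10.10.13 that arrives on the WAN interface.
ipt -I INPUT -i vlan4 -s 10.10.10.13 -j ACCEPT

# DMZ: anything else addressed to the WAN IP goes to 10.10.10.11.  Appended,
# so the explicit port forwards above take precedence.
# NOTE(review): the FORWARD ACCEPT has no -i and sits above the guest
# isolation DROPs, so br1 can also open connections to 10.10.10.11 —
# confirm that is intended.
ipt -t nat -A PREROUTING -d "$WAN_IP" -j DNAT --to-destination 10.10.10.11
ipt -I FORWARD -o vlan4 -d 10.10.10.11 -j ACCEPT

# --- Brute-force throttle for telnet/ssh/ftp from the WAN ----------------
# A source that opens 3 or more connections to ports 21-23 within 60 s is
# logged and dropped, and stays dropped while it keeps trying (every packet
# re-arms its "recent" entry).
iptables -N bruteprotect 2>/dev/null  # may already exist on a re-run
ipt -F bruteprotect
ipt -A bruteprotect -m recent --set --name BRUTEFORCE --rsource
ipt -A bruteprotect -m recent ! --update --seconds 60 --hitcount 3 \
  --name BRUTEFORCE --rsource -j RETURN
# Rate-limit the LOG line: an unthrottled LOG is itself a log-flood vector.
ipt -A bruteprotect -m limit --limit 10/min --limit-burst 20 \
  -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
ipt -A bruteprotect -j DROP
# --syn: count connection attempts only, not every packet of a session.
# Positions 3 and 4 are relative to DD-WRT's stock rules; re-check them
# after a firmware upgrade.  The FTP accept is inserted FIRST so the
# bruteprotect check lands above it and FTP is throttled like ssh/telnet.
ipt -I INPUT 3 -i "$WANF" -p tcp --dport 21 -j logaccept
ipt -I INPUT 3 -i "$WANF" -p tcp -m tcp --syn --dport 21:23 -j bruteprotect
ipt -I FORWARD 4 -i "$WANF" -p tcp -m tcp --syn --dport 21:23 -j bruteprotect

# Move the stock RELATED,ESTABLISHED ACCEPT to the top of FORWARD so return
# traffic never reaches the connlimit/bruteprotect rules.  Skip the delete
# when no such rule is found rather than calling "-D FORWARD" with no number.
est_rule="$(iptables --line-numbers -nL FORWARD | grep ESTABLISHED | tail -n1 | awk '{print $1}')"
if [ -n "$est_rule" ]; then
  ipt -D FORWARD "$est_rule"
fi
ipt -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# --- Website blocks ------------------------------------------------------
# Hostnames are resolved ONCE, when the rule is loaded (one rule per A
# record), so this silently breaks when the site's addresses change or DNS
# is not yet up at boot; a dnsmasq "address=/zoosk.com/" entry is more
# robust for a name-based block.
iptables -N LOG_DROP 2>/dev/null  # may already exist on a re-run
ipt -F LOG_DROP
ipt -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix '[ZOOSK DROP] : '
ipt -A LOG_DROP -j DROP
# NOTE(review): .com is blocked on tcp/443 only while .ca is blocked on every
# port and protocol — confirm which is intended.
ipt -I FORWARD -m tcp -p tcp -d www.zoosk.com --dport 443 -j LOG_DROP
ipt -I FORWARD -d www.zoosk.ca -j LOG_DROP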