AP isolation - noob

[Fuelrod]

I'm really trying hard but I'm a noob when it comes to shell scripts. I'm trying to create just basic isolation from the LAN on my guest network when my router is in AP mode. I followed this go by in this thread.

My script for services-start.sh is as follows with my LAN MAC address for the upstream router inserted for xx:xx:xx... :

#!\bin\sh

#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1

#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

I don't know if the script is executing or not on a reboot but if I execute is manually I get the following:

fuelrod@RT-AC88U:/jffs/scripts# sh services-start.sh
: not foundart.sh: line 2:
: not foundart.sh: line 5:
'.legal target name 'ACCEPT
'.legal target name 'ACCEPT
'.legal target name 'ACCEPT
'.legal target name 'DROP
The specified rule number is incorrect.

A couple of noob questions:
1) The services-start script does need the ".sh" on the end of it, correct?
2) Is there a way to tell if my 2.4GHz first guest network is really wl0.1 or is that just default
3) I don't really understand what the numbers are after the FORWARD command

Any help is appreciated. I don't care if my LAN clients see my guests at this point, I just don't want my guests to see anyone on the LAN but still have access to the internet.

 

[ColinTaylor]

1) services-start does not have ".sh" on the end.

The first line of your script is wrong. It should be:

#!/bin/sh

2) Yes, wl0.1 is the fist 2.4GHz guest network

 

[Fuelrod]

1) services-start does not have ".sh" on the end.

The first line of your script is wrong. It should be:

#!/bin/sh

2) Yes, wl0.1 is the fist 2.4GHz guest network

Thank you for the correction, to many years working with DOS. So I made the changes and it still gives me the same output if I manually execute the script. I also don't think its running automatically when I reboot the router. I added the "touch /tmp/000wanstarted" command and if I run it manually the "000wanstarted" file is created in the /tmp directory. When I reboot the router the "000wanstarted" file in NOT created in the /tmp directory.

#!/bin/sh

touch /tmp/000wanstarted

#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1

#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

fuelrod@RT-AC88U:/jffs/scripts# sh services-start
: not foundart: line 2:
: not foundart: line 4:
: not foundart: line 7:
'.legal target name 'ACCEPT
'.legal target name 'ACCEPT
'.legal target name 'ACCEPT
'.legal target name 'DROP
The specified rule number is incorrect.

 

[dave14305]

Try running these commands first to cleanup the script then try again.

dos2unix /jffs/scripts/services-start
chmod u+x /jffs/scripts/services-start

There’s some crud in your blank lines for sure.

 

[Fuelrod]

Try running these commands first to cleanup the script then try again.

dos2unix /jffs/scripts/services-start
chmod u+x /jffs/scripts/services-start

There’s some crud in your blank lines for sure.

That worked like a charm. Thank you very much!

 

[Wadadli]

That worked like a charm. Thank you very much!

Just FYI
You had carriage returns in your script. Next time use something like Notepad++ (in linux mode) to create your scripts. This way you do not need to do "dos2unix".