Block DNS DD-WRT

Here’s the project:
Secure a wireless access point for vendors/non-work computers to use. Disallow access to anything that eats up bandwidth – it’s supposed to be a tool and not a plaything.

Background:
A primary internet connection has 62 public IP addresses. One of them is pointed at a WRT54-G (v1) router. I installed DD-WRT (v24 preSP2 build 13064), configured it accordingly, and signed up for the OpenDNS service to block all the “bad stuff”.

Problem:
Merely handing out the OpenDNS servers through the DHCP server is not enough. Any savvy tech user can set their own DNS servers on the client and go from there. I needed a way to control DNS (port 53) on the router side so that no outside resolver could bypass the filtering. DD-WRT was first configured to simply block port 53, but that didn’t work out too well. So I ended up adding my own iptables rules to the router, not to block other DNS servers, but to transparently redirect every DNS request to the router’s own resolver (which forwards to OpenDNS). Makes things easier in the long run.

Solution:

Log into the router
Click on the Administration Tab
Click on the Commands Tab
In the commands box, paste the following two lines. The first catches normal UDP queries; the second catches TCP, which resolvers fall back to for large answers. `-i br0` matches everything arriving on the LAN bridge (wired and wireless), and `$(nvram get lan_ipaddr)` expands to the router’s own LAN address, so the query lands on the router’s dnsmasq no matter which server the client asked for:
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to-destination $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to-destination $(nvram get lan_ipaddr)
Click Save Firewall

Save Firewall stores those lines as the router’s firewall script, which runs on every firewall restart. After it reboots, test it out from a client: point the client at an outside DNS server such as 4.2.2.2 (or run nslookup against it) and confirm that OpenDNS filtering still applies, because the router is now quietly answering that query itself. Awesome, I know.
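Here is a fuller version of the firewall script, added as an example (it is not the post’s original two-liner). It puts the redirect in its own nat chain so that re-running the script on every firewall restart does not stack duplicate PREROUTING rules, and it also rejects DNS-over-TLS on port 853, which the plain port-53 redirect cannot see. The chain names dns_redirect and dns_block, the br0 bridge, and the assumption that dnsmasq on the router already forwards to OpenDNS (Setup → Static DNS) are mine, not the post’s.

```shell
#!/bin/sh
# Added example, not the original post's script: DD-WRT firewall script that
# forces all LAN client DNS through the router using a dedicated iptables chain.
# Assumptions: LAN bridge is br0, dnsmasq forwards to OpenDNS, and the "nvram"
# command exists only on the router (so the script is inert elsewhere).

LAN_IF="${LAN_IF:-br0}"      # bridge the vendor clients sit on
CHAIN="dns_redirect"         # our own nat chain (name assumed)
BLOCK_CHAIN="dns_block"      # our own filter chain (name assumed)

# Redirect every port-53 packet from the LAN to the router's resolver.
# Create-then-flush makes this idempotent: Save Firewall or a firewall
# restart can re-run it without duplicating rules.
install_dns_redirect() {
    lan_ip="$1"
    iptables -t nat -N "$CHAIN" 2>/dev/null || true   # already exists on re-run
    iptables -t nat -F "$CHAIN"
    for proto in udp tcp; do
        # Whatever server the client chose (4.2.2.2, 8.8.8.8, ...), the
        # destination is rewritten to the router's LAN address.
        iptables -t nat -A "$CHAIN" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$lan_ip"
    done
    # Hook the chain into PREROUTING for LAN traffic, but only once.
    if ! iptables -t nat -L PREROUTING -n | grep -q "$CHAIN"; then
        iptables -t nat -I PREROUTING -i "$LAN_IF" -j "$CHAIN"
    fi
}

# The DNAT above only sees plaintext DNS. Reset DNS-over-TLS so a client
# pinned to a DoT resolver fails visibly instead of silently bypassing the
# filter. DNS-over-HTTPS rides on 443 and cannot be singled out by port;
# that limitation remains.
block_dot() {
    iptables -N "$BLOCK_CHAIN" 2>/dev/null || true
    iptables -F "$BLOCK_CHAIN"
    iptables -A "$BLOCK_CHAIN" -p tcp --dport 853 -j REJECT --reject-with tcp-reset
    iptables -A "$BLOCK_CHAIN" -p udp --dport 853 -j DROP
    if ! iptables -L FORWARD -n | grep -q "$BLOCK_CHAIN"; then
        iptables -I FORWARD -i "$LAN_IF" -j "$BLOCK_CHAIN"
    fi
}

# On the router, nvram supplies the LAN address and the rules are applied.
# Anywhere else only the functions are defined (useful for review/testing).
if command -v nvram >/dev/null 2>&1; then
    install_dns_redirect "$(nvram get lan_ipaddr)"
    block_dot
fi
```

To check it on the router, `iptables -t nat -L dns_redirect -v -n` shows the packet counters climbing while a client queries 4.2.2.2 directly; from a client, a domain that OpenDNS is set to block should still come back blocked even when the query is sent to 4.2.2.2. Two things the redirect does not cover: DNS-over-HTTPS on 443, and a client talking to its own resolver on a non-standard port. Only a default-deny outbound policy on the vendor VLAN closes those.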

Security:
WRT54-G running DD-WRT with a non-standard password
SSID is not being broadcast
WPA2 Personal with AES Encryption
WRT54-G is connected to a portion of the main internet pipe on a public IP but is VLAN’d off from the rest of the network
DD-WRT admin access is not allowed over the WLAN
OpenDNS is blocking almost all access
DD-WRT does NOT allow connections before 7AM, after 7PM, or on weekends
I’m wearing pants

OK, had to lighten the mood a little bit. But that’s the gist of it.
