Block outgoing SMTP from untrusted hosts with DD-WRT

You may find yourself in this scenario: a friend's infected computer is at your place for cleanup and it needs internet access so you can download and run cleanup utilities, but you don't want it to keep spamming the internet (and get your public IP blacklisted or even blocked).

Using a router running DD-WRT, this is easy to do with custom firewall rules. For example, to allow trusted hosts 10.0.0.1 and 10.0.0.2 to send mail and block every other host on the local network from connecting to outgoing port 25 (SMTP), add the following rules to DD-WRT's firewall script:

# disable SMTP for untrusted hosts
# The ACCEPT rules are inserted ahead of the REJECT catch-all, so the position
# numbers (1-4) matter: the REJECT for the whole LAN must stay last.
iptables -I FORWARD 1 -p tcp -s 10.0.0.1 --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 10.0.0.2 --dport 25 -j ACCEPT
iptables -I FORWARD 3 -p tcp -s 10.0.0.3 --dport 25 -j ACCEPT
iptables -I FORWARD 4 -p tcp -s 10.0.0.0/24 --dport 25 -j REJECT
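The hand-numbered `-I FORWARD 1..4` rules above work, but they only cover port 25, they silently drop the spam (so you never see which host is still trying), and re-running the script with a changed list means renumbering. The script below is an added example, not from the original post: it generates an equivalent rule set that puts the allow/deny logic in its own chain, logs rejected attempts to the router's syslog so you can confirm the infected machine is actually being stopped, and also covers the submission ports 465 and 587 that modern spam bots use. The host addresses, network and chain name are constructed; it assumes the `multiport` match and `--reject-with tcp-reset` are available in your DD-WRT build. It prints the iptables commands instead of running them, so you can review the output and paste it into the Firewall box.

```shell
#!/bin/sh
# Added example (not the original post's rules): build DD-WRT firewall-script
# rules that let a few trusted LAN hosts send mail and log + reject everyone else.

TRUSTED_HOSTS="10.0.0.1 10.0.0.2"   # constructed: the hosts allowed to send mail
LAN_NET="10.0.0.0/24"               # constructed: the LAN behind the router
MAIL_PORTS="25,465,587"             # SMTP plus the submission ports
CHAIN="MAILGUARD"                   # constructed chain name (assumption)

# gen_mail_rules TRUSTED LAN PORTS CHAIN
# Prints one iptables command per line. Using a dedicated chain means the
# trusted list can grow without renumbering FORWARD positions, and the single
# hook in FORWARD is deleted before being re-inserted so the script is safe
# to run more than once (DD-WRT re-runs the firewall script on every restart).
gen_mail_rules() {
    trusted=$1; lan=$2; ports=$3; chain=$4

    # create the chain, or flush it if it already exists
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"

    # trusted senders leave the chain (RETURN) and continue normal forwarding
    for h in $trusted; do
        echo "iptables -A $chain -s $h -j RETURN"
    done

    # everyone else: rate-limited log line (visible in the router syslog),
    # then a clean TCP reset so the client fails fast instead of timing out
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"MAIL-BLOCK: \""
    echo "iptables -A $chain -j REJECT --reject-with tcp-reset"

    # hook: only outbound mail ports from the LAN are sent through the chain
    echo "iptables -D FORWARD -p tcp -s $lan -m multiport --dports $ports -j $chain 2>/dev/null"
    echo "iptables -I FORWARD 1 -p tcp -s $lan -m multiport --dports $ports -j $chain"
}

# Number of commands the generator emits (handy for a quick sanity check).
count_rules() {
    gen_mail_rules "$@" | wc -l | tr -d ' '
}

gen_mail_rules "$TRUSTED_HOSTS" "$LAN_NET" "$MAIL_PORTS" "$CHAIN"
```

Once the rules are in place, a blocked attempt shows up in the router's syslog as a `MAIL-BLOCK:` line with the offending source address, which is the evidence you want before declaring the machine clean. The rate limit keeps a busy bot from flooding the log.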

The firewall script is edited via Administration » Commands » Firewall. Click Edit in the Firewall section, then paste or edit the rules in the Command Shell box. When done, click the Save Firewall button; this saves the script and reboots the router.

Test the rules from the console before making them permanent, to avoid locking yourself out of the router or saving broken rules.
