Fix errors on rules for unify controllers.

This commit is contained in:
Christoph 2017-04-21 17:06:19 +02:00
parent c7b8effe17
commit 0c55b9afe0
4 changed files with 122 additions and 94 deletions


@ -714,21 +714,52 @@ remote_console_port=5900
# - Ubiquiti Unifi # - Ubiquiti Unifi
# ====== # ======
# - Notice: # - By default, the UniFi controller will operate on the following ports:
# - The Accesspoint IP is not needed (i think so), because the
# - AP uses port 8080 for cummunication with the controller, and
# - this port will be configured with the rules concerning the
# - controllers.
# - # -
# - again: setting unifi_ap_local_ips is not needed # - unifi_http_port=8080 (port for UAP to inform controller)
#unifi_ap_local_ips="192.168.64.50" # - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
# - unifi_portal_http_port=8880 (port for HTTP portal redirect)
# - unifi_portal_https_port=8843 (port for HTTPS portal redirect)
# - unifi_http_port=6789 (port used for throughput measurement)
# - unifi_db_port=27117 (local-bound port for DB server)
# -
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open firewall for these ports on controller. However, on
# - controller, avoid to use these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
unify_tcp_ports="8080,8443,8880,8843,6789,27117"
unify_udp_ports="3478"
unify_broadcast_udp_ports="10001,5656:5699"
unifi_controller_gateway_ips="" # - Unifi Controller at gateway?
# -
local_unifi_controller_service=false
# - UniFi Controllers on local network (other than this machine)
# -
unify_controller_local_net_ips="" unify_controller_local_net_ips=""
unify_controller_ports="8080,8443"
provide_hotspot=true
hotspot_ports="8880,8843"
# ====== # ======
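Review bot: The new `unify_tcp_ports="8080,8443,8880,8843,6789,27117"` includes 27117, which the comment block two dozen lines above describes as the "local-bound port for DB server"; a port bound to localhost needs no accept rule, and since this list is what the script sections of this commit feed into INPUT and FORWARD rules, listing it widens the firewall for no functional gain. I would drop it and record why: `unify_tcp_ports="8080,8443,8880,8843,6789"` with `# - 27117 (DB server) is bound to localhost only and needs no firewall rule`. The line `# - unifi_http_port=6789 (port used for throughput measurement)` reuses the name already given to 8080 and looks like a copy-paste slip in the comment. `provide_hotspot=true` and `hotspot_ports="8880,8843"` are kept, yet 8880/8843 now also sit in `unify_tcp_ports` and the script hunks on this page appear to drop the `$provide_hotspot` branches, so the hotspot switch seems to have become a no-op — worth either removing the two settings or noting that they are no longer consulted. The same edit appears in the IPv6 configuration section below, and the `unify_`/`unifi_` prefixes (`unifi_controller_gateway_ips`, `local_unifi_controller_service`, `unify_tcp_ports`) would be easier to grep with one spelling.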


@ -697,21 +697,52 @@ remote_console_port=5900
# - Ubiquiti Unifi # - Ubiquiti Unifi
# ====== # ======
# - Notice: # - By default, the UniFi controller will operate on the following ports:
# - The Accesspoint IP is not needed (i think so), because the
# - AP uses port 8080 for cummunication with the controller, and
# - this port will be configured with the rules concerning the
# - controllers.
# - # -
# - again: setting unifi_ap_local_ips is not needed # - unifi_http_port=8080 (port for UAP to inform controller)
#unifi_ap_local_ips="2001:6f8:107e:64::50" # - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
# - unifi_portal_http_port=8880 (port for HTTP portal redirect)
# - unifi_portal_https_port=8843 (port for HTTPS portal redirect)
# - unifi_http_port=6789 (port used for throughput measurement)
# - unifi_db_port=27117 (local-bound port for DB server)
# -
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open firewall for these ports on controller. However, on
# - controller, avoid to use these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
unify_tcp_ports="8080,8443,8880,8843,6789,27117"
unify_udp_ports="3478"
unify_broadcast_udp_ports="10001,5656:5699"
unifi_controller_gateway_ips="" # - Unifi Controller at gateway?
# -
local_unifi_controller_service=false
# - UniFi Controllers on local network (other than this machine)
# -
unify_controller_local_net_ips="" unify_controller_local_net_ips=""
unify_controller_ports="8080,8443"
provide_hotspot=true
hotspot_ports="8880,8843"
# ====== # ======


@ -798,7 +798,8 @@ fi
echononl "\tAllow these local networks any access to the internet" echononl "\tAllow these local networks any access to the internet"
if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_local_net_to_inet ; then
for _net in ${any_access_to_inet_network_arr[@]}; do for _net in ${any_access_to_inet_network_arr[@]}; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
@ -817,12 +818,9 @@ fi
# --- # ---
echononl "\tAllow local services from given local networks" echononl "\tAllow local services from given local networks"
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_local_net_to_inet ; then
for _val in "${allow_local_net_to_local_service_arr[@]}" ; do for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
@ -853,11 +851,9 @@ fi
echononl "\tAllow all traffic from local network to local ip-address" echononl "\tAllow all traffic from local network to local ip-address"
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
for _val in ${allow_local_net_to_local_ip_arr[@]} ; do for _val in ${allow_local_net_to_local_ip_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
@ -885,11 +881,9 @@ fi
echononl "\tAllow all traffic from local ip-address to local network" echononl "\tAllow all traffic from local ip-address to local network"
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
for _val in ${allow_local_ip_to_local_net_arr[@]} ; do for _val in ${allow_local_ip_to_local_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
@ -917,11 +911,9 @@ fi
echononl "\tAllow all traffic from local network to (another) local network" echononl "\tAllow all traffic from local network to (another) local network"
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
for _val in ${allow_local_net_to_local_net_arr[@]} ; do for _val in ${allow_local_net_to_local_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
@ -949,11 +941,9 @@ fi
echononl "\tAllow local ip address from given local interface" echononl "\tAllow local ip address from given local interface"
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then && $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
for _val in ${allow_local_if_to_local_ip_arr[@]} ; do for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
@ -980,10 +970,6 @@ fi
# --- # ---
echononl "\tSeparate local networks.." echononl "\tSeparate local networks.."
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _net in ${separate_local_network_arr[@]}; do for _net in ${separate_local_network_arr[@]}; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
@ -1002,10 +988,6 @@ fi
# --- # ---
echononl "\tSeparate local interfaces.." echononl "\tSeparate local interfaces.."
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _dev_1 in ${separate_local_if_arr[@]}; do for _dev_1 in ${separate_local_if_arr[@]}; do
for _dev_2 in ${local_if_arr[@]} ; do for _dev_2 in ${local_if_arr[@]} ; do
@ -2724,27 +2706,23 @@ fi
# --- # ---
echononl "\t\tUbiquiti Unifi Accesspoints" echononl "\t\tUbiquiti Unifi Accesspoints"
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then if $local_unifi_controller_service ; then
for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
fi fi
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
# - Note: # - Note:
@ -2752,12 +2730,8 @@ if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_
# - special rule. # - special rule.
# - # -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
if $provide_hotspot ; then
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
fi
fi fi
done done
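Review bot: The three new INPUT rules under `if $local_unifi_controller_service ; then` (`$ip6t -A INPUT -p udp ... $unify_broadcast_udp_ports`, `-p tcp ... $unify_tcp_ports`, `-p udp ... $unify_udp_ports`) carry no `-i` match, whereas the rules they replace were appended inside `for _dev in ${local_if_arr[@]}` with `-i $_dev -d $_ip_ctl`; with the service enabled, every port in `unify_tcp_ports` — 8443 (controller GUI/API) and 27117 (the DB port the config calls local-bound) among them — is now accepted on all interfaces, external ones included. Keeping the interface loop restores the previous exposure; the rewritten lines are below, and the iptables section further down has the identical hunk (`$ipt -A INPUT -p udp ...`) and needs the same treatment. The outer `if $local_unifi_controller_service || ...` block continues past this hunk. Separately, the earlier hunk `Allow local services from given local networks` gates on `! $permit_local_net_to_inet` while its five sibling blocks gate on `! $permit_between_local_networks`; if that difference is not deliberate it reads like a copy-paste slip.
```shell
if $local_unifi_controller_service ; then
  for _dev in ${local_if_arr[@]} ; do
    $ip6t -A INPUT -i $_dev -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
    $ip6t -A INPUT -i $_dev -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
    $ip6t -A INPUT -i $_dev -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
  done
fi
# … unchanged: FORWARD rules for unify_controller_local_net_ip_arr …
```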


@ -3162,27 +3162,23 @@ fi
# --- # ---
echononl "\t\tUbiquiti Unifi Accesspoints" echononl "\t\tUbiquiti Unifi Accesspoints"
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then if $local_unifi_controller_service ; then
for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
for _dev in ${local_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
fi fi
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
# - Note: # - Note:
@ -3190,12 +3186,8 @@ if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_
# - special rule. # - special rule.
# - # -
if $kernel_activate_forwarding && $local_alias_interfaces ; then if $kernel_activate_forwarding && $local_alias_interfaces ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
if $provide_hotspot ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
fi
fi fi
done done