From 14b72b2ad2f1754f9fcc65fe649de8f54dd47dc1 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 1 Aug 2019 17:22:48 +0200 Subject: [PATCH] Add support for unifi devices outside internal network. --- conf/main_ipv4.conf.sample | 6 ++++++ conf/main_ipv6.conf.sample | 6 ++++++ conf/post_decalrations.conf | 4 ++++ ip6t-firewall-gateway | 38 +++++++++++++++++++++++++++++++------ ipt-firewall-gateway | 35 +++++++++++++++++++++++++++++----- 5 files changed, 78 insertions(+), 11 deletions(-) diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 84a975a..4d7c1a2 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -1000,6 +1000,12 @@ local_unifi_controller_service=false # - unifi_ap_local_ips="" +# Note: +# in contrast to devices at local networks, devices hosted at extern network +# are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr' +# +unifi_ap_extern_ips="" + # - UniFi Controllers on local network (other than this machine) # - diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 4c425e1..3274dfe 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -970,6 +970,12 @@ local_unifi_controller_service=false # - unifi_ap_local_ips="" +# Note: +# in contrast to devices at local networks, devices hosted at extern network +# are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr' +# +unifi_ap_extern_ips="" + # - UniFi Controllers on local network (other than this machine) # - diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 0f273f0..73ba90a 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf 
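Review bot: The new comment in both sample configs says a device "is only seen if the device is part of this array 'unifi_ap_extern_ip_arr'", but the setting an admin edits here is `unifi_ap_extern_ips`; the array is only derived from it in conf/post_decalrations.conf, so the comment names something the reader cannot set, and "are only be seen" is garbled. Suggest `# Devices on external networks are only allowed in if their address is listed in 'unifi_ap_extern_ips' (whitespace separated). Each entry becomes an ip(6)tables -s match, so a prefix here opens the controller ports to that whole prefix.` The same wording is repeated in the ip6t and ipt script blocks and should be corrected there too.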
@@ -374,6 +374,10 @@ declare -a unifi_ap_local_ip_arr for _ip in $unifi_ap_local_ips ; do unifi_ap_local_ip_arr+=("$_ip") done +declare -a unifi_ap_extern_ip_arr +for _ip in $unifi_ap_extern_ips ; do + unifi_ap_extern_ip_arr+=("$_ip") +done declare -a unifi_controller_gateway_ip_arr for _ip in $unifi_controller_gateway_ips ; do unifi_controller_gateway_ip_arr+=("$_ip") diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 6f3a27d..e055e08 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -3398,7 +3398,7 @@ fi # --- -# - Ubiquiti Unifi Controller (Accesspoints) Gateway +# - Ubiquiti Unifi Controller Gateway # --- @@ -3411,13 +3411,30 @@ if $local_unifi_controller_service ; then $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT done + + # Note: + # in contrast to devices at local networks, devices hosted at extern network + # are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr' + # + if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then + for _ip in ${unifi_ap_extern_ip_arr[@]} ; do + $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + done + fi echo_done else echo_skipped fi + echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" -if $local_unifi_controller_service ; then +if $local_unifi_controller_service \ + && [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] \ + && [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then 
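Review bot: The rewritten STUN guard `if $local_unifi_controller_service && [[ local -gt 0 ]] && [[ extern -gt 0 ]]` requires both AP arrays to be non-empty, so a controller with only local APs (the case the old code handled, and what the sample config yields while `unifi_ap_extern_ips` stays empty) now falls through to `echo_skipped` and loses its OUTPUT rules for STUN; the ipt hunk at 4126 has the same condition. The inner `if [[ ... -gt 0 ]]` blocks already guard each array, so the outer test only needs either one: `if $local_unifi_controller_service && [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 || ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then`. On the new INPUT rules for external devices the source address is the only match, which is a weaker gate than the interface-bound local rules because source-only filtering gives no protection against spoofed UDP and `--ctstate NEW` is true for the first datagram anyway; that deserves a comment beside the loop, and for `$unify_broadcast_udp_ports` a check that discovery traffic from outside the broadcast domain is actually expected (ipt hunk 4119 is the same block). The enclosing `if $local_unifi_controller_service` of the first block starts before this hunk and the second `if` continues past it.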
@@ -3427,11 +3444,20 @@ if $local_unifi_controller_service ; then done - echo_done - else - echo_skipped - warn "Local Unifi Controller is defined, but no Unifi APs!" + fi + + if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then + + for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do + + $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + done + fi + + echo_done + else echo_skipped fi diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 9499398..b94a19e 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -4119,6 +4119,20 @@ if $local_unifi_controller_service ; then $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT done + + # Note: + # in contrast to devices at local networks, devices hosted at extern network + # are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr' + # + if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then + for _ip in ${unifi_ap_extern_ip_arr[@]} ; do + $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + done + fi echo_done else echo_skipped @@ -4126,7 +4140,9 @@ fi echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" -if $local_unifi_controller_service ; then +if $local_unifi_controller_service \ + && [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] \ + && [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then 
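Review bot: The new external-AP STUN block loops over the wrong array: `for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do` sits under `if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]`, so external APs never receive an OUTPUT rule while local APs get theirs a second time; the ipt hunk at 4136 repeats this. The line should read `for _ip_ap in ${unifi_ap_extern_ip_arr[@]} ; do`. The removed `warn "Local Unifi Controller is defined, but no Unifi APs!"` was the only hint an admin got for a controller with no APs configured and nothing in the new branches replaces it; a `warn` in the outer `else` when `$local_unifi_controller_service` is true would keep that diagnostic. The ip6t hunk adds the closing `fi` of the local-AP block as a new line where the ipt hunk keeps it as context, which suggests the two scripts did not match before this change — worth confirming the resulting nesting in ip6t-firewall-gateway is what was intended. The enclosing `if $local_unifi_controller_service` starts before the hunk.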
@@ -4136,11 +4152,20 @@ if $local_unifi_controller_service ; then done - echo_done - else - echo_skipped - warn "Local Unifi Controller is defined, but no Unifi APs!" fi + + if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then + + for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do + + $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + done + + fi + + echo_done + else echo_skipped fi