Some changes on unifi rules.
This commit is contained in:
parent
b0421b06c9
commit
63a8722a3e
@ -4424,16 +4424,20 @@ if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
|
||||
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
# Not only unifi devices but also clients need some ports to connect to
|
||||
# unifi controller. So we open the ports on local netwprk devices.
|
||||
#
|
||||
for _local_dev in ${local_if_arr[@]} ; do
|
||||
|
||||
$ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
|
||||
# Note:
|
||||
# in contrast to devices at local networks, devices hosted at extern network
|
||||
# are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr'
|
||||
|
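Review bot: The rules that only reference `$_ip` (`-s $_ip` on INPUT, `-d $_ip` on OUTPUT) sit inside the inner `for _local_dev` loop, so each of them is appended once per entry of `local_if_arr`, and the interface-wide `-i $_local_dev` / `-o $_local_dev` rules are likewise appended once per entry of `unifi_ap_local_ip_arr`; the chain ends up with duplicate ACCEPT rules that do nothing but lengthen rule evaluation and make audits harder. Because the interface loop is nested under the AP-address loop, the interface-wide rules for clients are also never added when `unifi_ap_local_ip_arr` is empty even though the enclosing `if` explicitly admits that case via `unifi_ap_extern_ip_arr`; the comment says clients need these ports, so presumably they should not depend on how many local APs are configured — worth confirming. Splitting the two loops as sketched below keeps the same set of rules once each, and while touching them the array expansions should be quoted (`"${unifi_ap_local_ip_arr[@]}"`, `"${local_if_arr[@]}"`). The IPv4 hunk at `@ -5228` has the same structure and should get the same change; in both hunks the enclosing `if` block closes outside the hunk.
```shell
# … unchanged: if $local_unifi_controller_service && ( … ) ; then …

# Per-AP rules depend only on $_ip: append them once per address.
for _ip in "${unifi_ap_local_ip_arr[@]}" ; do
  $ip6t -A INPUT -p tcp -s "$_ip" -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A INPUT -p udp -s "$_ip" -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A OUTPUT -p tcp -d "$_ip" -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A OUTPUT -p udp -d "$_ip" -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done

# Not only unifi devices but also clients need some ports to connect to the
# unifi controller. These rules depend only on the interface, so they are
# appended once per local interface, regardless of how many local APs exist.
for _local_dev in "${local_if_arr[@]}" ; do
  $ip6t -A INPUT -p tcp -i "$_local_dev" -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A INPUT -p udp -i "$_local_dev" -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A OUTPUT -p tcp -o "$_local_dev" -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
  $ip6t -A OUTPUT -p udp -o "$_local_dev" -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done

# … unchanged: note on devices hosted at extern networks …
```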
@ -5228,13 +5228,16 @@ echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess"
|
||||
if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
# Not only unifi devices but also clients need some ports to connect to
|
||||
# unifi controller. So we open the ports on local netwprk devices.
|
||||
#
|
||||
for _local_dev in ${local_if_arr[@]} ; do
|
||||
|
||||
$ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ipt -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
|