From 63a8722a3ecd00fac4fe91dd557dbfb29f9569a0 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 21 Nov 2022 21:01:01 +0100
Subject: [PATCH] Some changes on unifi rules.
---
 ip6t-firewall-gateway | 14 +++++++++-----
 ipt-firewall-gateway | 13 ++++++++-----
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index d49b394..d0218cc 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -4424,16 +4424,20 @@ if $local_unifi_controller_service \
 && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
- for _ip in ${unifi_ap_local_ip_arr[@]} ; do
+ # Not only unifi devices but also clients need some ports to connect to
+ # unifi controller. So we open the ports on local netwprk devices.
+ #
+ for _local_dev in ${local_if_arr[@]} ; do
- $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
 done
+ # Note:
 # in contrast to devices at local networks, devices hosted at extern network
 # are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr'
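Review bot: The new loop drops the per-device source restriction entirely: `-i $_local_dev` with no `-s` now admits every host on every interface in `local_if_arr` to the whole `$unifi_tcp_ctrl_in_ports` / `$unifi_udp_ctrl_in_ports` set, where the removed rules admitted only the addresses in `unifi_ap_local_ip_arr`, so any controller management ports in that list (not visible here) become reachable from all LAN clients. Consider keeping the `-s $_ip` rules for the AP array and adding the interface-wide rules only for a separate, narrower client-facing port list (a new variable, name to be chosen, e.g. `unifi_tcp_client_in_ports`), so the widening is limited to what clients actually need. The enclosing `if` still gates on `unifi_ap_local_ip_arr` or `unifi_ap_extern_ip_arr` being non-empty, which no longer matches what the loop iterates (`local_if_arr`), so the local-interface rules are added or skipped based on an unrelated array. The same hunk in ipt-firewall-gateway has the same issue, and the added comment has a typo, `netwprk` → `network`. The enclosing if-block continues outside the hunk.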
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index fee592c..ed1f546 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -5228,13 +5228,16 @@ echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess"
 if $local_unifi_controller_service \
 && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
- for _ip in ${unifi_ap_local_ip_arr[@]} ; do
+ # Not only unifi devices but also clients need some ports to connect to
+ # unifi controller. So we open the ports on local netwprk devices.
+ #
+ for _local_dev in ${local_if_arr[@]} ; do
- $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
 done