From 99c83013052c28966548d386d0c01ae94ac9e9ae Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 22 Apr 2017 02:48:26 +0200
Subject: [PATCH] Prevent UniFy controller from WAN access.
---
 ip6t-firewall-gateway | 66 +++++++++++++++++++++++++------------------
 ipt-firewall-gateway | 66 +++++++++++++++++++++++++------------------
 2 files changed, 78 insertions(+), 54 deletions(-)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 5886d98..7e97aa6 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2702,40 +2702,52 @@ fi
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
-echononl "\t\tUbiquiti Unifi Accesspoints"
-if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- if $local_unifi_controller_service ; then
- $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
+if $local_unifi_controller_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Ubiquiti Unifi Controler (Accesspoints) local Network
+# ---
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
+if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces \
+ && ! $permit_between_local_networks ; then
+
+ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
 fi
- if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
- for _dev in ${local_if_arr[@]} ; do
- $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-
- $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
- done
-
- # - Note:
- # - If (local) alias interfaces like eth1:0 in use, youe need a further
- # - special rule.
- # -
- if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
- $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
- $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
- fi
-
- done
- fi
+ done
 echo_done
 else
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 3f9d782..fe6d679 100755
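Review bot: The two `--tcp-flag ACK ACK` FORWARD rules kept under `if $local_alias_interfaces ; then` still carry no `-i`/`-o` interface match and no `-m conntrack` state match, so with alias interfaces enabled any ACK-flagged TCP segment to `$_ip_ctl` on `$unify_tcp_ports` (or from it on `--sports`) is accepted in FORWARD whatever interface it arrived on — the interface binding this commit adds to the INPUT rules and to the `--ctstate NEW` FORWARD rules is not mirrored there. Whether that leaves the controller reachable from the WAN depends on rules earlier in the FORWARD chain that are outside this hunk, so it is something to confirm rather than a certain hole. If no earlier WAN-side drop covers the controller, placing the two rules inside the same `for _dev in ${local_if_arr[@]} ; do` loop and adding `-i $_dev` to both would keep the alias-interface workaround while limiting it to local interfaces. The matching hunk in ipt-firewall-gateway has the same shape.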
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -3158,40 +3158,52 @@ fi
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
-echononl "\t\tUbiquiti Unifi Accesspoints"
-if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- if $local_unifi_controller_service ; then
- $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
+if $local_unifi_controller_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Ubiquiti Unifi Controler (Accesspoints) local Network
+# ---
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
+if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding \
+ && ! $permit_between_local_networks ; then
+
+ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
 fi
- if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
- for _dev in ${local_if_arr[@]} ; do
- $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-
- $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
- done
-
- # - Note:
- # - If (local) alias interfaces like eth1:0 in use, youe need a further
- # - special rule.
- # -
- if $kernel_activate_forwarding && $local_alias_interfaces ; then
- $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
- fi
-
- done
- fi
+ done
 echo_done
 else
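Review bot: The new `for _dev in ${local_if_arr[@]} ; do` loop in the INPUT block, and the moved `for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do` loop, expand the arrays unquoted, so an element containing whitespace or glob characters is split or expanded before it reaches `$ipt`; assuming these are genuine bash arrays (they are sized with `${#...[@]}`), `for _dev in "${local_if_arr[@]}" ; do` and `for _ip_ctl in "${unify_controller_local_net_ip_arr[@]}" ; do` are the safe forms, with `-i "$_dev"` and `-d "$_ip_ctl"` quoted likewise in the rule lines. The new banner comments and the two `echononl` strings spell `Controler`, and the carried-over note reads `youe need`; `Controller` and `you need` are meant, and since the `echononl` text is printed output that correction changes the progress line, not only a comment. The ip6t-firewall-gateway hunk has the same quoting and spelling.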