firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent UniFy controller from WAN access.

Browse Source
This commit is contained in:
Christoph 2017-04-22 02:48:26 +02:00
parent 0c55b9afe0
commit 99c8301305
2 changed files with 78 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
ip6t-firewall-gateway
View File

@ -2702,21 +2702,34 @@ fi
# --- # ---
# - Ubiquiti Unifi Accesspoints # - Ubiquiti Unifi Controler (Accesspoints) Gateway
# --- # ---
echononl "\t\tUbiquiti Unifi Accesspoints"
if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
if $local_unifi_controller_service ; then
$ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
if $local_unifi_controller_service ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi done
echo_done
else
echo_skipped
fi
# ---
# - Ubiquiti Unifi Controler (Accesspoints) local Network
# ---
echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
@ -2729,13 +2742,12 @@ if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]
# - If (local) alias interfaces like eth1:0 in use, youe need a further # - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule. # - special rule.
# - # -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
fi fi
done done
fi
echo_done echo_done
else else

34
ipt-firewall-gateway
View File

@ -3158,21 +3158,34 @@ fi
# --- # ---
# - Ubiquiti Unifi Accesspoints # - Ubiquiti Unifi Controler (Accesspoints) Gateway
# --- # ---
echononl "\t\tUbiquiti Unifi Accesspoints"
if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
if $local_unifi_controller_service ; then
$ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
if $local_unifi_controller_service ; then
for _dev in ${local_if_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi done
echo_done
else
echo_skipped
fi
# ---
# - Ubiquiti Unifi Controler (Accesspoints) local Network
# ---
echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding \
&& ! $permit_between_local_networks ; then
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
@ -3185,13 +3198,12 @@ if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]
# - If (local) alias interfaces like eth1:0 in use, youe need a further # - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule. # - special rule.
# - # -
if $kernel_activate_forwarding && $local_alias_interfaces ; then if $local_alias_interfaces ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
fi fi
done done
fi
echo_done echo_done
else else