Prevent UniFy controller from WAN access.

2017-04-22 02:48:26 +02:00 · 2017-04-22 02:48:26 +02:00 · 99c8301305
commit 99c8301305
parent 0c55b9afe0
2 changed files with 78 additions and 54 deletions
--- a/66
+++ b/66
@ -2702,40 +2702,52 @@ fi
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
 echononl "\t\tUbiquiti Unifi Accesspoints"
 if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
      if $local_unifi_controller_service ; then
-         $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
 if $local_unifi_controller_service ; then
   for _dev in ${local_if_arr[@]} ; do
      $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
 else
   echo_skipped
 fi
 # ---
 # - Ubiquiti Unifi Controler (Accesspoints) local Network
 # ---
 echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
 if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
   && $kernel_forward_between_interfaces \
   && ! $permit_between_local_networks ; then
   for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
         $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
         $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
      done
      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
         $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
      fi
-      if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+   done
         for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
            for _dev in ${local_if_arr[@]} ; do
               $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
               $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
               $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
            done
            # - Note:
            # - If (local) alias interfaces like eth1:0 in use, youe need a further
            # - special rule.
            # -
            if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
               $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
               $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
            fi
         done
      fi
   echo_done
 else
--- a/66
+++ b/66
@ -3158,40 +3158,52 @@ fi
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
 echononl "\t\tUbiquiti Unifi Accesspoints"
 if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
      if $local_unifi_controller_service ; then
-         $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
 if $local_unifi_controller_service ; then
   for _dev in ${local_if_arr[@]} ; do
      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
   done
   echo_done
 else
   echo_skipped
 fi
 # ---
 # - Ubiquiti Unifi Controler (Accesspoints) local Network
 # ---
 echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
 if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
   && $kernel_activate_forwarding \
   && ! $permit_between_local_networks ; then
   for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
      for _dev in ${local_if_arr[@]} ; do
         $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
         $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
      done
      # - Note:
      # - If (local) alias interfaces like eth1:0 in use, youe need a further
      # - special rule.
      # -
      if $local_alias_interfaces ; then
         $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
         $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
      fi
-      if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+   done
         for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
            for _dev in ${local_if_arr[@]} ; do
               $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
               $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
               $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
            done
            # - Note:
            # - If (local) alias interfaces like eth1:0 in use, youe need a further
            # - special rule.
            # -
            if $kernel_activate_forwarding && $local_alias_interfaces ; then
               $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
               $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
            fi
         done
      fi
   echo_done
 else