Prevent UniFy controller from WAN access.
		| @@ -2702,40 +2702,52 @@ fi | |||||||
|  |  | ||||||
|  |  | ||||||
| # --- | # --- | ||||||
| # - Ubiquiti Unifi Accesspoints | # - Ubiquiti Unifi Controler (Accesspoints) Gateway | ||||||
| # --- | # --- | ||||||
|  |  | ||||||
| echononl "\t\tUbiquiti Unifi Accesspoints" |  | ||||||
| if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then |  | ||||||
|       if $local_unifi_controller_service ; then |  | ||||||
|  |  | ||||||
|          $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway" | ||||||
|  | if $local_unifi_controller_service ; then | ||||||
|  |    for _dev in ${local_if_arr[@]} ; do | ||||||
|  |       $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|          $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT |       $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|          $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT |       $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|  |    done | ||||||
|  |    echo_done | ||||||
|  | else | ||||||
|  |    echo_skipped | ||||||
|  | fi | ||||||
|  |  | ||||||
|  |  | ||||||
|  | # --- | ||||||
|  | # - Ubiquiti Unifi Controler (Accesspoints) local Network | ||||||
|  | # --- | ||||||
|  |  | ||||||
|  | echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network" | ||||||
|  | if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ | ||||||
|  |    && $kernel_forward_between_interfaces \ | ||||||
|  |    && ! $permit_between_local_networks ; then | ||||||
|  |  | ||||||
|  |    for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do | ||||||
|  |       for _dev in ${local_if_arr[@]} ; do | ||||||
|  |          $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|  |          $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |          $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |       done | ||||||
|  |  | ||||||
|  |       # - Note: | ||||||
|  |       # - If (local) alias interfaces like eth1:0 in use, youe need a further | ||||||
|  |       # - special rule. | ||||||
|  |       # - | ||||||
|  |       if $local_alias_interfaces ; then | ||||||
|  |          $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT | ||||||
|  |          $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT | ||||||
|       fi |       fi | ||||||
|  |  | ||||||
|       if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then |    done | ||||||
|          for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do |  | ||||||
|             for _dev in ${local_if_arr[@]} ; do |  | ||||||
|                $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|  |  | ||||||
|                $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|                $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|             done |  | ||||||
|  |  | ||||||
|             # - Note: |  | ||||||
|             # - If (local) alias interfaces like eth1:0 in use, youe need a further |  | ||||||
|             # - special rule. |  | ||||||
|             # - |  | ||||||
|             if $kernel_forward_between_interfaces && $local_alias_interfaces ; then |  | ||||||
|                $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT |  | ||||||
|                $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT |  | ||||||
|             fi |  | ||||||
|  |  | ||||||
|          done |  | ||||||
|       fi |  | ||||||
|  |  | ||||||
|    echo_done |    echo_done | ||||||
| else | else | ||||||
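Review bot: The two alias-interface rules that close the `_ip_ctl` loop (`--tcp-flag ACK ACK … -j ACCEPT`, sitting after the `_dev` loop's `done`) carry neither an `-i`/`-o` interface match nor a conntrack state match, so once `local_alias_interfaces` is true any ACK-flagged TCP segment to or from the controller ports is forwarded from every interface, including the WAN side this commit sets out to exclude; the IPv4 hunk at @@ -3158 has the same pair of rules. If these rules exist to carry return traffic for connections the preceding `--ctstate NEW` rules accepted, moving them inside the `_dev` loop as `$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT` and `$ip6t -A FORWARD -o $_dev -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT` keeps them bound to local interfaces, and adding `-m conntrack --ctstate ESTABLISHED` would also stop unsolicited ACK segments from being forwarded — unless the alias case deliberately bypasses conntrack, which the hunk does not show. The expansions `${local_if_arr[@]}`, `${unify_controller_local_net_ip_arr[@]}`, `$_dev` and `$_ip_ctl` are unquoted throughout the new loops; quoting them costs nothing and clears ShellCheck SC2068/SC2086. The `if … else` this hunk ends in continues outside the hunk.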
|   | |||||||
| @@ -3158,40 +3158,52 @@ fi | |||||||
|  |  | ||||||
|  |  | ||||||
| # --- | # --- | ||||||
| # - Ubiquiti Unifi Accesspoints | # - Ubiquiti Unifi Controler (Accesspoints) Gateway | ||||||
| # --- | # --- | ||||||
|  |  | ||||||
| echononl "\t\tUbiquiti Unifi Accesspoints" |  | ||||||
| if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then |  | ||||||
|       if $local_unifi_controller_service ; then |  | ||||||
|  |  | ||||||
|          $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway" | ||||||
|  | if $local_unifi_controller_service ; then | ||||||
|  |    for _dev in ${local_if_arr[@]} ; do | ||||||
|  |       $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|          $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT |       $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|          $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT |       $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|  |    done | ||||||
|  |    echo_done | ||||||
|  | else | ||||||
|  |    echo_skipped | ||||||
|  | fi | ||||||
|  |  | ||||||
|  |  | ||||||
|  | # --- | ||||||
|  | # - Ubiquiti Unifi Controler (Accesspoints) local Network | ||||||
|  | # --- | ||||||
|  |  | ||||||
|  | echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network" | ||||||
|  | if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ | ||||||
|  |    && $kernel_activate_forwarding \ | ||||||
|  |    && ! $permit_between_local_networks ; then | ||||||
|  |  | ||||||
|  |    for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do | ||||||
|  |       for _dev in ${local_if_arr[@]} ; do | ||||||
|  |          $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |  | ||||||
|  |          $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |          $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT | ||||||
|  |       done | ||||||
|  |  | ||||||
|  |       # - Note: | ||||||
|  |       # - If (local) alias interfaces like eth1:0 in use, youe need a further | ||||||
|  |       # - special rule. | ||||||
|  |       # - | ||||||
|  |       if $local_alias_interfaces ; then | ||||||
|  |          $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT | ||||||
|  |          $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT | ||||||
|       fi |       fi | ||||||
|  |  | ||||||
|       if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then |    done | ||||||
|          for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do |  | ||||||
|             for _dev in ${local_if_arr[@]} ; do |  | ||||||
|                $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|  |  | ||||||
|                $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl  -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|                $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT |  | ||||||
|             done |  | ||||||
|  |  | ||||||
|             # - Note: |  | ||||||
|             # - If (local) alias interfaces like eth1:0 in use, youe need a further |  | ||||||
|             # - special rule. |  | ||||||
|             # - |  | ||||||
|             if $kernel_activate_forwarding && $local_alias_interfaces ; then |  | ||||||
|                $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT |  | ||||||
|                $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT |  | ||||||
|             fi |  | ||||||
|  |  | ||||||
|          done |  | ||||||
|       fi |  | ||||||
|  |  | ||||||
|    echo_done |    echo_done | ||||||
| else | else | ||||||
|   | |||||||