Prevent UniFy controller from WAN access.

ip6t-firewall-gateway

@@ -2702,21 +2702,34 @@ fi
 
 
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
 
-echononl "\t\tUbiquiti Unifi Accesspoints"
-if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
 if $local_unifi_controller_service ; then
+   for _dev in ${local_if_arr[@]} ; do
+      $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
 
-         $ip6t -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-
-         $ip6t -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ip6t -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
 
+   done
+   echo_done
+else
+   echo_skipped
 fi
 
-      if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+
+# ---
+# - Ubiquiti Unifi Controler (Accesspoints) local Network
+# ---
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
+if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
+   && $kernel_forward_between_interfaces \
+   && ! $permit_between_local_networks ; then
+
    for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
       for _dev in ${local_if_arr[@]} ; do
          $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
@@ -2729,13 +2742,12 @@ if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]
       # - If (local) alias interfaces like eth1:0 in use, youe need a further
       # - special rule.
       # -
-            if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
+      if $local_alias_interfaces ; then
          $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
          $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
       fi
 
    done
-      fi
 
    echo_done
 else

ipt-firewall-gateway

@@ -3158,21 +3158,34 @@ fi
 
 
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controler (Accesspoints) Gateway
 # ---
 
-echononl "\t\tUbiquiti Unifi Accesspoints"
-if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) Gateway"
 if $local_unifi_controller_service ; then
+   for _dev in ${local_if_arr[@]} ; do
+      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
 
-         $ipt -A INPUT -p udp -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
-
-         $ipt -A INPUT -p tcp -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-         $ipt -A INPUT -p udp -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
 
+   done
+   echo_done
+else
+   echo_skipped
 fi
 
-      if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
+
+# ---
+# - Ubiquiti Unifi Controler (Accesspoints) local Network
+# ---
+
+echononl "\t\tUbiquiti Unifi Controler (Accesspoints) local Network"
+if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
+   && $kernel_activate_forwarding \
+   && ! $permit_between_local_networks ; then
+
    for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
       for _dev in ${local_if_arr[@]} ; do
          $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl  -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
@@ -3185,13 +3198,12 @@ if $local_unifi_controller_service || [[ ${#unify_controller_local_net_ip_arr[@]
       # - If (local) alias interfaces like eth1:0 in use, youe need a further
       # - special rule.
       # -
-            if $kernel_activate_forwarding && $local_alias_interfaces ; then
+      if $local_alias_interfaces ; then
          $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
          $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
       fi
 
    done
-      fi
 
    echo_done
 else