From d6cf4297361f44f42eada302ab9441087a79babd Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 23 Mar 2021 11:14:18 +0100 Subject: [PATCH] Change default ports for Unifi Controller and define them in file 'default_ports.conf'. --- conf/default_ports.conf | 75 ++++++++++++++++++++++++++++++++++++++ conf/main_ipv4.conf.sample | 65 +++++++++++++++++++++++++-------- conf/main_ipv6.conf.sample | 64 ++++++++++++++++++++++++-------- ip6t-firewall-gateway | 44 ++++++++++++++-------- ipt-firewall-gateway | 42 +++++++++++++-------- 5 files changed, 229 insertions(+), 61 deletions(-) diff --git a/conf/default_ports.conf b/conf/default_ports.conf index faa166e..d60ff1e 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf 
@@ -60,6 +60,81 @@ standard_ipsec_nat_t=4500 standard_http_ports="80,443" standard_mailuser_ports="587,465,110,995,143,993" + +# - UniFi - Ports Used +# - +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used +# - +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used +# - +# - In version 4.5.2 and later, users can also define the port assigned to STUN services, +# - for scenarios where two or more separate UniFi instances are desired on the +# - same controller machine. +# - +# - unifi_stun_port=3478 # UDP port used for STUN +# - # Open Port from controller to Unifi APs +# - +# - +# - Ubiquity Networks uses port 10001/UDP for its AirControl +# - management discovery protocol +# - +# - unifi_aircontroll_port=10001 +# - +# - +# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. +# - There is no need to open firewall for these ports on controller. However, on +# - controller, avoid to use these ports: +# - +# - port 8881 for redirector port for wireless clients +# - port 8882 for redirector port for wired clients +# - +# - +# - For AP-EDU Broadcasts: +# - +# - UDP ports 5656-5699 +# - +# - +# - Local IN Ports +# - ============== +# - +# - TCP +# - === +# - TCP 8080 used for device and controller communication. +# - TCP 8443 used for controller GUI/API as seen in a web browser +# - TCP 8880 used for HTTP portal redirection. +# - TCP 8843 used for HTTPS portal redirection. +# - TCP 6789 used for UniFi mobile speed test. +# - TCP 27117 used for local-bound database communication. +# - +# - UDP +# - ==== +# - UDP 3478 used for STUN. +# - UDP 5514 used for remote syslog capture. +# - UDP 5656-5699 used by AP-EDU broadcasting. +# - UDP 10001 used for device discovery +# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings. 
+# - +# - +# - OUT Ports Required for UniFi Remote Access +# - ========================================== +# - +# - TCP +# - === +# - TCP 8883 used for Remote Access service. +# - TCP 443 used for Remote Access service. +# - +# - UDP +# - === +# - UDP 3478 used for STUN. +# - UDP 443 used for Remote Access service. +# - +standard_unifi_tcp_ctrl_in_ports="8080,8443,8880,8843,6789,27117" +standard_unifi_udp_ctrl_in_ports="3478,5514,5656:5699,10001,1900" + +standard_unifi_tcp_ctrl_out_ports="443,8883" +standard_unifi_udp_ctrl_out_ports="443,3478" + + # - BigBlueButton Video Conference Service # - standard_bigbluebutton_tcp_ports="$standard_http_ports" diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 458385a..dadd8a1 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample 
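Review bot: The new `standard_unifi_tcp_ctrl_in_ports` list still carries 27117 although the comment directly above it says TCP 27117 is local-bound database communication; because ip6t-firewall-gateway and ipt-firewall-gateway append INPUT ACCEPT rules for this list on every local interface, the controller's database port is reachable from the whole LAN. I would drop it, `standard_unifi_tcp_ctrl_in_ports="8080,8443,8880,8843,6789"`, with the comment `# - 27117 deliberately omitted: local-bound DB port, must not be exposed`. The UDP IN list also newly opens 5514 (remote syslog) and 1900 (SSDP discovery), which the previous per-config defaults (3478 plus 10001,5656:5699) did not; that widening should be stated in the commit message or next to the value. The two `see:` lines are duplicates here and in the copies in conf/main_ipv4.conf.sample and conf/main_ipv6.conf.sample. Finally, the `*_ctrl_out_ports` values are destination ports of connections the controller initiates (Remote Access, STUN), which a comment such as `# - OUT lists are DESTINATION ports of controller-initiated connections, not controller listen ports` should say so that they are not used as source-port matches.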
@@ -1103,31 +1103,28 @@ remote_console_port=5900 # - Ubiquiti Unifi # ====== -# - By default, the UniFi controller will operate on the following ports: +# - UniFi - Ports Used # - -# - unifi_http_port=8080 (port for UAP to inform controller) -# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser) -# - unifi_portal_http_port=8880 (port for HTTP portal redirect - Hotspot) -# - unifi_portal_https_port=8843 (port for HTTPS portal redirect - Hotspot) -# - unifi_http_port=6789 (port used for throughput measurement) -# - unifi_db_port=27117 (local-bound port for DB server) +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used # - +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used # - -# - In version 4.5.2 and later, users can also define the port assigned to STUN services, -# - for scenarios where two or more separate UniFi instances are desired on the +# - In version 4.5.2 and later, users can also define the port assigned to STUN services, +# - for scenarios where two or more separate UniFi instances are desired on the # - same controller machine. # - # - unifi_stun_port=3478 # UDP port used for STUN # - # Open Port from controller to Unifi APs # - -# - Ubiquity Networks uses port 10001/UDP for its AirControl +# - +# - Ubiquity Networks uses port 10001/UDP for its AirControl # - management discovery protocol # - # - unifi_aircontroll_port=10001 # - # - -# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. -# - There is no need to open firewall for these ports on controller. However, on +# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. +# - There is no need to open firewall for these ports on controller. However, on # - controller, avoid to use these ports: # - # - port 8881 for redirector port for wireless clients 
@@ -1138,9 +1135,47 @@ remote_console_port=5900 # - # - UDP ports 5656-5699 # - -unify_tcp_ports="8080,8443,8880,8843,6789,27117" -unify_udp_ports="3478" -unify_broadcast_udp_ports="10001,5656:5699" +# - +# - Local IN Ports +# - ============== +# - +# - TCP +# - === +# - TCP 8080 used for device and controller communication. +# - TCP 8443 used for controller GUI/API as seen in a web browser +# - TCP 8880 used for HTTP portal redirection. +# - TCP 8843 used for HTTPS portal redirection. +# - TCP 6789 used for UniFi mobile speed test. +# - TCP 27117 used for local-bound database communication. +# - +# - UDP +# - ==== +# - UDP 3478 used for STUN. +# - UDP 5514 used for remote syslog capture. +# - UDP 5656-5699 used by AP-EDU broadcasting. +# - UDP 10001 used for device discovery +# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings. +# - +# - +# - OUT Ports Required for UniFi Remote Access +# - ========================================== +# - +# - TCP +# - === +# - TCP 8883 used for Remote Access service. +# - TCP 443 used for Remote Access service. +# - +# - UDP +# - === +# - UDP 3478 used for STUN. +# - UDP 443 used for Remote Access service. +# - +unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports" +unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports" + +unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports" +unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports" + # - Unifi Controller at gateway? # - diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index a064bdf..1e6ef84 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample 
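Review bot: `unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports"` and the three assignments after it only work if conf/default_ports.conf has been sourced before this file is read; the diff does not show that ordering, so if main_ipv4.conf is loaded first the four variables expand to empty strings and every `--dports $unifi_…` rule in the gateway scripts fails to install. If the load order is not guaranteed, fall back explicitly, e.g. `unifi_tcp_ctrl_in_ports="${standard_unifi_tcp_ctrl_in_ports:-<literal default list>}"`. The comment lines `unifi_stun_port=3478` and `unifi_aircontroll_port=10001` kept above no longer correspond to any variable defined here and should be reworded as plain port descriptions. The same applies to the identical hunk in conf/main_ipv6.conf.sample.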
@@ -1080,32 +1080,28 @@ remote_console_port=5900 # - Ubiquiti Unifi # ====== -# - By default, the UniFi controller will operate on the following ports: +# - UniFi - Ports Used # - -# - unifi_http_port=8080 (port for UAP to inform controller) -# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser) -# - unifi_portal_http_port=8880 (port for HTTP portal redirect) -# - unifi_portal_https_port=8843 (port for HTTPS portal redirect) -# - unifi_http_port=6789 (port used for throughput measurement) -# - unifi_db_port=27117 (local-bound port for DB server) +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used # - +# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used # - -# - In version 4.5.2 and later, users can also define the port assigned to STUN services, -# - for scenarios where two or more separate UniFi instances are desired on the +# - In version 4.5.2 and later, users can also define the port assigned to STUN services, +# - for scenarios where two or more separate UniFi instances are desired on the # - same controller machine. # - # - unifi_stun_port=3478 # UDP port used for STUN # - # Open Port from controller to Unifi APs # - # - -# - Ubiquity Networks uses port 10001/UDP for its AirControl +# - Ubiquity Networks uses port 10001/UDP for its AirControl # - management discovery protocol # - # - unifi_aircontroll_port=10001 # - # - -# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. -# - There is no need to open firewall for these ports on controller. However, on +# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. +# - There is no need to open firewall for these ports on controller. However, on # - controller, avoid to use these ports: # - # - port 8881 for redirector port for wireless clients 
@@ -1116,9 +1112,47 @@ remote_console_port=5900 # - # - UDP ports 5656-5699 # - -unify_tcp_ports="8080,8443,8880,8843,6789,27117" -unify_udp_ports="3478" -unify_broadcast_udp_ports="10001,5656:5699" +# - +# - Local IN Ports +# - ============== +# - +# - TCP +# - === +# - TCP 8080 used for device and controller communication. +# - TCP 8443 used for controller GUI/API as seen in a web browser +# - TCP 8880 used for HTTP portal redirection. +# - TCP 8843 used for HTTPS portal redirection. +# - TCP 6789 used for UniFi mobile speed test. +# - TCP 27117 used for local-bound database communication. +# - +# - UDP +# - ==== +# - UDP 3478 used for STUN. +# - UDP 5514 used for remote syslog capture. +# - UDP 5656-5699 used by AP-EDU broadcasting. +# - UDP 10001 used for device discovery +# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings. +# - +# - +# - OUT Ports Required for UniFi Remote Access +# - ========================================== +# - +# - TCP +# - === +# - TCP 8883 used for Remote Access service. +# - TCP 443 used for Remote Access service. +# - +# - UDP +# - === +# - UDP 3478 used for STUN. +# - UDP 443 used for Remote Access service. +# - +unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports" +unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports" + +unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports" +unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports" + # - Unifi Controller at gateway? # - diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 4285692..c3e0463 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway 
@@ -3749,13 +3749,12 @@ fi # --- -echononl "\t\tUbiquiti Unifi Controller Gateway" +echononl "\t\tUbiquiti Unifi Controller Gateway IN" if $local_unifi_controller_service ; then for _dev in ${local_if_arr[@]} ; do - $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done @@ -3765,10 +3764,9 @@ if $local_unifi_controller_service ; then # if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then for _ip in ${unifi_ap_extern_ip_arr[@]} ; do - $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done fi @@ -3778,7 +3776,7 @@ else fi -echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" +echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then 
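Review bot: The INPUT rules now read `$unifi_tcp_ctrl_in_ports` and `$unifi_udp_ctrl_in_ports`, but an already-deployed main_ipv4.conf/main_ipv6.conf still defines the old `unify_tcp_ports`, `unify_udp_ports` and `unify_broadcast_udp_ports`; with the new names unset the unquoted expansion vanishes, iptables sees `--dports -m` and rejects the rule, so after an upgrade the controller ports are no longer accepted unless someone notices the error output. Guard the rename where the configuration is validated, for example `[[ -n "$unifi_tcp_ctrl_in_ports" && -n "$unifi_udp_ctrl_in_ports" ]] || { echo "unifi_*_ctrl_in_ports not set (renamed from unify_*_ports)" >&2; exit 1; }` using whatever error helper the script already has, or map the old names onto the new ones once. The same applies to every other hunk in this file and in ipt-firewall-gateway that uses the four renamed variables.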
@@ -3786,17 +3784,19 @@ if $local_unifi_controller_service \ for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done - fi + fi if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done 
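Review bot: The added OUTPUT rule `-p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports` will not match real traffic: 443 and 8883 are, per the "OUT Ports" comment in default_ports.conf, the destination ports of the controller's own Remote Access connections, not source ports the controller would use towards an AP, so the TCP rule is dead and the 443 entry of the UDP rule likewise. Either keep only the STUN source port the old rule had, or, if controller-initiated connections to the APs are meant, match `--dports` with the ports the APs listen on, which the new lists do not describe; the FORWARD hunk later in this file already uses `--dports` for the out list, so the two hunks disagree on what "out ports" means. Note also that the `unifi_ap_extern_ip_arr` branch below still iterates `${unifi_ap_local_ip_arr[@]}` (unchanged context line), so the external-AP rules are appended for the local addresses; that predates this commit but the new lines inherit it. The same applies to the two matching hunks in ipt-firewall-gateway.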
@@ -3820,10 +3820,13 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + done # - Note: 
@@ -3831,8 +3834,17 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ # - special rule. # - if $local_alias_interfaces ; then - $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + + $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + + $ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + + $ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi done diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 0212933..f2afa5c 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
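Review bot: The four new `-p udp … --tcp-flag ACK ACK` lines are invalid ip6tables invocations: `--tcp-flags` belongs to the tcp match, which is only loaded for `-p tcp`, so each call is rejected with an unknown-option error and no rule is installed. The ACK workaround exists for asymmetric TCP flows that conntrack never saw; UDP has no equivalent, so the four UDP lines should be deleted, or, if a stateless UDP accept is really wanted for the alias-interface case, written without the flag match, e.g. `$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -j ACCEPT`. The TCP rules for `$unifi_tcp_ctrl_out_ports` additionally accept any ACK packet towards the controller on 443/8883, ports the IN list says the controller does not listen on; presumably harmless, but a one-line comment on why they are needed would help. The same four UDP lines appear in the corresponding hunk of ipt-firewall-gateway.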
@@ -4454,13 +4454,12 @@ fi # --- -echononl "\t\tUbiquiti Unifi Controller Gateway" +echononl "\t\tUbiquiti Unifi Controller Gateway IN" if $local_unifi_controller_service ; then for _dev in ${local_if_arr[@]} ; do - $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done @@ -4470,10 +4469,9 @@ if $local_unifi_controller_service ; then # if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then for _ip in ${unifi_ap_extern_ip_arr[@]} ; do - $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done fi @@ -4483,7 +4481,7 @@ else fi -echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" +echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then 
@@ -4491,7 +4489,8 @@ if $local_unifi_controller_service \ for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done @@ -4501,7 +4500,8 @@ if $local_unifi_controller_service \ for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done 
@@ -4525,10 +4525,13 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + done # - Note: 
@@ -4536,8 +4539,17 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ # - special rule. # - if $local_alias_interfaces ; then - $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi done