firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change default ports for Unifi Controller and define them in file 'default_ports.conf'.

Browse Source
This commit is contained in:
Christoph 2021-03-23 11:14:18 +01:00
parent b005fff18f
commit d6cf429736
5 changed files with 229 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
conf/default_ports.conf
View File

@ -60,6 +60,81 @@ standard_ipsec_nat_t=4500
standard_http_ports="80,443" standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993" standard_mailuser_ports="587,465,110,995,143,993"
# - UniFi - Ports Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# - # Open Port from controller to Unifi APs
# -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open firewall for these ports on controller. However, on
# - controller, avoid to use these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
# -
# - Local IN Ports
# - ==============
# -
# - TCP
# - ===
# - TCP 8080 used for device and controller communication.
# - TCP 8443 used for controller GUI/API as seen in a web browser
# - TCP 8880 used for HTTP portal redirection.
# - TCP 8843 used for HTTPS portal redirection.
# - TCP 6789 used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ====
# - UDP 3478 used for STUN.
# - UDP 5514 used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001 used for device discovery
# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings.
# -
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443 used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443 used for Remote Access service.
# -
standard_unifi_tcp_ctrl_in_ports="8080,8443,8880,8843,6789,27117"
standard_unifi_udp_ctrl_in_ports="3478,5514,5656:5699,10001,1900"
standard_unifi_tcp_ctrl_out_ports="443,8883"
standard_unifi_udp_ctrl_out_ports="443,3478"
# - BigBlueButton Video Conference Service # - BigBlueButton Video Conference Service
# - # -
standard_bigbluebutton_tcp_ports="$standard_http_ports" standard_bigbluebutton_tcp_ports="$standard_http_ports"

55
conf/main_ipv4.conf.sample
View File

@ -1103,15 +1103,11 @@ remote_console_port=5900
# - Ubiquiti Unifi # - Ubiquiti Unifi
# ====== # ======
# - By default, the UniFi controller will operate on the following ports: # - UniFi - Ports Used
# - # -
# - unifi_http_port=8080 (port for UAP to inform controller) # - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
# - unifi_portal_http_port=8880 (port for HTTP portal redirect - Hotspot)
# - unifi_portal_https_port=8843 (port for HTTPS portal redirect - Hotspot)
# - unifi_http_port=6789 (port used for throughput measurement)
# - unifi_db_port=27117 (local-bound port for DB server)
# - # -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# - # -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services, # - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the # - for scenarios where two or more separate UniFi instances are desired on the
@ -1120,6 +1116,7 @@ remote_console_port=5900
# - unifi_stun_port=3478 # UDP port used for STUN # - unifi_stun_port=3478 # UDP port used for STUN
# - # Open Port from controller to Unifi APs # - # Open Port from controller to Unifi APs
# - # -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl # - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol # - management discovery protocol
# - # -
@ -1138,9 +1135,47 @@ remote_console_port=5900
# - # -
# - UDP ports 5656-5699 # - UDP ports 5656-5699
# - # -
unify_tcp_ports="8080,8443,8880,8843,6789,27117" # -
unify_udp_ports="3478" # - Local IN Ports
unify_broadcast_udp_ports="10001,5656:5699" # - ==============
# -
# - TCP
# - ===
# - TCP 8080 used for device and controller communication.
# - TCP 8443 used for controller GUI/API as seen in a web browser
# - TCP 8880 used for HTTP portal redirection.
# - TCP 8843 used for HTTPS portal redirection.
# - TCP 6789 used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ====
# - UDP 3478 used for STUN.
# - UDP 5514 used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001 used for device discovery
# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings.
# -
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443 used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443 used for Remote Access service.
# -
unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports"
unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports"
unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports"
unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports"
# - Unifi Controller at gateway? # - Unifi Controller at gateway?
# - # -

54
conf/main_ipv6.conf.sample
View File

@ -1080,15 +1080,11 @@ remote_console_port=5900
# - Ubiquiti Unifi # - Ubiquiti Unifi
# ====== # ======
# - By default, the UniFi controller will operate on the following ports: # - UniFi - Ports Used
# - # -
# - unifi_http_port=8080 (port for UAP to inform controller) # - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
# - unifi_portal_http_port=8880 (port for HTTP portal redirect)
# - unifi_portal_https_port=8843 (port for HTTPS portal redirect)
# - unifi_http_port=6789 (port used for throughput measurement)
# - unifi_db_port=27117 (local-bound port for DB server)
# - # -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# - # -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services, # - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the # - for scenarios where two or more separate UniFi instances are desired on the
@ -1116,9 +1112,47 @@ remote_console_port=5900
# - # -
# - UDP ports 5656-5699 # - UDP ports 5656-5699
# - # -
unify_tcp_ports="8080,8443,8880,8843,6789,27117" # -
unify_udp_ports="3478" # - Local IN Ports
unify_broadcast_udp_ports="10001,5656:5699" # - ==============
# -
# - TCP
# - ===
# - TCP 8080 used for device and controller communication.
# - TCP 8443 used for controller GUI/API as seen in a web browser
# - TCP 8880 used for HTTP portal redirection.
# - TCP 8843 used for HTTPS portal redirection.
# - TCP 6789 used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ====
# - UDP 3478 used for STUN.
# - UDP 5514 used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001 used for device discovery
# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings.
# -
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443 used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443 used for Remote Access service.
# -
unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports"
unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports"
unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports"
unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports"
# - Unifi Controller at gateway? # - Unifi Controller at gateway?
# - # -

42
ip6t-firewall-gateway
View File

@ -3749,13 +3749,12 @@ fi
# --- # ---
echononl "\t\tUbiquiti Unifi Controller Gateway" echononl "\t\tUbiquiti Unifi Controller Gateway IN"
if $local_unifi_controller_service ; then if $local_unifi_controller_service ; then
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -3765,10 +3764,9 @@ if $local_unifi_controller_service ; then
# #
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then
for _ip in ${unifi_ap_extern_ip_arr[@]} ; do for _ip in ${unifi_ap_extern_ip_arr[@]} ; do
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@ -3778,7 +3776,7 @@ else
fi fi
echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
if $local_unifi_controller_service \ if $local_unifi_controller_service \
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
@ -3786,7 +3784,8 @@ if $local_unifi_controller_service \
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -3796,7 +3795,8 @@ if $local_unifi_controller_service \
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -3820,10 +3820,13 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
# - Note: # - Note:
@ -3831,8 +3834,17 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
# - special rule. # - special rule.
# - # -
if $local_alias_interfaces ; then if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
fi fi
done done

42
ipt-firewall-gateway
View File

@ -4454,13 +4454,12 @@ fi
# --- # ---
echononl "\t\tUbiquiti Unifi Controller Gateway" echononl "\t\tUbiquiti Unifi Controller Gateway IN"
if $local_unifi_controller_service ; then if $local_unifi_controller_service ; then
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -4470,10 +4469,9 @@ if $local_unifi_controller_service ; then
# #
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then
for _ip in ${unifi_ap_extern_ip_arr[@]} ; do for _ip in ${unifi_ap_extern_ip_arr[@]} ; do
$ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -s $_ip -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@ -4483,7 +4481,7 @@ else
fi fi
echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs" echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
if $local_unifi_controller_service \ if $local_unifi_controller_service \
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
@ -4491,7 +4489,8 @@ if $local_unifi_controller_service \
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -4501,7 +4500,8 @@ if $local_unifi_controller_service \
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
@ -4525,10 +4525,13 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done done
# - Note: # - Note:
@ -4536,8 +4539,17 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
# - special rule. # - special rule.
# - # -
if $local_alias_interfaces ; then if $local_alias_interfaces ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
fi fi
done done