Question

ufw port forwarding

Hi there,

I’ve been following https://crosstalksolutions.com/definitive-guide-to-hosted-unifi/ in order to set up the unifi controller on DO. It works perfectly, but my ISP supplies me with a dynamic IP address. We have a lot of work going on at the moment which means throughout the day, the power goes off for a while and we power up, I get a new IP. Is there any way to handle this with firewall rules so I don’t have to keep manually logging in and allowing my new ip through? At the moment I’m having to load the console from the DO account page and login as root to unblock myself.



Hi

ufw allows you to define IP ranges using CIDR, though the downside, in this case, would be that you’d be casting a wide net and anyone on the range would be able to access the login page for Unifi.

Example

ufw allow from 10.1.1.0/24 to any port 8443

This will allow any IP from 10.1.1.0 to 10.1.1.255. You can cast it wider by moving up to a /16 (replacing the /24), allowing access from 10.1.0.0 to 10.1.255.255

ufw allow from 10.1.0.0/16 to any port 8443

This will reduce the chances of you having to change the IP, though it won’t eliminate it–especially if your IP changes the entire range and you’re not aware of all ranges in use.

The better solution would be to use a shell script locally which pushes the change to your remote Droplet with the UniFi Controller installed. You’d need CRON and Bash locally to set this up. This could be done on a small raspberry pi or even a VM if you can run one locally.

Local Shell Script

This will be used to pull your current IP and pass it to the remote server so ufw allows the correct IP through.

ipupdate-local.sh

#!/usr/bin/env bash

# Fetch this machine's current public IP (the trailing newline is stripped by $(...))
ipAddress=$(curl -s icanhazip.com)

# Pass it to the Droplet; the remote script exits without touching ufw if it is empty
ssh root@1.1.1.1 "/opt/ipupdate-remote.sh ${ipAddress}"

You’ll want to update the IP above (1.1.1.1) to match your Droplet IP and then give the above script execution permissions using chmod +x ipupdate-local.sh. This script can then be executed via CRON every N minutes using:

*/5 * * * * /path/to/ipupdate-local.sh

Remote Shell Script

This will be used to reset ufw so that it uses the new IP passed through by ipupdate-local.sh. If no IP is provided, it will exit (so the firewall rules aren’t reset and you’re not locked out).

/opt/ipupdate-remote.sh

#!/usr/bin/env bash

#+----------------------------------------------------------------------------+
#+ Define IP Address
#+----------------------------------------------------------------------------+
ipAddress="${1}"

#+----------------------------------------------------------------------------+
#+ Check for IP Address Argument (exit if no IP is provided)
#+----------------------------------------------------------------------------+
if [ -z "${ipAddress}" ]; then
    echo "No IP Provided."
    exit 1
fi

#+----------------------------------------------------------------------------+
#+ Temporarily Disable ufw
#+----------------------------------------------------------------------------+
sudo ufw --force disable

#+----------------------------------------------------------------------------+
#+ Reset the Firewall Rules for ufw (clears all active rules)
#+----------------------------------------------------------------------------+
sudo ufw --force reset

#+----------------------------------------------------------------------------+
#+ Set Defaults for ufw
#+----------------------------------------------------------------------------+
#+ We'll deny all incoming (except those we explicitly define below) and allow
#+ all outgoing connections.
#+----------------------------------------------------------------------------+
sudo ufw default deny incoming
sudo ufw default allow outgoing

#+----------------------------------------------------------------------------+
#+ Define Default ufw Rules
#+----------------------------------------------------------------------------+
sudo ufw allow from "${ipAddress}" to any port 22           # Only allow SSH access to your IP
sudo ufw allow from "${ipAddress}" to any port 8443         # UniFi access on Port 8443 to your IP

#+----------------------------------------------------------------------------+
#+ Define Additional ufw Rules (any others you may need)
#+----------------------------------------------------------------------------+
#+ These are commented, so won't be active unless you remove the #
#+----------------------------------------------------------------------------+
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
# .... etc

#+----------------------------------------------------------------------------+
#+ Enable ufw
#+----------------------------------------------------------------------------+
sudo ufw --force enable

You’ll also want to give this execution permissions by running chmod +x /opt/ipupdate-remote.sh.

In the script above you’ll see Define Additional ufw Rules (any others you may need). This is where you can define any additional rules that you may need. By default, the above limits access to 22 (SSH) and 8443 (the default controller port).

If you accidentally lock yourself out, the console can be used to regain access since it operates over VNC (thus a block on port 22 will not lock you out of console).

All the best,

Jonathan Tittle Manager, Support
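A variant of the remote script that replaces the disable/reset cycle with a rule swap, added here as an example and not part of the answer above: it checks that the argument arriving over ssh is a plain IPv4 address before it reaches the ufw command line, adds the allow rules for the new IP before deleting the ones for the old IP, and never turns the firewall off. It assumes ufw is already enabled with default deny incoming, and that the last accepted IP is remembered in the assumed path /var/lib/ipupdate/current-ip.

```shell
#!/bin/sh
# Added example (not the answer's own script): swap ufw allow rules from the old IP
# to the new one without disabling ufw. Assumes ufw is enabled with "default deny
# incoming". STATE_FILE is an assumed path; set UFW=echo to dry-run the commands.
set -eu
STATE_FILE="${STATE_FILE:-/var/lib/ipupdate/current-ip}"
PORTS="${PORTS:-22 8443}"     # SSH and the UniFi controller port
UFW="${UFW:-ufw}"

# Accept only a dotted-quad IPv4 address. The argument comes over ssh from the local
# script, so extra words or ufw keywords must never reach the ufw command line.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ufw commands one per line: allow the new IP first, then drop the old one,
# so there is never a moment without an allow rule for SSH.
plan_rules() {
    old=$1; new=$2
    for port in $PORTS; do echo "allow from $new to any port $port"; done
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        for port in $PORTS; do echo "delete allow from $old to any port $port"; done
    fi
}

update_ip() {
    new=$1; old=""
    valid_ipv4 "$new" || { echo "Rejected IP argument: $new" >&2; return 1; }
    if [ -r "$STATE_FILE" ]; then old=$(cat "$STATE_FILE"); fi
    # A failing ufw command aborts the loop (set -e) and the new IP is not recorded.
    plan_rules "$old" "$new" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        "$UFW" $rule
    done
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new" > "$STATE_FILE"
}

# Run as: /opt/ipupdate-remote.sh <ip>   (no argument: only defines the functions)
if [ $# -gt 0 ]; then update_ip "$1"; fi
```

Run it once by hand with your current IP after the initial setup so the state file exists; from then on the local cron job supplies the argument.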

Hi Jon,

I stayed up late last night going over your OP and I came to the same conclusions. I now have a passwordless key and have allowed my custom ssh port to be accessed. I have adjusted the script, however I get the error:

"sudo: no tty present and no askpass program specified"

I can confirm that I can ssh from the VM to the server without needing a password by sshing manually.

I have them both set up (the local via a linux vm on windows 10). I can see it’s running but it’s not working and I have a feeling it’s to do with the local. How does the cron task access the server via the ssh login if no password is given in the script?

Also if my ip is now blocked from ssh access, surely the cron task can’t access the server?