Hi
ufw allows you to define IP ranges using CIDR, though the downside, in this case, would be that you’d be casting a wide net and anyone on the range would be able to access the login page for Unifi.
Example
ufw allow from 10.1.1.0/24 to any port 8443
This will allow any IP from 10.1.1.0 to 10.1.1.255. You can cast it wider by moving up to a /16 (replacing the /24), allowing access from 10.1.0.0 to 10.1.255.255:
ufw allow from 10.1.0.0/16 to any port 8443
This will reduce the chances of you having to change the IP, though it won’t eliminate it, especially if your IP changes the entire range and you’re not aware of all ranges in use.
–
The better solution would be to use a shell script locally which pushes the change to your remote Droplet with the UniFi Controller installed. You’d need CRON and Bash locally to set this up. This could be done on a small Raspberry Pi or even a VM if you can run one locally.
Local Shell Script
This will be used to pull your current IP and pass it to the remote server so ufw allows the correct IP through.
ipupdate-local.sh
#!/usr/bin/env bash
# Fetch the current public IP of this machine
ipAddress=$(curl -s icanhazip.com)
# Hand it to the remote script on the Droplet (replace 1.1.1.1 with your Droplet IP)
ssh root@1.1.1.1 "/opt/ipupdate-remote.sh ${ipAddress}"
You’ll want to update the IP above (1.1.1.1) to match your Droplet IP and then give the above script execution permissions using chmod +x ipupdate-local.sh. This script can then be executed via CRON every N minutes using:
*/5 * * * * /path/to/ipupdate-local.sh
Remote Shell Script
This will be used to reset ufw so that it uses the new IP passed through by ipupdate-local.sh. If no IP is provided, it will exit (so the firewall rules aren’t reset and you’re not locked out).
/opt/ipupdate-remote.sh
#!/usr/bin/env bash
#+----------------------------------------------------------------------------+
#+ Define IP Address
#+----------------------------------------------------------------------------+
ipAddress="${1}"
#+----------------------------------------------------------------------------+
#+ Check for IP Address Argument (exit if no IP is provided)
#+----------------------------------------------------------------------------+
if [ -z "${ipAddress}" ]; then
    echo "No IP Provided."
    exit 1
fi
#+----------------------------------------------------------------------------+
#+ Temporarily Disable ufw
#+----------------------------------------------------------------------------+
sudo ufw --force disable
#+----------------------------------------------------------------------------+
#+ Reset the Firewall Rules for ufw (clears all active rules)
#+----------------------------------------------------------------------------+
sudo ufw --force reset
#+----------------------------------------------------------------------------+
#+ Set Defaults for ufw
#+----------------------------------------------------------------------------+
#+ We'll deny all incoming (except those we explicitly define below) and allow
#+ all outgoing connections.
#+----------------------------------------------------------------------------+
sudo ufw default deny incoming
sudo ufw default allow outgoing
#+----------------------------------------------------------------------------+
#+ Define Default ufw Rules
#+----------------------------------------------------------------------------+
sudo ufw allow from "${ipAddress}" to any port 22   # Only allow SSH access from your IP
sudo ufw allow from "${ipAddress}" to any port 8443 # UniFi controller access on port 8443 from your IP
#+----------------------------------------------------------------------------+
#+ Define Additional ufw Rules (any others you may need)
#+----------------------------------------------------------------------------+
#+ These are commented, so won't be active unless you remove the #
#+----------------------------------------------------------------------------+
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
# .... etc
#+----------------------------------------------------------------------------+
#+ Enable ufw
#+----------------------------------------------------------------------------+
sudo ufw --force enable
You’ll also want to give this execution permissions by running chmod +x /opt/ipupdate-remote.sh.
In the script above you’ll see Define Additional ufw Rules (any others you may need); this is where you can define any additional rules that you may need. By default, the above limits access to 22 (SSH) and 8443 (the default controller port).
If you accidentally lock yourself out, the console can be used to regain access since it operates over VNC (thus a block on port 22 will not lock you out of console).
All the best,
Jonathan Tittle
Manager, Support
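The local side of the update flow described in the answer, as an added example that is not part of the original post: it validates the value fetched from icanhazip.com before it is handed to ufw (a transient error page or empty reply would otherwise be passed straight into a firewall rule), and it only calls the remote script when the address has actually changed, so the firewall is not torn down and rebuilt every five minutes. The names STATE_FILE, DROPLET, valid_ipv4, ip_changed and push_ip are this example's own assumptions; 1.1.1.1 is the placeholder Droplet address from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names: STATE_FILE,
# DROPLET, valid_ipv4, ip_changed, push_ip. Run from cron as:
#   */5 * * * * /path/to/ipupdate-local.sh run

STATE_FILE="${STATE_FILE:-$HOME/.ipupdate-last}"   # cache of the last address pushed
DROPLET="${DROPLET:-root@1.1.1.1}"                 # placeholder from the answer

# Succeeds only when $1 is a dotted-quad IPv4 address with every octet 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;       # empty, or anything beyond digits and dots
    esac
    _oldifs=$IFS; IFS=.
    set -- $1                           # split the candidate on dots
    IFS=$_oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Succeeds when $1 differs from the cached address (or nothing is cached yet).
ip_changed() {
    last=""
    [ -r "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
    [ "$1" != "$last" ]
}

# Validate $1, skip if unchanged, otherwise push it to the Droplet and
# record it only after the remote script reported success.
push_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to push non-IPv4 value: '$ip'" >&2
        return 2
    fi
    ip_changed "$ip" || return 0        # same address as last time: nothing to do
    ssh "$DROPLET" "/opt/ipupdate-remote.sh '$ip'" || return 1
    printf '%s\n' "$ip" > "$STATE_FILE"
}

# Only fetch and push when invoked with "run" (as the cron line above does).
if [ "${1-}" = "run" ]; then
    push_ip "$(curl -4 -fs https://icanhazip.com)"
fi
```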