Sunday, January 14, 2018

Ubiquiti Unifi Controller on Ubuntu LTS

Plenty of stuff you can find on the internet.
But for my own references:

Basic Ubuntu LTS installation.
If you’re on a public ip, first get your firewall in order. Then install Unifi.

Firewall
Make sure you’re root (sudo -s), then:

apt-get install netfilter-persistent
service netfilter-persistent start
invoke-rc.d netfilter-persistent save
mkdir /etc/iptables/

In this example:
1.2.3.4 = trusted machine that is allowed to connect to the Unifi controller. Probably your own pc
4.5.6.7 = site 1 with AP’s and other ubiquiti stuff
6.7.8.9 = site 2 with AP’s and other ubiquiti stuff

Ports tcp/8080 and udp/3478 are all you need between your ubiquiti equipment and your controller (see link)

Save the following to firewall.sh and execute (replace ip’s with real ip’s):

#!/bin/bash

# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# Setting default policy on incoming traffic
iptables -P INPUT DROP                                                  # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP                                                # THIS IS NOT A ROUTER

# Exceptions to default policy
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT        # FOR INITIATED CONNECTIONS FROM THIS HOST
iptables -A INPUT -i lo -j ACCEPT                                       # MUSTHAVE (e.g. for MongoDB bind to localhost)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                           # SSH
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                       # PING

# unify test
iptables -A INPUT -p tcp --dport 8443 -s 1.2.3.4 -j ACCEPT       # Connections from management host

iptables -A INPUT -p tcp --dport 8080 -s 4.5.6.7 -j ACCEPT       # UNIFI - INFORM - site1
iptables -A INPUT -p udp --dport 3478 -s 4.5.6.7 -j ACCEPT       # UNIFI - STUN   - site1
iptables -A INPUT -p tcp --dport 8080 -s 6.7.8.9 -j ACCEPT        # UNIFI - INFORM - site2
iptables -A INPUT -p udp --dport 3478 -s 6.7.8.9 -j ACCEPT        # UNIFI - STUN   - site2

# Make persistent
iptables-save >/etc/iptables/rules.v4

Install Unifi
Make sure you’re root (sudo -s), then:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
apt-get update
apt-get install unifi

.. last but not least, go to: https://ipaddress:8443/