Allow Google's published IP ranges (the "GoogleIPs" address group) to reach an internal HTTPS host through a UniFi Security Gateway (USG)
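#!/bin/bash
# Refresh the "GoogleIPs" address group on a UniFi Security Gateway with the
# IPv4 prefixes Google publishes at https://www.gstatic.com/ipranges/goog.json,
# then (further down) allow only those sources to reach 192.168.1.100:443
# from the WAN.
#
# Prerequisite: first create an empty address group of type ipv4 named
# "GoogleIPs" in the UniFi web UI. The gateway materialises it as an ipset
# whose generated name is looked up from /config/config.boot below.
#
# NOTE(review): goog.json is Google's complete published range set. Google's
# own documentation describes it as also covering the Google Cloud customer
# ranges listed in cloud.json, so "only Google" here would include anyone
# running a GCP VM. If the intent is Google's own services only, subtract
# cloud.json from the result — confirm against the actual requirement.
set -euo pipefail

run="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"
ipset_list='temporary-list'

# Resolve the generated name of the ipset backing the GoogleIPs group.
# config.boot writes the group as "address-group <name> {", its members, and
# a "description GoogleIPs" line; remember the last group header seen and
# print it when the description matches. Unlike "grep -B1" this also works
# once the group has members (the line before "description" is then an
# "address" entry, not the header) — layout assumed from config.boot, confirm.
real_list=$(awk '/address-group /{grp=$2} /description.*GoogleIPs/{print grp; exit}' /config/config.boot)
if [[ -z "$real_list" ]]; then
  printf 'GoogleIPs address group not found in /config/config.boot\n' >&2
  exit 1
fi

# Best-effort removal of the scratch set on every exit path, including a
# failure part-way through (the original left it behind on error).
cleanup() { sudo /sbin/ipset -! destroy "$ipset_list" || true; }
trap cleanup EXIT

# Build the new contents in a scratch set; "swap" below requires it to have
# the same type as the live set, which is assumed to be hash:net — confirm.
sudo /sbin/ipset -! destroy "$ipset_list"
sudo /sbin/ipset create "$ipset_list" hash:net

# -f turns an HTTP error into a curl failure instead of feeding jq an error
# page. A failure inside the process substitution does not reach mapfile's
# exit status, so it is caught by the emptiness check that follows.
mapfile -t prefixes < <(curl -sSf https://www.gstatic.com/ipranges/goog.json \
  | jq -r '.prefixes | .[].ipv4Prefix| select( . != null )')

# Never swap in an empty set: that would silently drop all of Google's
# traffic after a transient download or parse problem. Fail loudly instead
# and leave the live set as it was.
if (( ${#prefixes[@]} == 0 )); then
  printf 'no IPv4 prefixes returned from goog.json; leaving %s unchanged\n' "$real_list" >&2
  exit 1
fi

# -! ignores duplicates, so a repeated prefix in the feed is not fatal.
for prefix in "${prefixes[@]}"; do
  sudo /sbin/ipset -! add "$ipset_list" "$prefix"
done

# Atomically replace the live set's contents. The scratch set now holds the
# previous entries and is removed by the EXIT trap.
sudo /sbin/ipset swap "$ipset_list" "$real_list"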
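# Apply the firewall and NAT rules through the configure-session wrapper.
# "set" is idempotent, so re-running the script only refreshes the ipset
# above and recommits the same configuration. Nothing is saved to
# /config/config.boot here; on a controller-managed gateway the persistent
# copy presumably belongs in config.gateway.json — confirm for this setup.
$run begin

# WAN_IN rule 4000: accept TCP/443 to the internal host only when the source
# is in the GoogleIPs address group (the ipset refreshed above). This rule,
# not the DNAT rules below, is what restricts who can reach the service, so
# it must sort before WAN_IN's default drop — verify the chain's other rules.
$run set firewall name WAN_IN rule 4000 action accept
$run set firewall name WAN_IN rule 4000 description https
$run set firewall name WAN_IN rule 4000 destination port 443
$run set firewall name WAN_IN rule 4000 destination address 192.168.1.100
$run set firewall name WAN_IN rule 4000 source group address-group "$real_list"
$run set firewall name WAN_IN rule 4000 protocol tcp

# NAT 4001: DNAT TCP/443 arriving on the WAN interface (eth0) for the
# gateway's own address (ADDRv4_eth0 — presumably the UniFi-maintained group
# holding eth0's address) to the internal host.
$run set service nat rule 4001 description https_external
$run set service nat rule 4001 destination group address-group ADDRv4_eth0
$run set service nat rule 4001 destination port 443
$run set service nat rule 4001 inbound-interface eth0
$run set service nat rule 4001 inside-address address 192.168.1.100
$run set service nat rule 4001 inside-address port 443
$run set service nat rule 4001 protocol tcp
$run set service nat rule 4001 type destination

# NAT 4002: the same DNAT for LAN clients (eth1) that use the public address
# (hairpin). Intentionally not limited to Google IPs — internal clients.
$run set service nat rule 4002 description https_internal
$run set service nat rule 4002 destination group address-group ADDRv4_eth0
$run set service nat rule 4002 destination port 443
$run set service nat rule 4002 inbound-interface eth1
$run set service nat rule 4002 inside-address address 192.168.1.100
$run set service nat rule 4002 inside-address port 443
$run set service nat rule 4002 protocol tcp
$run set service nat rule 4002 type destination

# NAT 5500: masquerade hairpinned traffic leaving on eth1 towards the host so
# that its replies come back through the gateway instead of going directly
# to the same-subnet client (which would break the connection).
$run set service nat rule 5500 description port_forward_https_internal_same_subnet
$run set service nat rule 5500 destination address 192.168.1.100
$run set service nat rule 5500 destination port 443
$run set service nat rule 5500 outbound-interface eth1
$run set service nat rule 5500 protocol tcp
$run set service nat rule 5500 type masquerade

# Commit, and always leave the session. A failed commit exits non-zero so a
# cron wrapper or the caller notices that the rules were not applied.
if ! $run commit; then
  printf 'commit failed; firewall/NAT rules not applied\n' >&2
  $run end
  exit 1
fi
$run end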