How to Download and Upload Custom Script Firmware in UBNT AirOS 5 and AirOS 6
I would like to share how to lock a MAC address on the LAN port and block other unwanted user traffic. Why do that? I maintain a wireless network where all stations are in bridge mode and users receive a public IP address from a "central" DHCP server. Sometimes we have difficulties when users connect a switch with multiple PCs on it, or some unwanted devices, to the LAN port of the station. They cost us a lot of public IP addresses. The second problem was users who accidentally connect a CPE on the LAN port, and their DHCP starts to deliver IP addresses to other users.
I solved this problem with a custom script. I asked a lot on the forum but nobody gave me the right solution (I don't understand UBNT support, but never mind...).
First, connect to your station using SSH.
Then type
vi /etc/persistent/rc.poststart
Press the letter i (to insert text).
Copy this (first replace xx:xx:xx:xx:xx:xx with the MAC address you would like to lock on the LAN port)
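# Start from an empty FORWARD chain
ebtables -F FORWARD
# MAC lock: accept frames entering on eth0 (LAN port) only from this source MAC, drop all others
ebtables -A FORWARD -s xx:xx:xx:xx:xx:xx -i eth0 -j ACCEPT
ebtables -A FORWARD -i eth0 -j DROP
# The two rules above are terminal for eth0 traffic, so the rules below are
# only reached by frames that did not enter on eth0
# Drop DHCP server replies (UDP destination port 68) leaving via ath0 (wireless)
ebtables -t filter -A FORWARD -p IPv4 --out-interface ath0 --ip-proto udp --ip-dport 68 -j DROP
# Drop IPv4 traffic with a private (172.16/12, 192.168/16) or link-local (169.254/16) source or destination
ebtables -t filter -A FORWARD -p IPv4 --ip-src 172.16.0.0/12 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-dst 172.16.0.0/12 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-src 192.168.0.0/16 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-dst 192.168.0.0/16 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-src 169.254.0.0/16 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-dst 169.254.0.0/16 -j DROP
# Restore the jump to the FIREWALL chain that the flush removed
ebtables -t filter -A FORWARD -j FIREWALL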
and paste it into the editor. Next, press Escape, then type w, then type q, then type ! and press ENTER. You should be back at the prompt where you started. Type SAVE (small letters) and reboot.
You should see something like this:
XM.v5.6.3# save
Found Active on[1] ...
Found Backup1 on[2] ...
Storing Active[2] ... [%100]
Active->Backup[1] ... [%100]
XM.v5.6.3#reboot
After the reboot you can check whether the rules were inserted into your ebtables. Type in
ebtables -L
You should see something like this:
XM.v5.6.3# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL
Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-s aa:bb:c:cc:e5:a1 -i eth0 -j ACCEPT
-i eth0 -j DROP
-p IPv4 -o ath0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 --ip-src 172.16.0.0/12 -j DROP
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
-p IPv4 --ip-src 192.168.0.0/16 -j DROP
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
-p IPv4 --ip-src 169.254.0.0/16 -j DROP
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
-j FIREWALL
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: FIREWALL, entries: 0, policy: ACCEPT
XM.v5.6.3#
You can also check whether the access list works as you expect. To check the counters, type in
ebtables -L --Lc
XM.v5.6.3# ebtables -L --Lc
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL, pcnt = 1816356 -- bcnt = 106872059
Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-s aa:bb:c:cc:e5:a1 -i eth0 -j ACCEPT , pcnt = 222989 -- bcnt = 33630440
-i eth0 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -o ath0 --ip-proto udp --ip-dport 68 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 172.16.0.0/12 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.0.0/16 -j DROP , pcnt = 809 -- bcnt = 37232
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 169.254.0.0/16 -j DROP , pcnt = 40 -- bcnt = 4089
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP , pcnt = 0 -- bcnt = 0
-j FIREWALL, pcnt = 2123462 -- bcnt = 436597110
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: FIREWALL, entries: 0, policy: ACCEPT
I hope this will help someone.
I would like to invite others to share some useful scripts as well.
Credit : Boris
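The two checks described above (rules present in the right order, and counters showing which filters catch traffic) can be scripted instead of read by eye. This is an added example, not part of the original post: the function names are hypothetical and the sample listing is constructed, abridged from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Sample text is constructed,
# modelled on the `ebtables -L --Lc` listing shown above.
sample_listing() {
cat <<'EOF'
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL, pcnt = 1816356 -- bcnt = 106872059
Bridge chain: FORWARD, entries: 6, policy: ACCEPT
-s aa:bb:c:cc:e5:a1 -i eth0 -j ACCEPT , pcnt = 222989 -- bcnt = 33630440
-i eth0 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -o ath0 --ip-proto udp --ip-dport 68 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.0.0/16 -j DROP , pcnt = 809 -- bcnt = 37232
-p IPv4 --ip-src 169.254.0.0/16 -j DROP , pcnt = 40 -- bcnt = 4089
-j FIREWALL, pcnt = 2123462 -- bcnt = 436597110
EOF
}

# Print "pcnt bcnt rule" for each FORWARD DROP rule that has matched packets.
forward_drop_hits() {
    awk '
        /^Bridge chain:/ { in_fwd = ($3 == "FORWARD,"); next }
        in_fwd && /-j DROP/ {
            if (split($0, part, / *, pcnt = /) != 2) next
            split(part[2], cnt, / -- bcnt = /)
            if (cnt[1] + 0 > 0) printf "%s %s %s\n", cnt[1], cnt[2], part[1]
        }'
}

# Exit 0 only if the first two FORWARD rules are the MAC lock: ACCEPT for the
# given source MAC on eth0, then DROP for all other eth0 traffic.
# $1 is the MAC written exactly as it appears in the listing.
mac_lock_in_place() {
    awk -v mac="$1" '
        /^Bridge chain:/ { in_fwd = ($3 == "FORWARD,"); next }
        in_fwd && /^-/ {
            sub(/ *, pcnt = .*/, ""); sub(/[ \t]+$/, "")
            n++
            if (n == 1 && $0 != "-s " mac " -i eth0 -j ACCEPT") bad = 1
            if (n == 2 && $0 != "-i eth0 -j DROP") bad = 1
        }
        END { exit ((bad || n < 2) ? 1 : 0) }'
}

# On a station, replace sample_listing with: ebtables -L --Lc
sample_listing | forward_drop_hits
sample_listing | mac_lock_in_place aa:bb:c:cc:e5:a1 && echo "MAC lock in place"
```

A failing `mac_lock_in_place` after a reboot or firmware upgrade means rc.poststart did not run or the rules were reordered, so the LAN port is no longer restricted to the one MAC.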
_____________________________________________________________________________
You can find airOS M builds that support custom (rc) scripts here. Moving forward, all builds with "cs" (custom script) in the name will have support for custom scripts. If you are using a previous build with -CS support, you can upgrade via the Check for update function and maintain -CS support.
Custom scripts allow for users to add functionality to airOS, but also allow for persistence of malicious software. "cs" versions of airOS should be considered slightly less secure vs non-cs releases found on https://download.ubnt.com.
6.3.2
TI.v6.3.2-cs.33267.200715.1557.bin
XM.v6.3.2-cs.33267.200715.1657.bin
XW.v6.3.2-cs.33267.200715.1627.bin
You can find airMAX AC custom script builds HERE.
Previous Versions:
6.3.0
TI.v6.3.0-cs.33226.200428.1749.bin
XM.v6.3.0-cs.33226.200428.1849.bin
XW.v6.3.0-cs.33226.200428.1819.bin
6.2.0
TI.v6.2.0-cs.33033.190703.1047.bin
XM.v6.2.0-cs.33033.190703.1147.bin
XW.v6.2.0-cs.33033.190703.1117.bin
6.1.12
TI.v6.1.12-cs.33003.190523.1224.bin
XM.v6.1.12-cs.33003.190523.1323.bin
XW.v6.1.12-cs.33003.190523.1253.bin
6.1.11:
TI.v6.1.11-cs.32949.190328.1056.bin
XM.v6.1.11-cs.32949.190328.1126.bin
XW.v6.1.11-cs.32949.190328.1111.bin
6.1.9:
TI.v6.1.9-cs.32918.190108.1723.bin
XM.v6.1.9-cs.32918.190108.1752.bin
XW.v6.1.9-cs.32918.190108.1737.bin
6.1.8:
TI.v6.1.8-cs.32774.180921.1503.bin
XM.v6.1.8-cs.32774.180921.1533.bin
XW.v6.1.8-cs.32774.180921.1518.bin
6.1.7:
TI.v6.1.7-cs.32555.180523.1740.bin
XM.v6.1.7-cs.32555.180523.1809.bin
XW.v6.1.7-cs.32555.180523.1754.bin
6.1.6:
TI.v6.1.6-cs.32290.180307.1621.bin
XM.v6.1.6-cs.32290.180307.1650.bin
XW.v6.1.6-cs.32290.180307.1635.bin
6.1.4:
TI.v6.1.4-cs.32113.180112.0903.bin
XM.v6.1.4-cs.32113.180112.0932.bin
XW.v6.1.4-cs.32113.180112.0918.bin
6.1.3:
TI.v6.1.3-cs.31939.171117.1209.bin
XM.v6.1.3-cs.31939.171117.1238.bin
XW.v6.1.3-cs.31939.171117.1223.bin
6.1.2:
TI.v6.1.2-cs.31825.171017.1618.bin
XM.v6.1.2-cs.31825.171017.1648.bin
XW.v6.1.2-cs.31825.171017.1633.bin
6.1.1:
TI.v6.1.1-cs.31776.171010.0919.bin
XM.v6.1.1-cs.31776.171010.0940.bin
XW.v6.1.1-cs.31776.171006.1138.bin
6.1.0:
XW.v6.1.0-cs.31741.170929.1213.bin
6.0.7:
TI.v6.0.7-cs.31601.170908.1216.bin
XM.v6.0.7-cs.31601.170908.1247.bin
XW.v6.0.7-cs.31601.170908.1232.bin
6.0.4
TI.v6.0.4-cs.30805.170505.1456.bin
XM.v6.0.4-cs.30805.170505.1525.bin
XW.v6.0.4-cs.30805.170505.1510.bin
5.6.15
TI.v5.6.15-cs.30572.170328.1038.bin
XM.v5.6.15-cs.30572.170328.1107.bin
XM.v5.6.15-cpu400-cs.30572.170328.1107.bin
XW.v5.6.15-cs.30572.170328.1052.bin
6.0.3
TI.v6.0.3-cs.30600.170329.1803.bin
XM.v6.0.3-cs.30600.170329.1831.bin
XW.v6.0.3-cs.30600.170329.1817.bin
6.0.2
TI.v6.0.2-cs.30552.170327.1921.bin
XM.v6.0.2-cs.30552.170327.1950.bin
XW.v6.0.2-cs.30552.170327.1935.bin
6.0.1
https://dl.ubnt.com/custom/XW.v6.0.1-cs.30382.170317.1751.bin
https://dl.ubnt.com/custom/TI.v6.0.1-cs.30382.170317.1737.bin
https://dl.ubnt.com/custom/XM.v6.0.1-cs.30382.170317.1806.bin
https://dl.ubnt.com/custom/XM.v6.0.1-cpu400-cs.30382.170317.1806.bin
6.0
https://dl.ubnt.com/XN-fw-internal/v6.0/TI.v6.0-cs.30097.161219.1655.bin
https://dl.ubnt.com/XN-fw-internal/v6.0/XW.v6.0-cs.30097.161219.1705.bin
https://dl.ubnt.com/XN-fw-internal/v6.0/XM.v6.0-cs.30097.161219.1716.bin
5.6.9
https://dl.ubnt.com/XN-fw-internal/v5.6.9/TI.v5.6.9-cs.29546.160819.1135.bin
https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cpu400-cs.29546.160819.1157.bin
https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cpu400.29546.160819.1157.bin
https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cs.29546.160819.1157.bin
https://dl.ubnt.com/XN-fw-internal/v5.6.9/XW.v5.6.9-cs.29546.160819.1146.bin
5.6.8
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/TI.v5.6.8-cs.29413.160715.1551.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XM.v5.6.8-cpu400-cs.29413.160715.1613.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XW.v5.6.8-cs.29413.160715.1602.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XM.v5.6.8-cs.29413.160715.1613.bin
Signed Versions of previous releases 5.6.15/6.0.3/6.0.4 w/ CS support HERE