====== Ubiquiti - Controller - Install Controller on Ubuntu 20.04 ======

===== Bash Install Script =====

<code bash>
# Scripted install of Unifi Server App on Ubuntu - recommended!
apt-get update; apt-get install ca-certificates wget -y
rm unifi-latest.sh &> /dev/null; wget https://get.glennr.nl/unifi/install/install_latest/unifi-latest.sh && bash unifi-latest.sh

# Enable automatic startup of Unifi controller service
sudo systemctl enable unifi

# For reference: how to disable auto-start
# sudo systemctl disable unifi

# Check if it's now auto-started upon reboots
systemctl is-enabled unifi
systemctl is-active unifi

# Manual install of Unifi Server App on Ubuntu - not 100% reliable
sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
sudo apt-get update && sudo apt-get install unifi -y
sudo service unifi start

# Change default port 8443 to 443
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443 # How to remove a firewall NAT rule

# Deal with port 80
#sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 # In case of reversal

### Save configs with persistency upon reboots ###

# Install iptables persistence
sudo apt-get install iptables-persistent -y

# How to manually call iptables-persistent app
# sudo dpkg-reconfigure iptables-persistent

# Set iptables and persistence to autostart
sudo systemctl enable iptables
sudo systemctl enable netfilter-persistent

# Check firewall rules
iptables -L -n

# If not using ufw to set firewall rules, iptables can be edited directly with these commands
# It's advisable to use ufw as that is easier to administer
# Note that -I inserts the rule at the start of the chain, whereas -A appends it at the end
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

# Prevent issue with devices showing "Disconnected" after controller reboots
sudo iptables -I INPUT -p tcp --dport 8880 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 3478 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 10001 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 6666 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 47763 -j ACCEPT

# How to remove a rule
# sudo iptables -D INPUT -p tcp|udp --dport xxxx -j ACCEPT

# Save existing rules
# Don't do this: sudo /sbin/iptables-save > /etc/iptables/rules.v4
# ERROR: -bash: /etc/iptables/rules.v4: Permission denied
# (the redirection is performed by the unprivileged shell, not by sudo)
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
</code>

----

===== Check status =====

<code bash>
systemctl status netfilter-persistent
</code>

returns:

<code>
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: failed (Result: exit-code) since Tue 2020-11-24 15:48:27 PST; 14min ago
       Docs: man:netfilter-persistent(8)
    Process: 494 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
   Main PID: 494 (code=exited, status=1/FAILURE)

Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[504]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables >
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[507]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables >
</code>

----

===== Fix startup conflicts between iptables & netfilter-persistent =====

<code bash>
sudo systemctl edit netfilter-persistent.service
vim /etc/systemd/system/netfilter-persistent.service.d/iptables.conf
</code>

Verify this content:

<code>
[Unit]
Conflicts=iptables.service ip6tables.service
</code>

Modify the content and save the file:

<code>
[Unit]
After=iptables.service ip6tables.service ufw.service
</code>

----

===== Check Firewall Rules =====

<code bash>
sudo iptables -L
sudo ip6tables -L
</code>

----

===== Optionally, disable ufw as it may conflict with iptables-persistent / netfilter-persistent =====

<code bash>
sudo ufw disable
</code>

----

===== Verify =====

Try to access the Unifi controller at both of these URLs:

  * https://ip.of.your.server:8443
  * https://ip.of.your.server

----

===== Backups =====

**NOTE:** Backup files are normally found at:

  * /usr/lib/unifi/data/backup/autobackup/
  * /usr/lib/unifi/data/backup/

----

===== References =====

  * https://unifi.ui.com/
  * https://network.unifi.ui.com/
  * https://www.ui.com/download/unifi/
  * https://help.ui.com/hc/en-us/articles/204952144-UniFi-How-can-I-restore-a-backup-configuration-
  * https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
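----

Because the status output above shows netfilter-persistent failing at boot, it is worth confirming that the saved rules really contain what this page sets up. The script below is an added example, not part of the original page or of any Ubiquiti tooling: it reads ''iptables-save'' output and reports which of this page's INPUT and NAT rules are missing and which other ports are accepted. The names ''audit_rules'' and ''sample_dump'' and the sample dump itself are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page; function names are illustrative.
# Ports copied from the page's "iptables -I INPUT" commands.
EXPECTED_TCP="22 80 8080 8880 8443 443"
EXPECTED_UDP="3478 10001 6666 47763"

# audit_rules: reads iptables-save output on stdin and prints sorted
# "MISSING proto/port" and "EXTRA proto/port" lines (nothing if all match).
audit_rules() {
    awk -v tcp="$EXPECTED_TCP" -v udp="$EXPECTED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) want["tcp/" a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) want["udp/" a[i]] = 1
    }
    substr($0, 1, 1) == "*" { table = substr($0, 2); next }  # *filter, *nat
    table == "filter" && $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        proto = ""; port = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (port == "") next
        key = proto "/" port
        if (key in want) seen[key] = 1; else print "EXTRA " key
    }
    table == "nat" && $2 == "PREROUTING" &&
        /--dport 443 -j REDIRECT --to-ports 8443$/ { nat = 1 }
    END {
        for (k in want) if (!(k in seen)) print "MISSING " k
        if (!nat) print "MISSING nat-redirect-443-to-8443"
    }' | LC_ALL=C sort
}

# Constructed sample dump (not captured from a real host).
sample_dump() {
    cat <<'EOF'
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
EOF
}
sample_dump | audit_rules
```

On the controller, feed it the live ruleset with ''sudo iptables-save | audit_rules'' or the saved file with ''audit_rules < /etc/iptables/rules.v4''. Rules managed through ufw live in ufw's own chains rather than INPUT, so they are not counted here.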