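#!/usr/bin/env bash
#
# Fix UDM Pro Firewall Rules for Container Outbound Access
#
# Read-only diagnostic: inspects the UDM Pro's iptables FORWARD/OUTPUT chains
# and the FORWARD policy over SSH, reports rules that may block the container
# IPs, and prints the Web UI steps for adding an allow rule. Nothing on the
# gateway is modified (UDM Pro rules are managed via the Web UI; direct
# iptables edits may not persist).
#
# Required environment:
#   UDM_PRO_PASS   SSH password for the UDM Pro. Taken from the environment and
#                  handed to sshpass via SSHPASS so it never appears in this
#                  file or in the process argument list.
# Optional environment (defaults shown):
#   UDM_PRO_IP     192.168.11.1
#   UDM_PRO_USER   OQmQuS
#
# Dependencies: sshpass, ssh (OpenSSH 7.6+ for StrictHostKeyChecking=accept-new)
set -euo pipefail

UDM_PRO_IP=${UDM_PRO_IP:-192.168.11.1}
UDM_PRO_USER=${UDM_PRO_USER:-OQmQuS}
: "${UDM_PRO_PASS:?UDM_PRO_PASS must be set in the environment (never hard-code it)}"
CONTAINER_IPS=("192.168.11.166" "192.168.11.167")

# sshpass -e reads the password from SSHPASS instead of argv (argv is visible
# to every local user via ps).
SSHPASS=$UDM_PRO_PASS
export SSHPASS

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# accept-new pins the gateway's host key on first contact and refuses a changed
# key afterwards; the previous "no" + /dev/null known_hosts combination sent the
# password to whatever answered on the IP.
readonly SSH_OPTS=(
  -o ConnectTimeout=10
  -o StrictHostKeyChecking=accept-new
  -o LogLevel=ERROR
)

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run a shell command on the UDM Pro over SSH.
# Globals:   UDM_PRO_USER, UDM_PRO_IP, SSH_OPTS, SSHPASS (read)
# Arguments: $1 - remote command string
# Outputs:   remote stdout and stderr, merged, on stdout
# Returns:   ssh's exit status
#######################################
udm_ssh() {
  local remote_cmd=$1
  sshpass -e ssh "${SSH_OPTS[@]}" "${UDM_PRO_USER}@${UDM_PRO_IP}" "$remote_cmd" 2>&1
}

#######################################
# Print at most the first N lines of a string.
# Replaces 'printf ... | head -N': under 'pipefail' a SIGPIPE from head would
# abort the whole script.
# Arguments: $1 - maximum number of lines, $2 - text
# Outputs:   the leading lines on stdout
#######################################
print_head() {
  local max=$1 text=$2
  local -a lines
  mapfile -t lines <<<"$text"
  printf '%s\n' "${lines[@]:0:max}"
}

printf '%s\n' \
  "==========================================" \
  "Fix UDM Pro Firewall for Container Access" \
  "==========================================" \
  ""

# Note: UDM Pro firewall rules are typically managed via Web UI
# This script provides diagnostic information and recommendations
printf '%b\n' "${BLUE}Checking current firewall rules...${NC}"

# Check FORWARD chain (an SSH/auth failure is fatal: every later check would
# otherwise report on empty data).
FORWARD_RULES=$(udm_ssh "sudo iptables -L FORWARD -n -v --line-numbers 2>&1 | head -40") \
  || die "cannot read FORWARD chain from ${UDM_PRO_IP}: ${FORWARD_RULES}"
printf '%s\n' "FORWARD chain rules:"
print_head 20 "$FORWARD_RULES"

# Check for deny rules. grep exits 1 when nothing matches, which under
# 'set -e' + 'pipefail' silently ended the original script on a clean
# ruleset; "no deny rules" is a normal outcome, not an error.
DENY_RULES=$(printf '%s\n' "$FORWARD_RULES" | grep -E 'DROP|REJECT' | head -5 || true)
if [[ -n "$DENY_RULES" ]]; then
  printf '\n%b\n' "${YELLOW}⚠️ Found deny rules that may block traffic:${NC}"
  printf '%s\n' "$DENY_RULES"
fi

# Check OUTPUT chain
OUTPUT_RULES=$(udm_ssh "sudo iptables -L OUTPUT -n -v --line-numbers 2>&1 | head -30") \
  || die "cannot read OUTPUT chain from ${UDM_PRO_IP}: ${OUTPUT_RULES}"
printf '\n%s\n' "OUTPUT chain rules:"
print_head 20 "$OUTPUT_RULES"

# Check policy. The remote grep chain exits non-zero when the policy line is
# absent; report that as "unknown" rather than aborting or, worse, treating
# an empty string as an ACCEPT policy.
FORWARD_POLICY=$(udm_ssh "sudo iptables -L FORWARD -n 2>&1 | grep 'Chain FORWARD' | grep -o 'policy [A-Z]*'") \
  || FORWARD_POLICY=""
printf '\n%s\n' "FORWARD chain policy: ${FORWARD_POLICY:-unknown}"

# Comma-separated list of the container IPs for the printed instructions.
printf -v container_list '%s, ' "${CONTAINER_IPS[@]}"
container_list=${container_list%, }

if [[ -z "$FORWARD_POLICY" ]]; then
  printf '%b\n' "${YELLOW}⚠️ Could not determine FORWARD chain policy; review the rules above${NC}"
elif [[ "$FORWARD_POLICY" == *DROP* ]]; then
  printf '%b\n' "${RED}❌ FORWARD chain policy is DROP${NC}"
  printf '%s\n' \
    "This will block all forwarded traffic unless explicitly allowed" \
    "" \
    "Solution: Add allow rules in UDM Pro Web UI:" \
    " 1. Settings → Firewall & Security → Firewall Rules" \
    " 2. Add rule: Allow outbound from ${container_list}" \
    " 3. Place rule BEFORE any deny rules"
else
  printf '%b\n' "${GREEN}✅ FORWARD chain policy allows traffic${NC}"
fi

cat <<EOF

==========================================
UDM Pro Firewall Fix Instructions
==========================================

To fix outbound internet access for containers:

1. Access UDM Pro Web UI: https://${UDM_PRO_IP}

2. Go to: Settings → Firewall & Security → Firewall Rules

3. Add new rule:
 - Name: Allow Container Outbound
 - Action: Accept
 - Source: ${container_list}
 - Destination: Any
 - Protocol: Any
 - Port: Any

4. Ensure rule is placed BEFORE any deny rules

5. Save and wait 30 seconds

Note: UDM Pro may require rules to be added via Web UI
 Direct iptables changes may not persist

EOF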