UniFi OS persistent NAT modification service
If you're like me, you'd like a way to persistently modify low-level UniFi OS networking. In my case, that means disabling IPv4 NAT: UniFi provides no standard supported means to do this, and I have a FortiGate firewall that handles NAT instead.
This repository contains a simple bash script that disables NAT and a systemd service definition that runs it.
Log in to your UniFi OS device (e.g. a UDM Pro) using ssh and perform the following steps:
- Download and install the `natanator.sh` script directly on your UniFi OS device via:

  ```
  wget -O /usr/local/bin/natanator.sh https://raw.githubusercontent.com/bprskalo/natanator/main/natanator.sh
  chmod +x /usr/local/bin/natanator.sh
  ```

- Download and install the `natanator.service` definition file in `/etc/systemd/system` via:

  ```
  wget -O /etc/systemd/system/natanator.service https://raw.githubusercontent.com/bprskalo/natanator/main/natanator.service
  chmod 755 /etc/systemd/system/natanator.service
  ```

- Reload systemd, then enable and start the service:

  ```
  systemctl daemon-reload
  systemctl enable natanator.service
  systemctl start natanator.service
  ```

- Reboot and validate persistence.
To check the correct operation of the natanator service, you can execute the following commands:

- Check the `natanator.service` status via:

  ```
  systemctl status natanator.service
  ```

  which should then output something like:

  ```
  ● natanator.service - Natanator
       Loaded: loaded (/etc/systemd/system/natanator.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2024-03-08 10:56:35 PDT; 5s ago
     Main PID: 39805 (natanator.sh)
        Tasks: 2 (limit: 4725)
       Memory: 460.0K
          CPU: 5ms
       CGroup: /system.slice/natanator.service
               ├─39805 /bin/sh /usr/local/bin/natanator.sh
               └─39814 sleep 60

  Mar 08 10:56:35 udm systemd[1]: Started Natanator.
  ```

- Check correct removal of the NAT/MASQUERADE firewall rules via:

  ```
  iptables -t nat -L UBIOS_POSTROUTING_USER_HOOK | grep "MASQUERADE .* UBIOS_.*ADDRv4_eth."
  ```

  If the rules were correctly removed, this command should NOT return any output.
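The following is an added example, not the natanator project's own `natanator.sh`, of the kind of script such a service runs: it parses the chain listing for rules matching the grep pattern above and deletes them by rule number, highest first, on the 60 s cycle visible in the status output. The chain name and rule naming come from this page; the sample listing and the `--live` flag are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the natanator project's own script. Assumes the chain name and the
# MASQUERADE / UBIOS_*ADDRv4_eth* rule naming shown on the page; the sample listing is constructed.
CHAIN=UBIOS_POSTROUTING_USER_HOOK
PATTERN='MASQUERADE .* UBIOS_.*ADDRv4_eth.'

# Read `iptables -t nat -L $CHAIN -n --line-numbers` output on stdin and print the rule numbers
# of matching MASQUERADE rules, highest first, so deleting them one by one does not renumber
# the rules that still have to be deleted.
masq_rule_numbers() {
    awk -v pat="$PATTERN" '$0 ~ pat { print $1 }' | sort -rn
}

# Count matching rules in a listing passed as $1 (used for self-checking on sample text).
count_masq_rules() {
    printf '%s\n' "$1" | masq_rule_numbers | awk 'END { print NR }'
}

# Delete every matching rule from the live chain; needs root and iptables on the UniFi OS host.
remove_masq_rules() {
    iptables -t nat -L "$CHAIN" -n --line-numbers | masq_rule_numbers | while read -r n; do
        iptables -t nat -D "$CHAIN" "$n"
    done
}

# Constructed sample of what the listing looks like while NAT is still active.
SAMPLE='Chain UBIOS_POSTROUTING_USER_HOOK (1 references)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ! match-set UBIOS_ADDRv4_eth8 dst
2    RETURN      all  --  0.0.0.0/0            0.0.0.0/0
3    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ! match-set UBIOS_ADDRv4_eth9 dst'

case "${1:-}" in
    --live)
        # Service mode (hypothetical flag): re-check the chain every 60 s, the interval the
        # status output above shows for the real service.
        while :; do remove_masq_rules; sleep 60; done ;;
    *)
        # Dry run on the constructed sample: prints "3 1", i.e. delete rule 3 before rule 1.
        printf 'rules to delete (highest first): %s\n' \
            "$(printf '%s\n' "$SAMPLE" | masq_rule_numbers | tr '\n' ' ')" ;;
esac
```

Run it without arguments to see the dry run on the sample; the `--live` mode only makes sense on the UniFi OS host itself.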
Originally forked from [jadedeane/natanator](https://github.com/jadedeane/natanator). Thanks to all contributors.