From 33ed1fe1ab0141a5b2c52eadf82d10de8a608300 Mon Sep 17 00:00:00 2001
From: tengel
Date: Wed, 20 Mar 2024 11:28:46 -0500
Subject: [PATCH] adding fwd2iptables

---
 shell/fwd2iptables.sh | 55 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 shell/fwd2iptables.sh

diff --git a/shell/fwd2iptables.sh b/shell/fwd2iptables.sh
new file mode 100644
index 0000000..4838b66
--- /dev/null
+++ b/shell/fwd2iptables.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Replace firewalld with iptables on RHEL type systems
+#
+# SPDX-License-Identifier: MIT
+
+function error_exit {
+ echo "Trapped a kill signal, exiting."
+ exit 1
+}
+trap error_exit SIGHUP SIGINT SIGTERM
+
+if [[ ! -f /etc/sysconfig/iptables ]]; then
+ echo "Adding basic IPv4 iptables config (SSH access only)..."
+ cat << 'EOF' > /etc/sysconfig/iptables
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+fi
+
+if [[ ! -f /etc/sysconfig/ip6tables ]]; then
+ echo "Adding basic IPv6 iptables config (SSH access only)..."
+ cat << 'EOF' > /etc/sysconfig/ip6tables
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
+fi
+
+echo "Disabling firewalld and enabling iptables/ip6tables..."
+yum -y install iptables-services && ( \
+ systemctl stop firewalld && systemctl disable firewalld; \
+ systemctl mask firewalld.service; \
+ systemctl start iptables.service && systemctl enable iptables.service; \
+ systemctl start ip6tables.service && systemctl enable ip6tables.service
+)
+
+exit 0
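Review bot: The script always finishes with `exit 0`, so every failure inside the subshell after `yum -y install iptables-services && (` is discarded: if `systemctl start iptables.service` fails, firewalld has already been stopped and masked, the host is presumably left with no packet filtering at all, and the caller still sees success. The `&&`/`;` mix inside the parentheses also runs `systemctl mask firewalld.service` even when the stop/disable step failed. Check each step explicitly and exit non-zero on failure (rewrite below); since every step needs root, an early `(( EUID == 0 )) || { echo "must run as root" >&2; exit 1; }` would also stop a failed `cat > /etc/sysconfig/iptables` from being silently ignored. The rule files are additionally created with the caller's umask, so a `umask 077` before the heredocs keeps them readable by root only.
```shell
# … unchanged: signal trap and the two rule-file heredocs …

echo "Disabling firewalld and enabling iptables/ip6tables..."
if ! yum -y install iptables-services; then
  echo "iptables-services could not be installed; leaving firewalld untouched." >&2
  exit 1
fi
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld.service
# Fail loudly: with firewalld masked and no iptables service running, nothing filters traffic.
if ! systemctl start iptables.service || ! systemctl enable iptables.service; then
  echo "iptables.service failed to start/enable; host may be unfiltered." >&2
  exit 1
fi
if ! systemctl start ip6tables.service || ! systemctl enable ip6tables.service; then
  echo "ip6tables.service failed to start/enable; IPv6 may be unfiltered." >&2
  exit 1
fi

exit 0
```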