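#!/usr/bin/env bash
#
# Replace firewalld with iptables on RHEL type systems
#
# Writes a minimal "SSH access only" ruleset to /etc/sysconfig/iptables and
# /etc/sysconfig/ip6tables (only when those files do not already exist),
# installs iptables-services, stops/disables/masks firewalld, then starts and
# enables the iptables and ip6tables units.
#
# Requires: root, yum, systemctl.
# Exit status: 0 on success; 1 when a required step fails or on SIGHUP,
#              SIGINT or SIGTERM.
#
# SPDX-License-Identifier: MIT

set -euo pipefail

readonly IPV4_RULES=/etc/sysconfig/iptables
readonly IPV6_RULES=/etc/sysconfig/ip6tables

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a non-fatal diagnostic to stderr.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# Signal handler: report and exit non-zero so callers see the interruption.
error_exit() {
  die "Trapped a kill signal, exiting."
}
trap error_exit SIGHUP SIGINT SIGTERM

#######################################
# Write the default IPv4 ruleset (SSH only) if no rules file exists yet.
# Globals:   IPV4_RULES (read)
# Outputs:   progress message on stdout
# Returns:   0 on success; aborts via set -e if the file cannot be written
#######################################
write_ipv4_rules() {
  [[ -f "$IPV4_RULES" ]] && return 0
  printf '%s\n' "Adding basic IPv4 iptables config (SSH access only)..."
  cat << 'EOF' > "$IPV4_RULES"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

#######################################
# Write the default IPv6 ruleset (SSH only) if no rules file exists yet.
# Globals:   IPV6_RULES (read)
# Outputs:   progress message on stdout
# Returns:   0 on success; aborts via set -e if the file cannot be written
#######################################
write_ipv6_rules() {
  [[ -f "$IPV6_RULES" ]] && return 0
  printf '%s\n' "Adding basic IPv6 iptables config (SSH access only)..."
  cat << 'EOF' > "$IPV6_RULES"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

#######################################
# Install iptables-services, retire firewalld and bring up iptables/ip6tables.
# Outputs:   progress message on stdout, diagnostics on stderr
# Returns:   0 on success; exits 1 via die() when a required step fails
#######################################
switch_to_iptables() {
  printf '%s\n' "Disabling firewalld and enabling iptables/ip6tables..."
  yum -y install iptables-services || die "Failed to install iptables-services."

  # firewalld may not be installed on this host, so stopping/disabling it is
  # best-effort (as in the original flow); masking is attempted regardless so
  # nothing can pull the unit back in later.
  if systemctl stop firewalld; then
    systemctl disable firewalld || warn "could not disable firewalld."
  else
    warn "could not stop firewalld (not installed or not running?); continuing."
  fi
  systemctl mask firewalld.service || warn "could not mask firewalld.service."

  # From here on a failure leaves the host with no packet filter loaded, so
  # each step is fatal instead of being hidden behind an unconditional exit 0.
  systemctl start iptables.service || die "Failed to start iptables.service."
  systemctl enable iptables.service || die "Failed to enable iptables.service."
  systemctl start ip6tables.service || die "Failed to start ip6tables.service."
  systemctl enable ip6tables.service || die "Failed to enable ip6tables.service."
}

main() {
  # Everything below writes to /etc and drives systemd; fail early otherwise.
  (( EUID == 0 )) || die "This script must be run as root."

  # Rules files are created root-only (0600), matching the package-shipped
  # defaults, rather than inheriting the caller's umask.
  umask 077
  write_ipv4_rules
  write_ipv6_rules
  switch_to_iptables
  exit 0
}

main "$@"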