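#!/usr/bin/env bash
#
# Replace firewalld with iptables on RHEL type systems
#
# SPDX-License-Identifier: MIT
#
# Must be run as root. When /etc/sysconfig/iptables or
# /etc/sysconfig/ip6tables does not exist yet, a minimal "SSH in, everything
# else rejected" ruleset is written there; then firewalld is stopped, masked
# and disabled and iptables.service/ip6tables.service are started and
# enabled. Unlike the previous revision, which always exited 0, the exit
# status is non-zero if any step fails.

set -euo pipefail

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Signal handler: report the interruption and exit non-zero.
#######################################
error_exit() {
  echo "Trapped a kill signal, exiting." >&2
  exit 1
}
trap error_exit SIGHUP SIGINT SIGTERM

#######################################
# Write an iptables-save ruleset read from stdin to $1 unless $1 exists.
# The ruleset is written to a temp file next to the destination and
# renamed into place, so a failed write cannot leave a truncated file
# that iptables.service would restore on the next boot (and that the
# existence check above would then skip on a re-run). Mode 0600 matches
# what iptables-services ships for these files.
# Arguments: $1 - destination path
#            $2 - label used in the progress message ("IPv4"/"IPv6")
# Returns:   0 on success or when $1 already exists; dies on write error
#######################################
install_ruleset() {
  local dest=$1 label=$2 tmp
  if [[ -f "$dest" ]]; then
    return 0
  fi
  echo "Adding basic ${label} iptables config (SSH access only)..."
  tmp=$(mktemp "${dest}.XXXXXX") || die "cannot create temp file for ${dest}"
  if ! cat > "$tmp"; then
    rm -f -- "$tmp"
    die "cannot write ${tmp}"
  fi
  chmod 0600 -- "$tmp"
  mv -- "$tmp" "$dest" || die "cannot move ${tmp} to ${dest}"
}

#######################################
# Entry point: install rulesets, then swap firewalld for iptables.
# Globals:   EUID (read)
# Returns:   0 on success; exits 1 via die on any failed step
#######################################
main() {
  local svc

  # Every step below writes under /etc/sysconfig or talks to systemd; as a
  # non-root user the heredoc redirects would silently fail and yum would
  # then run anyway.
  (( EUID == 0 )) || die "must be run as root"

  install_ruleset /etc/sysconfig/iptables IPv4 <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

  install_ruleset /etc/sysconfig/ip6tables IPv6 <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF

  echo "Disabling firewalld and enabling iptables/ip6tables..."
  yum -y install iptables-services || die "failed to install iptables-services"

  # firewalld may be absent or already stopped on this host; neither is a
  # reason to abort, so its stop status is deliberately ignored.
  systemctl stop firewalld || true

  # Between firewalld going down and iptables coming up the host has no
  # packet filter, so start the iptables services immediately and do the
  # slower bookkeeping (mask/disable/enable) afterwards. A failure here is
  # fatal: continuing would leave the host unfiltered.
  for svc in iptables.service ip6tables.service; do
    systemctl start "$svc" || die "failed to start ${svc}"
  done

  # Masking keeps firewalld from being re-enabled by a later package update.
  systemctl disable firewalld || true
  systemctl mask firewalld.service || die "failed to mask firewalld.service"

  for svc in iptables.service ip6tables.service; do
    systemctl enable "$svc" || die "failed to enable ${svc}"
  done
}

main "$@"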