SCRIPTS/setup-firewall.sh at master · AHarmlessPyro/SCRIPTS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#!/usr/bin/env bash
set -euo pipefail

FORCE=0
for arg in "$@"; do
  case "$arg" in
    --force) FORCE=1 ;;
  esac
done

log() { echo "[setup-firewall] $*"; }
die() { log "ERROR: $*"; exit 1; }
trap 'die "failed at line ${LINENO} (exit $?)"' ERR

if [[ "${EUID}" -eq 0 ]]; then
  log "refusing to run as root/sudo. Run as a normal user; this step will use sudo internally as needed."
  exit 1
fi

if [[ ! -t 0 ]]; then
  log "stdin is not a TTY; skipping firewall setup."
  exit 0
fi

have_ufw=0
if command -v ufw >/dev/null 2>&1; then
  have_ufw=1
fi

if [[ "$FORCE" -eq 1 ]] || [[ "$have_ufw" -ne 1 ]]; then
  log "installing ufw"
  sudo apt-get update -y
  if [[ "$FORCE" -eq 1 ]]; then
    sudo apt-get install -y --reinstall ufw
  else
    sudo apt-get install -y ufw
  fi
fi

if ! command -v ufw >/dev/null 2>&1; then
  die "ufw not found after install"
fi

log "ensuring allow rules exist (all interfaces)"
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw allow 2222/tcp

log "enabling ufw (if not already enabled)"
ufw_status=""
if ufw_status="$(sudo ufw status 2>/dev/null)"; then
  :
else
  die "failed to read ufw status"
fi

is_active=0
if [[ "$ufw_status" == Status:\ active* ]]; then
  is_active=1
fi

if [[ "$is_active" -ne 1 ]] || [[ "$FORCE" -eq 1 ]]; then
  # --force avoids ufw's interactive "Proceed with operation (y|n)" prompt.
  sudo ufw --force enable
fi

log "ufw status:"
sudo ufw status verbose