#!/usr/bin/env bash
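set -euo pipefail

# --- preflight ---------------------------------------------------------------
# Nothing in this section touches firewall state; it only reads environment
# variables and aborts (to stderr, exit 1) when the run cannot be safe.

# ufw must exist even for a rehearsal, so that running this on the wrong host
# fails loudly instead of printing a plan that could never be applied.
if ! command -v ufw >/dev/null 2>&1; then
  echo "ufw is not installed on this host." >&2
  exit 1
fi

# Source network allowed to reach SSH. Deliberately no default: falling back
# to "any" would expose SSH to every address the moment the policy is enabled.
SSH_ALLOW_CIDR="${SSH_ALLOW_CIDR:-}"
# Port sshd listens on (default 22). Hosts with sshd on another port must set
# this, otherwise the reset/enable sequence below locks the operator out.
SSH_PORT="${SSH_PORT:-22}"
# DRY_RUN=1 (default) prints the ufw commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

if [[ -z "$SSH_ALLOW_CIDR" ]]; then
  echo "SSH_ALLOW_CIDR is required (example: SSH_ALLOW_CIDR=203.0.113.10/32)." >&2
  exit 1
fi

# Only 0 and 1 are meaningful. Anything else (e.g. "true", "yes") is rejected
# up front so a typo can never silently turn a rehearsal into live changes.
if [[ "$DRY_RUN" != "0" && "$DRY_RUN" != "1" ]]; then
  echo "DRY_RUN must be 0 or 1 (got '$DRY_RUN')." >&2
  exit 1
fi

# Validate the port here: ufw would reject a bad value itself, but in dry-run
# mode that rejection is never seen. 10# forces decimal (no octal surprises).
if ! [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  echo "SSH_PORT must be an integer between 1 and 65535 (got '$SSH_PORT')." >&2
  exit 1
fi

# ufw needs root to change rules. Checking before the first command gives a
# clear message instead of a failure part-way through the sequence.
if [[ "$DRY_RUN" == "0" && "$EUID" -ne 0 ]]; then
  echo "DRY_RUN=0 requires root (re-run with sudo)." >&2
  exit 1
fi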
#######################################
# Execute a command, or merely print it when rehearsing.
# Globals:   DRY_RUN (read) — the string "1" selects print-only mode
# Arguments: the command line to run, one word per argument
# Outputs:   dry-run: "+ <command line>" on stdout;
#            otherwise whatever the command itself writes
# Returns:   0 in dry-run mode; the command's exit status otherwise
#######################################
run_cmd() {
  # Live mode: hand the argument vector straight through, untouched.
  if [[ "$DRY_RUN" != "1" ]]; then
    "$@"
    return
  fi
  # Rehearsal: show the joined argument list, shell-trace style.
  printf '+ %s\n' "$*"
}
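echo "Applying UFW baseline policy (DRY_RUN=$DRY_RUN)..."

# Lockout guard. Once 'reset' runs every existing rule is gone, and the only
# way back in over SSH is the single allow rule staged below. If this shell
# arrived over SSH, tell the operator which client address has to fall inside
# SSH_ALLOW_CIDR before anything irreversible happens.
if [[ "$DRY_RUN" != "1" && -n "${SSH_CONNECTION:-}" ]]; then
  # SSH_CONNECTION is "client_ip client_port server_ip server_port"
  echo "Warning: this session comes from ${SSH_CONNECTION%% *}; it must be within SSH_ALLOW_CIDR=$SSH_ALLOW_CIDR or you will be locked out." >&2
fi

# Order matters: 'reset' also disables ufw, so the default policies and the
# SSH allow rule are staged while the firewall is off, and the final 'enable'
# brings up the complete rule set rather than a deny-all with no SSH hole.
run_cmd ufw --force reset
run_cmd ufw default deny incoming
run_cmd ufw default allow outgoing
# SSH only from the operator network. The port honours SSH_PORT when the
# caller exports it and falls back to 22 otherwise.
run_cmd ufw allow from "$SSH_ALLOW_CIDR" to any port "${SSH_PORT:-22}" proto tcp
# Public web ports, any source.
run_cmd ufw allow 80/tcp
run_cmd ufw allow 443/tcp
run_cmd ufw --force enable
# Print the resulting policy so the operator can confirm the SSH rule is present.
run_cmd ufw status verbose

echo "Done."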