#!/bin/bash
#
# Post-install firewall and fail2ban setup.
# Run after first reboot when firewalld and fail2ban are installed.
#
# Every firewall-cmd call uses --permanent, so rules are written to the saved
# configuration only and take effect at the single `firewall-cmd --reload`
# near the end. Because errexit is set, a failure part-way through stops the
# script before that reload: the saved configuration may then hold some of
# the rules while the running firewall is unchanged.
#
# noclobber only guards `>` redirections; it does not stop the `mv` at the
# bottom from overwriting an existing /etc/fail2ban/jail.local.
set -o errexit \
    -o pipefail \
    -o noclobber \
    -o nounset \
    -o errtrace \
    -o functrace

# Write one rule (or a set of options) to firewalld's permanent configuration.
# Arguments: firewall-cmd options, passed through unchanged ahead of --permanent.
add_permanent() {
  firewall-cmd "$@" --permanent
}

systemctl enable --now firewalld

# --- internal zone -----------------------------------------------------------
# Bind the three RFC 1918 private ranges to the "internal" zone so traffic
# from those source addresses is matched against the internal rule set.
add_permanent --zone=internal \
  --add-source=192.168.0.0/16 \
  --add-source=172.16.0.0/12 \
  --add-source=10.0.0.0/8

# Services reachable from the internal ranges only.
for svc in ssh dns samba; do
  add_permanent --zone=internal "--add-service=${svc}"
done

# Extra ports reachable from the internal ranges only (tcp and udp each).
for port in 5335 3129 9090; do
  for proto in tcp udp; do
    add_permanent --zone=internal "--add-port=${port}/${proto}"
  done
done
add_permanent --zone=internal --add-port=2222/tcp

# --- rules shared by the default zone and the internal zone ------------------
# A firewall-cmd call without --zone applies to firewalld's default zone, i.e.
# to sources that are NOT in the RFC 1918 ranges above.
# NOTE(review): everything in this list is therefore exposed beyond the
# private ranges, including 6881/tcp and the udp variants of 8080 and 4443.
# Confirm each one is meant to be reachable from outside, and check which
# zone is the default on this host (`firewall-cmd --get-default-zone`).
shared_rules=(
  --add-service=http
  --add-service=https
  --add-port=8080/tcp
  --add-port=8080/udp
  --add-port=4443/tcp
  --add-port=4443/udp
  --add-port=6881/tcp
)
for rule in "${shared_rules[@]}"; do
  add_permanent "$rule"
done
for rule in "${shared_rules[@]}"; do
  add_permanent --zone=internal "$rule"
done

# --- port forwards -----------------------------------------------------------
# Redirect 80 -> 8080 and 443 -> 4443 for both tcp and udp, presumably so the
# web service can listen on unprivileged ports.
# NOTE(review): the udp/80 forward is unlikely to carry real traffic; confirm
# whether it and 8080/udp above are needed, and drop them if not.
forward_rules=()
for mapping in 80:8080 443:4443; do
  for proto in tcp udp; do
    forward_rules+=("--add-forward-port=port=${mapping%%:*}:proto=${proto}:toport=${mapping##*:}")
  done
done
for rule in "${forward_rules[@]}"; do
  add_permanent "$rule"
done
for rule in "${forward_rules[@]}"; do
  add_permanent --zone=internal "$rule"
done

# Apply the permanent configuration to the running firewall.
firewall-cmd --reload

# --- fail2ban ----------------------------------------------------------------
# Put the jail configuration in place before the service is first started.
# mv keeps the file's owner and mode, and on the same filesystem also the
# SELinux label it had under /root; restorecon resets the label to the default
# for the new path.
# NOTE(review): confirm /root/jail.local is root-owned and not group- or
# world-writable before it becomes the active fail2ban configuration.
mv /root/jail.local /etc/fail2ban/jail.local
restorecon -v /etc/fail2ban/jail.local
systemctl enable --now fail2ban