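#!/bin/bash
# fortress_setup_ubuntu.sh - secure SSH fortress on Ubuntu with UFW
#
# Restricts inbound SSH (22/tcp) to a single "bouncer" host, leaves HTTP and
# HTTPS open to everyone, and denies all other inbound traffic.
#
# Operational notes:
#   * Run this from a session that originates at the bouncer, or keep
#     out-of-band console access available. Once UFW is enabled, new SSH
#     connections from any other address are refused.
#   * UFW rules are additive. An "allow" rule for port 22 that already exists
#     on this host (for example a broad OpenSSH rule) is NOT removed here, so
#     review the status output printed at the end before relying on the
#     restriction.
#   * This limits who can reach sshd at the network layer only; sshd's own
#     authentication settings are not changed by this script.

# -e: stop on the first failing command, so a failed rule never leads to
#     enabling a half-configured firewall.
# -u: treat an unset variable as an error rather than expanding it to "".
# -o pipefail: a failure in any pipeline stage fails the pipeline.
set -euo pipefail

# The only source address permitted to reach SSH.
readonly bouncer_ip="38.102.127.173"

echo "Updating package lists..."
# apt-get is used rather than apt because apt's command-line interface is
# not guaranteed stable for scripted use.
sudo apt-get update

echo "Installing UFW if not present..."
sudo apt-get install -y ufw

echo "Setting default UFW policies..."
sudo ufw default deny incoming
sudo ufw default allow outgoing

echo "Allowing SSH only from bouncer ($bouncer_ip)..."
# Quoted so the address always reaches ufw as exactly one argument.
sudo ufw allow from "$bouncer_ip" to any port 22 proto tcp comment 'Allow SSH from bouncer'

echo "Allowing inbound HTTP/HTTPS..."
sudo ufw allow 80/tcp comment 'Allow HTTP'
sudo ufw allow 443/tcp comment 'Allow HTTPS'

echo "Enabling UFW..."
# --force skips the interactive confirmation, which is the prompt that warns
# about disrupting existing SSH connections; see the notes at the top.
sudo ufw --force enable

echo "UFW Status:"
# Check this listing for any other rule that allows port 22.
sudo ufw status verbose

echo "SSH fortress is active! Only $bouncer_ip can connect via SSH."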