pcoeman
Verified User
Directadmin & KISS firewall on Debian 3.1
Sorry for my poor English.
Kiss is a script for running IPTables on a typical webserver. I did a few modifications to let it work on a Debian system. Kiss homepage: http://www.geocities.com/steve93138/
I used the "DA-KISS firewall on Fedora Core 2 (or 3)" and "DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0" howtos as a start for running the KISS firewall on two of my Debian webservers. This howto is nothing more than putting together all the info found in several postings and the time I lost configuring it.
Get and install kiss:
I did what was written on the Kiss homepage:
Login into your server with ssh and get root.
When logged in as root ("su -"), type:
cd /usr/bin
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
tar zxvf kiss-2.0.1.tar.gz
DO NOT START KISS. The chance is almost 100% that you are locked out of your server. The standard script IS NOT configured for working with DirectAdmin. Port 2222 is closed at this moment, just like port 22. So starting it now locks port 2222 used by DA and port 22 used by SSH. If you have locked yourself out: by restarting the server (manually by pushing the reset button, with a trouble ticket at your ISP helpdesk, or using your APC or whatever remote power switch) your problem is gone.
The changes
Use the editor you like and edit /usr/bin/kiss.
Do a search and replace on .o and replace it with .ko. In the original script these filenames are used: ip_tables.o, ipt_state.o, ipt_multiport.o, etc. But on Debian these files are named: ip_tables.ko, ipt_state.ko, ipt_multiport.ko, etc.
At the top of the file you see:
##############################################################################
#
# Optional KISS Configurtion Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 25 53 80 110 143 443 995 3306 8443 10000 19638"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
In TCP_IN you see port 8443 for Plesk, 10000 for Webmin and 19638 for Webpliance control panels. Delete these and put 2222 for DA in that row. For now, also put port 22 in it for SSH access. Your file is now something like this:
##############################################################################
#
# Optional KISS Configurtion Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 22 25 53 80 110 143 443 995 2222 3306"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
Now we do a second search and replace. Search for
MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'` and replace it by
MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`
Save your work and close your editor. At the prompt type: kiss start
This works fine for me.
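The three edits described in the post (module names .o to .ko, the TCP_IN port list, and the MAIN_IP grep), applied with sed and then checked before the firewall is started. This is an added example, not code from pcoeman's post or from the KISS project. It works on a constructed stand-in for the top of /usr/bin/kiss (the MODULES line and the kiss.orig comment are assumptions about the file's layout, not the real script), so it runs without root, iptables or a real kiss install. Unlike a blanket ".o" to ".ko" replace, the sed below only renames ip_tables/ipt_* module names, so text such as a file called kiss.orig is not turned into kiss.korig.

```shell
#!/bin/sh
# Added example, not code from pcoeman's post or from the KISS project: apply
# the three edits the post describes to a COPY of the kiss script with sed,
# then check the result before running "kiss start". Everything below
# operates on a constructed stand-in for the top of /usr/bin/kiss; the
# MODULES/insmod lines and the kiss.orig comment are assumptions.

# Write a constructed excerpt that contains the lines the post edits.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Optional KISS Configurtion Variables:
BLOCK_LIST=""
TCP_IN="20 21 25 53 80 110 143 443 995 3306 8443 10000 19638"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`
# compare with kiss.orig before editing (assumed comment; must stay ".orig")
MODULES="ip_tables.o ipt_state.o ipt_multiport.o"
for m in $MODULES; do /sbin/insmod $m; done
EOF
}

# Print the value of VAR="..." from FILE (empty if absent).
get_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Rewrite VAR="..." in FILE to VALUE via a temp file (portable, no sed -i).
set_var() {
    tmp="$1.tmp.$$"
    sed "s|^$2=\".*\"\$|$2=\"$3\"|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Apply the post's three changes to FILE.
patch_kiss() {
    f=$1
    tmp="$f.tmp.$$"
    # 1. Debian 3.1 with a 2.6 kernel ships .ko modules. Only ip_tables/ipt_*
    #    names are renamed (followed by a non-word char or end of line), so
    #    unrelated ".o" text such as "kiss.orig" is left alone.
    # 3. ifconfig prints "inet addr:" for IPv4 and "inet6 addr:" for IPv6;
    #    grepping for plain "inet" can pick up the wrong line.
    sed -e 's/\(ip[t_][a-z_]*\)\.o\([^a-zA-Z0-9_]\)/\1.ko\2/g' \
        -e 's/\(ip[t_][a-z_]*\)\.o$/\1.ko/' \
        -e 's/| grep inet |/| grep "inet addr" |/' "$f" > "$tmp" && mv "$tmp" "$f"
    # 2. Drop the Plesk/Webmin/Webpliance ports, open 2222 (DirectAdmin) and 22 (SSH).
    set_var "$f" TCP_IN "20 21 22 25 53 80 110 143 443 995 2222 3306"
}

# Check FILE before starting the firewall. Returns 0 when all three edits
# are in place, 1 otherwise, printing what is still wrong.
verify_kiss() {
    f=$1
    rc=0
    if grep -Eq 'ip(t|_)[a-z_]*\.o([^a-zA-Z0-9_]|$)' "$f"; then
        echo "still references .o kernel modules"; rc=1
    fi
    tcp_in=$(get_var "$f" TCP_IN)
    for p in 22 2222; do
        case " $tcp_in " in *" $p "*) ;; *) echo "TCP_IN lacks port $p"; rc=1 ;; esac
    done
    for p in 8443 10000 19638; do
        case " $tcp_in " in *" $p "*) echo "TCP_IN still opens port $p"; rc=1 ;; esac
    done
    grep -q 'grep "inet addr"' "$f" || { echo "MAIN_IP still greps plain inet"; rc=1; }
    return $rc
}

# Demo on the constructed sample (no root, no iptables needed).
demo=$(mktemp)
make_sample "$demo"
echo "before: TCP_IN=$(get_var "$demo" TCP_IN)"
patch_kiss "$demo"
echo "after:  TCP_IN=$(get_var "$demo" TCP_IN)"
if verify_kiss "$demo"; then
    echo "kiss patched OK; review the file, then run: kiss start"
fi
rm -f "$demo"
```

On a real server, run patch_kiss against a copy of /usr/bin/kiss, diff it against the original, and only then run verify_kiss and kiss start, ideally from a console or with a scheduled iptables flush as a fallback in case the lockout the post warns about still happens.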