DA-KISS firewall on Fedora Core 2 (or 3)

Aspegic

Wanting to install a firewall on my server and after hunting the web for a couple of hours I came to the conclusion that KISS was probably the best way to go. Especially since the DA guys were kind enough to create a custom version especially for use with DirectAdmin.

There is a thread about running KISS on DirectAdmin here.
In that thread someone mentions problems with installing KISS on Fedora Core 2 and 3 (apparently it runs fine on Core 1). The problem is that the KISS script ends with the following error message: "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!".
Unfortunately the thread ends without a solution to the problem.

After looking at the KISS script, the problem seems to be that it references the files ip_tables.o and ipt_state.o and ipt_multiport.o (located in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter).

However, in Fedora Core 2 and 3 these files do not exist. There are however files named ip_tables.ko and ipt_state.ko and ipt_multiport.ko, so the same filenames but different extensions (.ko vs .o).

Would it be enough to simply edit the KISS script and replace all reference to the .o files with .ko? Would that solve the problem?
 
It solves the problem on later versions of CentOS so it will probably solve it on later versions of Fedora.

It won't hurt to try.

Jeff
 
Thanks very much Jeff!

For future reference:

I finally got it working. There were 2 changes I had to make to the script:

1. change all references to .o files into .ko
2. change how the correct IP address is determined

On my system the command "ifconfig eth0" returns output like this:

Code:
eth0      Link encap:Ethernet  HWaddr 00:11:F2:B1:76:02
          inet addr:123.123.123.225  Bcast:123.123.123.255  Mask:255.255.255.0
          inet6 addr: 007b::112:3ffe:ffa3:603/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:127220 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93076 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11133911 (109.1 Mb)  TX bytes:26432390 (220.7 Mb)
so this line didn't work:

MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`

I changed it into this:

MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`

and now it works.

Thanks again!
 
Aspegic said:
I changed it into this:

MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`

and now it works.
Weird, because both of your lines return exactly the same thing on the output you posted.

Jeff
 
If I use the original line:
MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`
I get the following error messages:
Code:
# kiss start
Bad argument `fe80'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `fe80'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `fe80'
Try `iptables -h' or 'iptables --help' for more information.
With the modified line:
MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`
everything works fine.

Weird, because both of your lines return exactly the same thing on the output you posted.
On my system they produce different results:
Code:
# ifconfig eth0 | grep inet | cut -d: -f2
123.123.123.225  Bcast
 fe80
# ifconfig eth0 | grep "inet addr" | cut -d: -f2
123.123.123.225  Bcast
#
Using the original line, grep will find two lines in the output of ifconfig that contain the word "inet". The second one is the line that starts with "inet6". It appears that this causes the script to fail to extract the correct IP address.
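To make the difference visible without a Fedora box, here is an added example (not part of the thread or the KISS script) that runs the original and the corrected pipeline over constructed ifconfig output, plus a stricter variant that refuses anything that is not a dotted-quad IPv4 address. The `/sbin/ifconfig` path in `live_main_ip` is an assumption for live use.

```shell
# Constructed ifconfig output in the shape of the post above (addresses are made up).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:F2:B1:76:02
          inet addr:123.123.123.225  Bcast:123.123.123.255  Mask:255.255.255.0
          inet6 addr: fe80::211:f2ff:feb1:7602/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Original KISS pipeline: "inet" also matches the inet6 line, so a second
# value (here "fe80") leaks into MAIN_IP and ends up as a bad iptables argument.
naive_main_ip() {
    printf '%s\n' "$1" | grep inet | cut -d: -f2 | awk '{print $1}'
}

# The fix from the thread: "inet addr" cannot match "inet6 addr: ...".
fixed_main_ip() {
    printf '%s\n' "$1" | grep "inet addr" | cut -d: -f2 | awk '{print $1}'
}

# Stricter variant: take only the first "inet addr:" field and require a
# dotted quad, so a missing or odd address aborts instead of reaching iptables.
strict_main_ip() {
    ip=$(printf '%s\n' "$1" | awk '/inet addr:/ { sub(/^.*inet addr:/, ""); print $1; exit }')
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
        *.*.*.*) printf '%s\n' "$ip" ;;
        *) return 1 ;;
    esac
}

# Live use on a server (assumed path): ifconfig lives in /sbin, which cron
# and init scripts often do not have on PATH.
live_main_ip() {
    strict_main_ip "$(/sbin/ifconfig "${1:-eth0}" 2>/dev/null)"
}
```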
 
Yes; we don't configure the inet6 address.

I'll have to keep that in mind; it's the reason our system returns the same for both.

Should I update my kiss file?

Jeff
 
Thanks for your info, have DA-KISS up and running on CentOS 4.1 now.

Made the modifications you specified and thought I'd make the file available here:

http://dev.flummo.com/directadmin/kiss

Changes from Jeff's (jlasman) & KISS version:
- .o replaced by .ko
- grep "inet addr" instead of grep inet

All credit goes to jlasman, Aspegic and original author of KISS.
 
Of course! :D

While I've got your attention: I had some issues with your KISS file (bad interpreter: No such file or directory). It seems you've been editing it in Windows and forgot to save it in Unix format. I ran dos2unix on it, which solved it. :p
 
Pate said:
Of course! :D
Thanks. Will do.
It seems you've been editing it in Windows and forgot to save it in Unix format. I ran dos2unix on it, which solved it. :p
Very interesting, since I don't run Windows. (I do have one running Windows system, which I occasionally use at home, but my work desktop systems are either running RHL9 or Mandriva 2005 LE.)

Additionally I just logged on to the server and checked:
Code:
[root@da1 kiss]# ls -al
total 28
drwxr-xr-x    2 nobalone nobalone     4096 Apr 25 18:08 .
drwxr-xr-x   15 nobalone nobalone     4096 Aug  8 18:33 ..
-rw-r--r--    1 nobalone nobalone    17272 Apr 25 18:06 kiss
[root@da1 kiss]# cp kiss kiss.test
[root@da1 kiss]# dos2unix kiss.test
dos2unix: converting file kiss.test to UNIX format ...
[root@da1 kiss]# ls -al
total 48
drwxr-xr-x    2 nobalone nobalone     4096 Aug 30 11:29 .
drwxr-xr-x   15 nobalone nobalone     4096 Aug  8 18:33 ..
-rw-r--r--    1 nobalone nobalone    17272 Apr 25 18:06 kiss
-rw-------    1 root     root        17272 Aug 30 11:29 kiss.test
[root@da1 kiss]# diff kiss kiss.test
[root@da1 kiss]#
If you follow it you'll see that I made a copy of kiss in the download section, and then ran dos2unix on it, and then did a diff on the two files. They're both the same, which means that dos2unix didn't make any changes.

Might it have had something to do with your download?

Weird.

Jeff
 
Must have been my download then. Just thought it was your file since I noticed some other guys also having the same issues with that file in the other thread. :D
 
Aspegic said:
so this line didn't work:

MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`

I changed it into this:

MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`

and now it works.

Hello,

The script doesn't run on Fedora 3 with this modification, but if I don't modify this line and only change the .o, it runs. Bye.
 
I still do not get the meaning of "1. change all references to .o files into .ko".


Can anyone teach me how I can get or download the KISS Fedora 3 version, because I find that KISS cannot work with Fedora 2 and Fedora 3 systems.
 
For example, in the default KISS script you will find the following line (near line 143):

if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o" ]; then

you change this into:

if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then

You do this for every line in the script where you find a filename with the extension .o and change that into .ko.
That's because these files have a different filename extension in Fedora Core (as well as some other flavors of Linux) than they do in other distros. The files are the same, they just have different extensions. That's all there is to it.
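Rather than editing every .o reference by hand, the existence test can accept either extension. The following is an added example (not the KISS script itself and not from this thread's author) that checks the three modules named in the KISS abort message against a module directory, with a constructed .ko-only tree standing in for a Fedora Core 3 kernel; the `2.6.x-demo` directory name is a placeholder.

```shell
# Module names taken from the KISS abort message quoted in this thread.
KISS_MODULES="ip_tables ipt_state ipt_multiport"

# True when <dir>/<name>.o (2.4-era kernels) or <dir>/<name>.ko (2.6 kernels,
# e.g. Fedora Core 2/3) exists. Testing both lets one script serve both.
module_file_present() {
    [ -e "$1/$2.o" ] || [ -e "$1/$2.ko" ]
}

# Check every module KISS needs in <dir>; print the missing ones and return 1.
# On a real host <dir> is /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter.
check_kiss_modules() {
    dir=$1; missing=""
    for m in $KISS_MODULES; do
        module_file_present "$dir" "$m" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Self-contained demo: a constructed FC3-style tree that holds .ko files only,
# which is exactly the layout the original .o-only test could not see.
DEMO_ROOT=$(mktemp -d)
DEMO_NETFILTER="$DEMO_ROOT/lib/modules/2.6.x-demo/kernel/net/ipv4/netfilter"
mkdir -p "$DEMO_NETFILTER"
for m in $KISS_MODULES; do : > "$DEMO_NETFILTER/$m.ko"; done
check_kiss_modules "$DEMO_NETFILTER" && echo "all KISS modules found in $DEMO_NETFILTER"
```

The check only proves the files are on disk; the script still has to load them, which is the step the original abort message guards.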
 
I have followed the instruction ... but it showed :
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!


Can anyone share a KISS version for Fedora Core 3 for me to download?
 
kiss: removing port 22

In your script port 22 (SSH) is still open for everybody. To be on the safe side: can I just remove this port number from the TCP_IN line, together with filling in my own static IP address, so it looks like this:

TCP_IN="20 21 25 53 80 110 123 143 443 2222 3306 6277 8443 10000"
TCP_OUT="20 21 22 25 37 43 53 80 113 443 3306 6277"

UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="myipadress"
SERVER_IPS="0.0.0.0/0"
 
Be very careful if you only allow SSH for certain IP#s.

Most ISPs don't give static IP#s, but rather dynamic IP#s that don't change often.

But when they do you can no longer reach your server by SSH.

We did it up until a few years ago when our local ISP changed our IP#s one day with no warning.

Jeff
 
Hey guys, I just wanted to let everyone know that after the install of the firewall I was coming across a problem with the script. I was getting a:

line 1: ifconfig: command not found
Could not determine MAIN_IP. Firewall script aborted!

This is on CentOS 3.4, so to correct the problem I changed this line in the script

MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`

to:

MAIN_IP=`/sbin/ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`


Hope this helps someone out
 
In server IPs do you separate the IPs with a space or something else?

I tried using a space and it says bad command when it reaches the second IP I added.

Nick
 