How-to use KISS firewall on a Debian 3.1 server

Directadmin & KISS firewall on Debian 3.1

Sorry for my poor English.

Kiss is a script for running IPTables on a typical webserver. I did a few modifications to let it work on a debian system. Kiss homepage: http://www.geocities.com/steve93138/

I used theset DA-KISS firewall on Fedora Core 2 (or 3) & DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0 Howto's as start for running the KISS firewall on 2 of my Debian webservers. This Howto is nothing more than putting all the info found on several postings and the time I lost on configering it.


Get and install kiss:

I did what was written on the Kiss homepage:

Login into your server with ssh and get root.

When logged in as root ( "su -" ), type:
cd /usr/bin
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
tar zxvf kiss-2.0.1.tar.gz
DO NOT START KISS. The change is almost 100% that you are locked out of your server. The standard script IS NOT configured for working with Directadmin. Port 2222 is closed at this moment, just as port 22. So starting now lock port 2222 used by DA and port 22 used by SSH. If you have locked you out: by restarting the server (manual by pushing the reset button, a trouble ticket at your ISP helpdesk or using your APC or whatever remote power switch) your problem is gone.

The changes
Use your editor you like and edit /usr/bin/kiss.
Do a search and replace on .o and replace it by .ko. In the original script these filenames are used: ip_tables.o, ipt_state.o, ipt_multiport.o, etc. But on debian these files are named: ip_tables.ko, ipt_state.ko, ipt_multiport.ko, etc.

In top of the file you see:

##############################################################################
#
# Optional KISS Configurtion Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 25 53 80 110 143 443 995 3306 8443 10000 19638"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"

In TCP_IN you see port 8443 for Plex and 10000 for webmin and 19638 for Webpliance control panels. Delete these and put 2222 for DA in that row. For now, also put port 22 in it for ssh access. Your file is now something as this:

##############################################################################
#
# Optional KISS Configurtion Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 22 25 53 80 110 143 443 995 2222 3306"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"

Now we are doing a second search and replace. Search for
MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'` and replace it by
MAIN_IP=`ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`

Save your work and close your editor. On the prompt type: kiss start

This workes fine for me.

I did it like here above, and it looks like named gets blocked out when i start it. I cant acces domains but i can acces the ips really strange though

milan said:

I did it like here above, and it looks like named gets blocked out when i start it. I cant acces domains but i can acces the ips really strange though

Click to expand...

Hmmmm...

That's indeed a problem. Here it works on 2 servers. I put my complete working KISS script as a attach and mail it to you if you like.

pcoeman said:

Hmmmm...

That's indeed a problem. Here it works on 2 servers. I put my complete working KISS script as a attach and mail it to you if you like.

Click to expand...

as long as it doesnt contain hax

PM with email send

Does not work, It looks like that I am the only one having problems to view the websites. I thought it might be a cache problem of my pc. But on my notebook its the same.

When i open kiss.save i see this:

# All is well, load modules:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o" ]; then
$MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o" ]; then
$MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.o" ];$
$MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o" ]; then
$MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o" ]; then
$MODPROBE ipt_state

Could it be the problem .o ?

In the kiss file it is .ko

Your system uses either .o or .ko.

Match kiss to what your system uses.

Jeff

jlasman said:

Your system uses either .o or .ko.

Match kiss to what your system uses.

Jeff

Click to expand...

I did that. But it looks like kiss doesnt run stable on my box.

kiss doesn run at all.

It's a script; it merely sets some iptables configuration options.

iptables is the userspace interface to the netfilter firewall built into the linux kernel.

So can you give more details of what's not stable about it?

Jeff

it looks like it locks my server down with the good settings.

It's supposed to lock your server down .

Are you using the one I posted on these forums?

What specifically isn't working if it's installed?

Jeff

It in 1st hand locks only me from some sites when i put it up. But if i do stop kiss and then visit all the sites myself after that i put it up then im able to visit all the sites.

I did this earlier this week at night, the next day i go to my server if it all runs okey but it seemed down (locked). Then I asked my isp to reboot the server, they reply that the server has been rebooted but that there was a problem to mount /home. So they booted without mount /home. Then i checked the stats and it showed the server went down after 5 am. 5 am is the time of the cornjob DA backup.

I isntalled kiss as the HOWTO.

Have you resolved the problem with the broken home partition yet?

Does your kiss file have the following lines:

If you use ModernBill you'll need these lines instead:


Note that you can determine what's being blocked, and unblock it by making changes to the kiss file and restarting kiss.

Jeff

Yes the /home is running fine again.
Now im not using modernbill but Accountlab Plus from www.netenberg.com I'll try your settings now.


that was in my file

I edited kiss with pico.

dedi80:/usr/bin# kiss start
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 224.0.0.0/4 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.0/4
ACCEPT 2 -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 192.0.2.0/24 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113 reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:2222
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:6277
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:10000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 85.92.130.192 state NEW tcp spts:1024:65535 dpt:22
ACCEPT icmp -- 0.0.0.0/0 85.92.130.192 state NEW icmp type 8

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:37
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:2222
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:6277
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:53


KISS My Firewall - Running!

dedi80:/usr/bin#

the wierd thing is i cant view some of the sites that the server is running.

www.helponline.biz
www.uzi2.com
www.poisonousx.com

i can view
www.host-innovation.com
www.noxiousx.com

Okey I was trying this again today. I did kiss start again and got the same problem. sites are nog been displayed. When I pinged my main ip via windows CMD it gave me the response results. Then I pinged my 2nd ip with gave no results. Could that be the problem?

We don't change the kiss file .

We just change one of those lines at the top to add/delete ports.

But that's just us; someone else may have a better answer for you.

Jeff

i am using afp now, i dont have any problem.

Hello,

I've got a problem, when i start kiss firewall on debian i've got this error :

Opening /proc/modules: No such file or directory
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Click to expand...

But ip_tables, ipt_state and ipt_multiport are installed. I don't understand what is the problem. Please help me. Thanks. Bye.

Are they in the /proc/modules directory? Or are they somewhere else?

If they're somewhere else change the kiss script to point to them.

Do not create links to or from anything under the /proc directory; it's NOT a real directory tree.

Jeff