DA & Firewall

hawgjaw (Verified User; joined Oct 30, 2005; 8 messages)
Hope this is in the right place, guys, first off. Second, what is the best free firewall to use on a Red Hat 9.0 Unix server with DA installed? Mine's been hacked twice by those Turkish hackers and wanna try and slow them down maybe. Thanks in advance also.
 
When trying to start KISS I get the following error:

Code:
# kiss restart
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

iptables is installed, though.

Any thoughts?

Cheers

Nick
 
I got the same error trying KISS, but I'm not sure about iptables. How did you install them?
 
iptables was already installed.

Using Fedora, if you do yum search iptables it will list stuff within that search criteria and say if it's installed or not.
 
iptables is definitely there along with modprobe, and they are referenced correctly in KISS as well.

Code:
# locate /sbin/iptables
/sbin/iptables

# locate /sbin/modprobe
/sbin/modprobe
 
Yes, mine are there also. Now if we can just fix that error we would be good to go.
 
Managed to get KISS working under FC5.

Turns out ipt modules have changed from .o to .ko

Also ipt_state.o/ko has been removed and replaced with xt_state.


So to get KISS running do the following.

In KISS, replace all modules that end in .o to be .ko, as below:

Code:
# Note: KISS requires that ip_tables, ipt_state, and ipt_multiport exist:
if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
    exit 1
fi

# All is well, load modules:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
    $MODPROBE iptable_filter
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
    $MODPROBE ipt_unclean
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
    $MODPROBE ipt_limit
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko" ]; then
    $MODPROBE ipt_LOG
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
    $MODPROBE ipt_REJECT
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
    $MODPROBE ip_conntrack
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
    $MODPROBE ip_conntrack_irc
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
    $MODPROBE ip_conntrack_ftp
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
    $MODPROBE iptable_mangle
fi

You then need to create a symlink for ipt_state.ko, as FC5 (and some other OSes) now use xt_state instead.

Do the following
Code:
ln -s /lib/modules/$(uname -r)/kernel/net/netfilter/xt_state.ko /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko

You should then be able to use KISS.

The symlink also applies to APF as well.

Nick
 
In addition to this: In Fedora Core 8, I also had to make a symlink for ipt_multiport, the same way as for ipt_state to get KISS to work.
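
The error in this thread comes from testing for each module at one fixed path with one fixed extension. As an added example (not code from KISS, APF, or any poster in this thread), here is a check that resolves a module by name anywhere under the module tree and accepts the xt_ successor of an ipt_ module; the function names and the sample directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of KISS or APF. Directory layout below is constructed.

# find_nf_module MODROOT NAME: print the path of a file providing NAME.
# Tries the legacy ipt_ name, then its xt_ successor, with 2.4 (.o) and
# 2.6 (.ko, optionally compressed) suffixes, anywhere under MODROOT.
find_nf_module() {
    fm_root=$1
    fm_names=$2
    case $2 in
        ipt_*) fm_names="$2 xt_${2#ipt_}" ;;
    esac
    for fm_cand in $fm_names; do
        for fm_ext in ko o ko.gz ko.xz; do
            fm_hit=$(find "$fm_root" -name "$fm_cand.$fm_ext" 2>/dev/null | head -n 1)
            if [ -n "$fm_hit" ]; then
                printf '%s\n' "$fm_hit"
                return 0
            fi
        done
    done
    return 1
}

# check_required MODROOT NAME...: succeed only if every module resolves;
# name the missing ones on stderr so the abort message is actionable.
check_required() {
    cr_root=$1
    shift
    cr_missing=""
    for cr_mod in "$@"; do
        find_nf_module "$cr_root" "$cr_mod" >/dev/null || cr_missing="$cr_missing $cr_mod"
    done
    [ -z "$cr_missing" ] && return 0
    echo "missing netfilter modules:$cr_missing" >&2
    return 1
}

# Constructed FC5-style tree with empty placeholder files (no real modules).
make_sample_tree() {
    st_root=$(mktemp -d)
    mkdir -p "$st_root/kernel/net/ipv4/netfilter" "$st_root/kernel/net/netfilter"
    : > "$st_root/kernel/net/ipv4/netfilter/ip_tables.ko"
    : > "$st_root/kernel/net/netfilter/xt_state.ko"
    : > "$st_root/kernel/net/netfilter/xt_multiport.ko"
    printf '%s\n' "$st_root"
}

tree=$(make_sample_tree)
check_required "$tree" ip_tables ipt_state ipt_multiport && echo "all required modules found"
rm -rf "$tree"
```

On a live server the first argument would be `/lib/modules/$(uname -r)`. Modules compiled into the kernel have no file on disk, so a file-based check like this one still reports them as missing.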
 