DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

[nimafire]

hi,
What is the advantage of kiss to APF?
.What is a Your opinion as an expert.'s Strengths and weaknessesOF this firewall?
Because you're so stressed on the firewall and I want to know whether this program project progresses? And why you support this program ?

 

[nobaloney]

The above post was originally directed to me in a private message, so I'll take the liberty of being the first to respond.

I prefer KISS because of it's simplicity. For some people it may be too simple, because it doesn't automatically check for attacks and attempt to stop them.

The advantage of it is that it just works for me and for many others for whom I install it. It hasn't changed much in years, except to keep up with the names of the modules it has to check for, as the module names have been changed in various updated kernels.

I continue to maintain it and use it, and the up-to-date copies I maintain here should work on DirectAdmin servers. Note that you may need to make some changes depending on specific needs you have for certain ports to be open or closed, but the script is well documented and is easy to change.

It's a simple shell script and simply calls iptables. But for most of us it's much simpler than using either other firewall scripts or proramming iptables directly.

Note I did NOT have anything to do with writing it.

Jeff

 

[walo]

i requested this to be part of directadmin core, but they ignore it.
Kiss is just a iptables manager, VERY easy to integrate with directadmin.

Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local

/usr/bin/kiss start

There is no need to do this. Iptables will start with the same rules after reboot.

 

[walo]

hi,
What is the advantage of kiss to APF?
.What is a Your opinion as an expert.'s Strengths and weaknessesOF this firewall?
Because you're so stressed on the firewall and I want to know whether this program project progresses? And why you support this program ?

Kiss is just a script to handle iptables.
I recommend to use kiss on servers and an external hardware firewall for the hole network.

 

[nimafire]

And how can i install it?
becasue on mr jlasman directory :

kiss.kernel-2.8.16-and-newer
kiss.older-master

no installer or sh file.

tnx

 

[nobaloney]

i requested this to be part of directadmin core, but they ignore it.
Kiss is just a iptables manager, VERY easy to integrate with directadmin.

But it only works on Linux. It won't work on FreeBSD. So if it were to be integrated into DirectAdmin it would require something else for FreeBSD and a bit more complexity in installing and maintaining DirectAdmin.

There is no need to do this. Iptables will start with the same rules after reboot.

I don't see any kiss in code to output the commands to the iptables files. Do you?

Jeff

 

[nobaloney]

And how can i install it?

Read the file. The top lines tell you how to install it.

Jeff

 

[nimafire]

Read the file. The top lines tell you how to install it.

Jeff

mkdir /usr/local/sbin/kiss
chmod 700 root:root /usr/local/sbin/kiss
wget http://www.nobaloney.net/downloads/kiss/kiss.kernel-2.8.16-and-newer

am i right?

 

[nobaloney]

I install the file as /usr/local/sbin/kiss, not in a directory of that name.

Then I chmod it 700, and make sure the ownership is root.

Jeff

 

[nimafire]

Hi,
i want to install it on openvz VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!

 

[nobaloney]

Many VPS servers forward ethernet as a different name besides eth0. To find out what yours uses, run:

$ ifconfig

Jeff

 

[nimafire]

[root@da bin]# kiss status
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# chown 700 kiss
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]#

 

[nobaloney]

Did you modify the permissions as shown at the top of my file?

Jeff

 

[nimafire]

now i recive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!

 

[floyd]

Hi,
i want to install it on openvz VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!

Everywhere you see eth0 use venet0 instead.

 

[nobaloney]

now i recive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Is iptables installed? Does it work?

Use my other version to see if that works. Otherwise you may be using a kernel with a completely different set of modules. In that case you'll either need to figure it out on your own, use a different firewall, or contract with someone to log into your server to fix it for you.

We can do that; however we do charge for the service.

Jeff

 

[AndriesLouw]

Jlasman: Could you create, or modify the existing DA-KISS, to support IPv6 (and specific ip6tables)?

 

[nobaloney]

Unfortunately I don't have IPv6 either in my office or my datacenter, so I can't test anything, and therefore I don't have the ability right now. I'll look into what I can do, but I have no idea how long it might take.

Are any of the firewalls currently used and discussed in these forums working yet with IPv6?

Jeff

 

[AndriesLouw]

Currently I'm using the following script for IPv6, like I use KISS self:

#!/bin/sh -e
#
# Simple example IPv6 Firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces
# if you want to restrict this to only a given interface use
# '-i INTERFACE' in the ip6tables calls.
# - Remote access for TCP/UDP services is granted to any host,
# you probably will want to restrict this using '--source'.
#
# description: Activates/Deactivates the firewall at boot time
#
# You should test this script before applying with safe-restart option
#

IP6TABLES=/sbin/ip6tables
#IP6TABLES="/sbin/ip6tables -i eth0"

[ -x "$IP6TABLES" ] || exit 1

# Inbound TCP ports
TCP_INPUT_PORTS="21 22 25 80 443"

# Inbound UDP ports
UDP_INPUT_PORTS=""

# Allowed ICMP messages
ALLOWED_ICMP="\
packet-too-big \
destination-unreachable \
time-exceeded parameter-problem \
echo-request \
echo-reply \
router-advertisement \
neighbour-solicitation \
neighbour-advertisement"

fw_start () {
# Allow related and established connection.
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP as defined in ALLOWED_ICMP
if [ -n "$ALLOWED_ICMP" ] ; then
 for ICMP_TYPE in $ALLOWED_ICMP; do
  $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
 done
fi

# Open allowed TCP ports if any
if [ -n "$TCP_INPUT_PORTS" ] ; then
 for PORT in $TCP_INPUT_PORTS; do
  $IP6TABLES -A INPUT -m state --state NEW -p tcp --dport ${PORT} \
  -j ACCEPT
 done
fi

# Open allowed UDP ports if any
if [ -n "$UDP_INPUT_PORTS" ] ; then
 for PORT in $UDP_INPUT_PORTS; do
  $IP6TABLES -A INPUT -m state --state NEW -p udp --dport ${PORT} \
  -j ACCEPT
 done
fi

$IP6TABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow traffic to the loopback (needed by some applications)
$IP6TABLES -A INPUT -i lo -j ACCEPT

# Log and drop all other packets.
$IP6TABLES -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
#$IP6TABLES -A INPUT -j LOG
#$IP6TABLES -P INPUT DROP

# Los and drop all packet to be forwarded, we're not a router...
$IP6TABLES -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
#$IP6TABLES -A FORWARD -j LOG
#$IP6TABLES -P FORWARD DROP

# We're not going to filter outgoing packets
# but you can if you're paranoid like I am...
$IP6TABLES -P OUTPUT ACCEPT
}

# fw_stop disables completely the firewall and reset all chains to
# the default policy ACCEPT
fw_stop () {
  $IP6TABLES -P INPUT ACCEPT
  $IP6TABLES -P FORWARD ACCEPT
  $IP6TABLES -P OUTPUT ACCEPT
  $IP6TABLES -t mangle -P PREROUTING ACCEPT
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT
  $IP6TABLES -t mangle -P INPUT ACCEPT
  $IP6TABLES -t mangle -P OUTPUT ACCEPT
  $IP6TABLES -t mangle -P FORWARD ACCEPT
  $IP6TABLES -t mangle -F
  $IP6TABLES -t mangle -X
  $IP6TABLES -F
  $IP6TABLES -X
}

# fw_clear remove the rule set from the firewall and keep the
# current default policy
fw_clear () {
  $IP6TABLES -t mangle -F
  $IP6TABLES -t mangle -X
  $IP6TABLES -F
  $IP6TABLES -X
}

case "$1" in
  start|restart)
    echo -n "Starting IPv6 firewall.."
    fw_clear
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping IPv6 firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing IPv6 firewall rules.."
    fw_clear
    echo "done."
    ;;
  test|safe-restart)
    echo -n "Safely restarting IPv6 firewall..."
    fw_clear
    fw_start
    test=""; read -t 10 -p "Is it still OK? " test ; \
    [ -z "$test" ] && fw_stop
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|safe-restart|clear}"
    exit 1
    ;;
esac

exit 0

But it is far from perfect, maybe someone could finish it..

P.S.: The safe-restart feature I use here, would be wonderful to have in KISS too!