DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
Hi,
What is the advantage of KISS over APF?
What is your opinion, as an expert, of the strengths and weaknesses of this firewall?
Because you put so much stress on this firewall, I want to know whether this project is progressing, and why you support this program?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
The above post was originally directed to me in a private message, so I'll take the liberty of being the first to respond.

I prefer KISS because of its simplicity. For some people it may be too simple, because it doesn't automatically check for attacks and attempt to stop them.

The advantage of it is that it just works for me and for many others for whom I install it. It hasn't changed much in years, except to keep up with the names of the modules it has to check for, as the module names have been changed in various updated kernels.

I continue to maintain it and use it, and the up-to-date copies I maintain here should work on DirectAdmin servers. Note that you may need to make some changes depending on specific needs you have for certain ports to be open or closed, but the script is well documented and is easy to change.

It's a simple shell script and simply calls iptables. But for most of us it's much simpler than using either other firewall scripts or programming iptables directly.

Note I did NOT have anything to do with writing it.

Jeff
 

walo

Verified User
Joined
Mar 19, 2005
Messages
162
I requested this to be part of the DirectAdmin core, but they ignored it.
KISS is just an iptables manager, VERY easy to integrate with DirectAdmin.

Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local

/usr/bin/kiss start
There is no need to do this. Iptables will start with the same rules after reboot.
 

walo

Verified User
Joined
Mar 19, 2005
Messages
162
Hi,
What is the advantage of KISS over APF?
What is your opinion, as an expert, of the strengths and weaknesses of this firewall?
Because you put so much stress on this firewall, I want to know whether this project is progressing, and why you support this program?
KISS is just a script to handle iptables.
I recommend using KISS on servers and an external hardware firewall for the whole network.
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
And how can I install it?
Because in Mr. jlasman's directory:

kiss.kernel-2.8.16-and-newer
kiss.older-master

there is no installer or .sh file.

Thanks
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I requested this to be part of the DirectAdmin core, but they ignored it.
KISS is just an iptables manager, VERY easy to integrate with DirectAdmin.
But it only works on Linux. It won't work on FreeBSD. So if it were to be integrated into DirectAdmin it would require something else for FreeBSD and a bit more complexity in installing and maintaining DirectAdmin.
There is no need to do this. Iptables will start with the same rules after reboot.
I don't see any code in KISS to output the commands to the iptables files. Do you?

Jeff
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
I install the file as /usr/local/sbin/kiss, not in a directory of that name.

Then I chmod it 700, and make sure the ownership is root.

Jeff
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
Hi,
I want to install it on an OpenVZ VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Many VPS servers expose ethernet under a name other than eth0. To find out what yours uses, run:
Code:
$ ifconfig
Jeff
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
[root@da bin]# kiss status
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# chown 700 kiss
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]#
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
Now I receive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,310
Hi,
I want to install it on an OpenVZ VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!
Everywhere you see eth0 use venet0 instead.
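As an added illustration (not code from KISS or from any poster here), a POSIX sh function that takes a preference list of interfaces, so the MAIN_IP lookup falls back to venet0 when eth0 does not exist instead of aborting; the `ip -o -4 addr show` output it parses is constructed sample data.

```shell
#!/bin/sh
# Pick the main interface and IPv4 address from a preference list instead of
# hard-coding eth0, so the script does not abort with "Could not determine
# MAIN_IP" on an OpenVZ container that only has venet0.
main_ip_from_addrs() {
    candidates=$1     # e.g. "eth0 venet0", most preferred first
    addrs=$2          # text of: ip -o -4 addr show (one address per line)
    for ifc in $candidates; do
        # Field 2 is the device name, field 4 the CIDR address; "scope host"
        # entries such as 127.0.0.2/32 on venet0 are skipped.
        ip=$(printf '%s\n' "$addrs" | awk -v want="$ifc" '
            $2 == want && $3 == "inet" && /scope global/ {
                sub(/\/.*/, "", $4); print $4; exit }')
        if [ -n "$ip" ]; then
            printf '%s %s\n' "$ifc" "$ip"
            return 0
        fi
    done
    return 1    # none of the candidates exists or has a global address
}

# Constructed sample output, as seen inside an OpenVZ container (no eth0).
OPENVZ_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: venet0    inet 127.0.0.2/32 scope host venet0\       valid_lft forever preferred_lft forever
3: venet0    inet 203.0.113.5/32 brd 203.0.113.5 scope global venet0:0\       valid_lft forever preferred_lft forever'

# Constructed sample output from a dedicated server with a normal eth0.
DEDICATED_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

main_ip_from_addrs "eth0 venet0" "$OPENVZ_ADDRS"      # venet0 203.0.113.5
main_ip_from_addrs "eth0 venet0" "$DEDICATED_ADDRS"   # eth0 192.0.2.10
# On a live box: MAIN=$(main_ip_from_addrs "eth0 venet0" "$(ip -o -4 addr show)") || exit 1
```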
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Now I receive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Is iptables installed? Does it work?

Use my other version to see if that works. Otherwise you may be using a kernel with a completely different set of modules. In that case you'll either need to figure it out on your own, use a different firewall, or contract with someone to log into your server to fix it for you.

We can do that; however we do charge for the service.

Jeff
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Unfortunately I don't have IPv6 either in my office or my datacenter, so I can't test anything, and therefore I don't have the ability right now. I'll look into what I can do, but I have no idea how long it might take.

Are any of the firewalls currently used and discussed in these forums working yet with IPv6?

Jeff
 

AndriesLouw

Verified User
Joined
Jan 4, 2008
Messages
28
Location
Sneek, Netherlands
Currently I'm using the following script for IPv6, in the same way I use KISS itself:

Code:
#!/bin/bash -e
# bash rather than sh: the safe-restart target uses read -t/-p, which are bash-only
#
# Simple example IPv6 Firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces
# if you want to restrict this to only a given interface use
# '-i INTERFACE' in the ip6tables calls.
# - Remote access for TCP/UDP services is granted to any host,
# you probably will want to restrict this using '--source'.
#
# description: Activates/Deactivates the firewall at boot time
#
# You should test this script before applying with safe-restart option
#

IP6TABLES=/sbin/ip6tables
#IP6TABLES="/sbin/ip6tables -i eth0"

[ -x "$IP6TABLES" ] || exit 1

# Inbound TCP ports
TCP_INPUT_PORTS="21 22 25 80 443"

# Inbound UDP ports
UDP_INPUT_PORTS=""

# Allowed ICMP messages
ALLOWED_ICMP="\
packet-too-big \
destination-unreachable \
time-exceeded \
parameter-problem \
echo-request \
echo-reply \
router-advertisement \
neighbour-solicitation \
neighbour-advertisement"

fw_start () {
# Allow related and established connection.
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP as defined in ALLOWED_ICMP
if [ -n "$ALLOWED_ICMP" ] ; then
 for ICMP_TYPE in $ALLOWED_ICMP; do
  $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
 done
fi

# Open allowed TCP ports if any
if [ -n "$TCP_INPUT_PORTS" ] ; then
 for PORT in $TCP_INPUT_PORTS; do
  $IP6TABLES -A INPUT -m state --state NEW -p tcp --dport ${PORT} \
  -j ACCEPT
 done
fi

# Open allowed UDP ports if any
if [ -n "$UDP_INPUT_PORTS" ] ; then
 for PORT in $UDP_INPUT_PORTS; do
  $IP6TABLES -A INPUT -m state --state NEW -p udp --dport ${PORT} \
  -j ACCEPT
 done
fi

$IP6TABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow traffic to the loopback (needed by some applications)
$IP6TABLES -A INPUT -i lo -j ACCEPT

# Reject all other packets (the LOG rule and DROP policy below are the alternative).
$IP6TABLES -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
#$IP6TABLES -A INPUT -j LOG
#$IP6TABLES -P INPUT DROP

# Reject all packets to be forwarded, we're not a router...
$IP6TABLES -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
#$IP6TABLES -A FORWARD -j LOG
#$IP6TABLES -P FORWARD DROP

# We're not going to filter outgoing packets
# but you can if you're paranoid like I am...
$IP6TABLES -P OUTPUT ACCEPT
}

# fw_stop disables completely the firewall and reset all chains to
# the default policy ACCEPT
fw_stop () {
  $IP6TABLES -P INPUT ACCEPT
  $IP6TABLES -P FORWARD ACCEPT
  $IP6TABLES -P OUTPUT ACCEPT
  $IP6TABLES -t mangle -P PREROUTING ACCEPT
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT
  $IP6TABLES -t mangle -P INPUT ACCEPT
  $IP6TABLES -t mangle -P OUTPUT ACCEPT
  $IP6TABLES -t mangle -P FORWARD ACCEPT
  $IP6TABLES -t mangle -F
  $IP6TABLES -t mangle -X
  $IP6TABLES -F
  $IP6TABLES -X
}

# fw_clear remove the rule set from the firewall and keep the
# current default policy
fw_clear () {
  $IP6TABLES -t mangle -F
  $IP6TABLES -t mangle -X
  $IP6TABLES -F
  $IP6TABLES -X
}

case "$1" in
  start|restart)
    echo -n "Starting IPv6 firewall.."
    fw_clear
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping IPv6 firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing IPv6 firewall rules.."
    fw_clear
    echo "done."
    ;;
  test|safe-restart)
    echo -n "Safely restarting IPv6 firewall..."
    fw_clear
    fw_start
    test=""; read -t 10 -p "Is it still OK? " test || true
    # A timeout makes read return non-zero; with -e that would end the script
    # before the rollback, so ignore its status and let the empty answer decide.
    [ -z "$test" ] && fw_stop
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|safe-restart|clear}"
    exit 1
    ;;
esac

exit 0
But it is far from perfect; maybe someone could finish it.

P.S.: The safe-restart feature I use here would be wonderful to have in KISS too!
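Added here as an example, not part of the script above and not code from KISS: the same rollback-on-timeout idea in plain POSIX sh, which a /bin/sh script like KISS could adopt without bash's `read -t`. The `kiss start`/`kiss stop` commands in the usage comment are assumed; the demo at the bottom uses stand-in functions instead of real ip6tables calls.

```shell
#!/bin/sh
# "Safe restart" for a /bin/sh firewall script: apply the new rules, then a
# background watchdog rolls them back after TIMEOUT seconds unless
# safe_confirm is run first, so a rule that locks you out undoes itself.
# Usage in a KISS-style script (assumed command names):
#   safe_apply "kiss start" "kiss stop" 30    # apply, watchdog armed
#   ...reconnect over SSH, then run:  safe_confirm
SAFE_TOKEN=""
SAFE_WATCHDOG_PID=""

safe_apply() {
    apply=$1; rollback=$2; timeout=$3
    SAFE_TOKEN=$(mktemp) || return 1
    $apply
    # The watchdog only rolls back while the token file still exists;
    # safe_confirm deletes it, which disarms the watchdog.
    (
        sleep "$timeout"
        if [ -e "$SAFE_TOKEN" ]; then
            rm -f "$SAFE_TOKEN"
            echo "no confirmation within ${timeout}s, rolling back" >&2
            $rollback
        fi
    ) &
    SAFE_WATCHDOG_PID=$!
}

safe_confirm() {
    # Run by the admin once the session still works: keep the new rules.
    rm -f "$SAFE_TOKEN"
}

# Self-contained demo with stand-in commands instead of ip6tables calls.
demo_apply()    { echo "rules applied"; }
demo_rollback() { echo "rules rolled back"; }
safe_apply demo_apply demo_rollback 1
wait "$SAFE_WATCHDOG_PID"       # nobody confirmed: prints "rules rolled back"
safe_apply demo_apply demo_rollback 1
safe_confirm
wait "$SAFE_WATCHDOG_PID"       # confirmed in time: the rules stay
```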
 