DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

Hi,

I changed it to:

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT

##############################################################################



Kiss stop then start

I can still only ping the MAIN server IP, but the 2 DNS IPs and dedicated IPs I can't ping.

Any ideas? :confused:
 
Are you trying to ping your main IP or an additional IP?

Also make sure you don't have outgoing pings blocked on the machine you're pinging from.

Chris
 
Hi,

I can ping the main IP fine, I just want to be able to ping additional IPs on the server, such as the IPs used for separate accounts, DNS IPs etc.

:)
 
Replace the 1 line I specified above with:

Code:
for serverips in $SERVER_IPS; do
        $IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

Let me know if it works ok :)

Chris
 
ProWebUK said:
Replace the 1 line I specified above with:

Code:
for serverips in $SERVER_IPS; do
        $IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

Let me know if it works ok :)

Chris

I did:

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

##############################################################################

Still nothing :\
 
Can you ping these IPs when KISS is disabled? Can you access the IPs through HTTP or any other protocol?

The IPs you want are listed in your SERVER_IPS variable as well?

Chris
 
I can ping all IPs when KISS is off
I can ping the main IP only when KISS is on

I can access all IPs via HTTP.

The IPs you want are listed in your SERVER_IPS variable as well?

All IPs are added inside DA: 1 is main, 2 are DNS, 1 is a dedicated IP for a site, and the 5th one is just not used.
 
At the top of the KISS file you should see a line

SERVER_IPS="0.0.0.0/0"

add your server IPs there, separated by a space: "1.2.3.4 1.2.3.4"

Chris
 
OK, I added the IPs and also:

# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT



Now I ping again, still won't work. :confused:
It's no big deal if there isn't any fix for it; I'll just live with it.
 
Once you add them to the SERVER_IPS variable, use the 3-line script I provided rather than the other...

for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


Chris
 
Great, working now.

One more thing: now when I start KISS I get an error:

kiss start
/usr/bin/kiss: line 469: NEW: command not found


Any idea?
 
pico -w +469

Paste that line and a few lines above it...

From the sounds of things you have added:

$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT

rather than 1 line as it should be:

$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT

Since the error says it's trying to execute the command "NEW", which of course is just part of the --state flag used by iptables, not a bash command.

Chris
 
If I use the default config and don't add to /etc/rc.d/rc.local, I will never be locked out of my box?
 
You should never be locked out of your box unless you take ssh out of the allowed ports, add your own IP to the blocklist or remove all IPs from the allowed IP list.

If you have SSH running on another port you will need to configure it, since it's only allowing port 22 for SSH as default.

Chris
 
So, is it possible that you explain the KISS config a bit?

-BLOCK_LIST=""
block an ip from connecting to any port on the box?
-TCP_IN="21 25 53 80 110 143 443 2222"
?
-TCP_OUT="21 22 25 37 43 53 80 443"
?
-UDP_IN="53"
?
-UDP_OUT="53"
?
-TCP_IN_TRUSTED="22"
?
-TRUSTED_IPS="0.0.0.0/0"
Can I enter here the IPs I use to connect to the box? (Or better not, because my IP is not static.)

-SERVER_IPS="0.0.0.0/0"
?
 
sander815 said:
So, is it possible that you explain the KISS config a bit?

-BLOCK_LIST=""
block an ip from connecting to any port on the box?

-TCP_IN="21 25 53 80 110 143 443 2222"
TCP Inbound ports

-TCP_OUT="21 22 25 37 43 53 80 443"
TCP Outbound ports

-UDP_IN="53"
UDP Inbound ports

-UDP_OUT="53"
UDP Outbound ports

-TCP_IN_TRUSTED="22"
TCP Inbound ports only accessible by IP addresses listed in the TRUSTED_IPS var (22 - ssh)

-TRUSTED_IPS="0.0.0.0/0"
Can I enter here the IPs I use to connect to the box? (Or better not, because my IP is not static.) Yes, or leave the current option to allow all IP addresses to connect.

-SERVER_IPS="0.0.0.0/0"
All the IP addresses bound to your system can be listed here, although the current option works fine unless you want pings etc. as discussed above.


?

All in the quote :)

Chris
 
Is there an option to see KISS is working OK, like an online scanner or something?

I doesent link new not welcome visits...
 
ping / telnet

"I doesent link new not welcome visits..."

What do you mean?

Chris
 
@ ProWebUK: I sent a PM

To close a port, on what option do I need to add it?
Or can I remove the port number on:
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"

I don't use 443, so I'd like to close that port.
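An added example (not the KISS script and not from any poster here) covering Chris's explanation of the config variables above and the question of closing 443: it builds the iptables rules that a KISS-style variable set implies, so you can see what each variable opens before applying it. IPTABLES defaults to `echo iptables`, so running it prints the rules instead of changing the firewall. The addresses are constructed from the RFC 5737 documentation ranges, eth0 is taken from the rules quoted in the thread, and the rule shapes are the ones quoted there plus an assumed `-p tcp --dport` form for TCP_IN. The `remove_port` helper rests on the assumption, supported by Chris's remark that removing SSH from the allowed ports locks you out, that KISS is default-deny: a port that is not in TCP_IN gets no ACCEPT rule and is therefore closed.

```shell
#!/bin/sh
# Added example: render KISS-style variables into iptables rules.
# Default to printing the rules; set IPTABLES=iptables to really apply them.
IPTABLES=${IPTABLES:-"echo iptables"}

# Constructed settings modelled on the defaults quoted in the thread.
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="203.0.113.10"        # example admin address; 0.0.0.0/0 would mean everyone
SERVER_IPS="192.0.2.1 192.0.2.2"  # example addresses bound to the server
UDP_IN="53"

# TCP_IN: inbound TCP ports open to any source address.
open_tcp_in() {
    for port in $TCP_IN; do
        $IPTABLES -A INPUT -i eth0 -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# TCP_IN_TRUSTED: inbound TCP ports reachable only from TRUSTED_IPS
# (least privilege for SSH: one rule per trusted source, none for anyone else).
open_tcp_in_trusted() {
    for port in $TCP_IN_TRUSTED; do
        for ip in $TRUSTED_IPS; do
            $IPTABLES -A INPUT -s "$ip" -i eth0 -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
}

# UDP_IN: inbound UDP ports open to any source address.
open_udp_in() {
    for port in $UDP_IN; do
        $IPTABLES -A INPUT -i eth0 -p udp --dport "$port" -j ACCEPT
    done
}

# SERVER_IPS: allow ping to every address bound to the server (the fix from the thread,
# one rule per address rather than only MAIN_IP).
allow_ping() {
    for ip in $SERVER_IPS; do
        $IPTABLES -A INPUT -d "$ip" -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
    done
}

# Closing a port means taking it out of the list, assuming a default-deny policy:
# remove_port "<list>" <port> prints the list without that port.
remove_port() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="$out $p"
    done
    echo "${out# }"
}

# Stand-alone run: show the rules, then show TCP_IN with 443 closed.
open_tcp_in
open_tcp_in_trusted
open_udp_in
allow_ping
echo "TCP_IN without 443: $(remove_port "$TCP_IN" 443)"
```

Reading the printed rules is the quickest way to confirm what a variable change does: a port that appears in no `--dport` rule is closed, and SSH shows up only with the `-s` source restriction.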
 