DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

Which link?

I have a copy of Kiss specifically designed to work on DA servers in a hosting environment.

If enough people need it and can't get it from the original site, I'll post it on my download pages.

Jeff
 
Thanks, the first post link is dead.

But I downloaded the file from rfxnetwork, then installed it, and everything is OK.
 
I still have probs with ftping when kiss is running, in passive mode. What am I doing wrong?

PHP:
##############################################################################
#
# Optional KISS Configuration Variables:
#
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222 10000"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
 
Kiss requires a module installed for your kernel:

if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o" ]; then
    $MODPROBE ip_conntrack_ftp
fi

Is ip_conntrack_ftp.o available for dynamic loading on your server?

Jeff
 
Uhm, I think so?:
[root@server01 mysql]# locate ip_conntrack_ftp.o
/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
[root@server01 mysql]#
 
At first glance I don't see any problem.

If you want a "free as in beer" solution you might want to post on a forum specializing in the kiss firewall, or contact the author.

Or if you know or want to learn the details of iptables, you could try a good Linux help group; isp-linux.com or isp-webhosting.com are probably good places to start.

Or perhaps use a consultant (hopefully one who guarantees results) to resolve the issue for you.

Jeff
 
Hi Jeff,

They are referring to the link in the first post to download the Kiss Firewall. The link is no longer valid.

Regards,
Onno
 
Has anyone found another location, or should I post it and change the first post?

Jeff
 
I found it at the original location here.

My version modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here.

Jeff
 
I should probably do a diff and figure out what's wrong with the original.

I guess I'll have to take the time unless you can tell me in a few words what the differences were.

Since I'm busy as a ... (well you know what I mean), can you?

Thanks :)

Jeff
 
The problem is the links for ip_tables, ipt_state, ipt_multiport. In your script you test if the modules exist and the links are ip_tables.o or ipt_state.o or ipt_multiport.o, but to run on Fedora the links must be ip_tables.ko, ipt_state.ko and ipt_multiport.ko, and with that it's running. My modification is:

Code:
 # Note: KISS requires that ip_tables, ipt_state, and ipt_multiport exist:
if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
    exit 1
fi

# All is well, load modules:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
    $MODPROBE iptable_filter
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
    $MODPROBE ipt_unclean
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
    $MODPROBE ipt_limit
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko" ]; then
    $MODPROBE ipt_LOG
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
    $MODPROBE ipt_REJECT
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
    $MODPROBE ip_conntrack
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
    $MODPROBE ip_conntrack_irc
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
    $MODPROBE ip_conntrack_ftp
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
    $MODPROBE iptable_mangle
fi

Sorry for my bad English, it's very difficult for me to explain that in English ;o). Thanks for your script jlasman. Bye.
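
A suffix-agnostic version of the module check discussed in the post above, as an added example that is not part of the original post or of the KISS script. The helper names (`module_file`, `module_available`, `missing_modules`) and the `MODROOT` override are hypothetical; it generalizes the `.o` versus `.ko` fix to compressed and built-in modules as well.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not from the KISS script.
# MODROOT can be overridden to test against a constructed module tree.
MODROOT="${MODROOT:-/lib/modules/$(uname -r)}"

# Print the first module file found for $1, whatever its suffix:
# .o (2.4 kernels), .ko (2.6 and later), or compressed .ko.gz/.ko.xz.
module_file() {
    find "$MODROOT" -type f \
        \( -name "$1.o" -o -name "$1.ko" -o -name "$1.ko.*" \) \
        2>/dev/null | head -n 1
}

# Succeed if $1 is loadable from disk or compiled into the kernel
# (newer kernels list built-in modules in modules.builtin).
module_available() {
    [ -n "$(module_file "$1")" ] && return 0
    [ -f "$MODROOT/modules.builtin" ] &&
        grep -q "/$1\.ko\$" "$MODROOT/modules.builtin"
}

# Print the names from "$@" that are not available; fail if any are missing.
missing_modules() {
    missing=""
    for m in "$@"; do
        module_available "$m" || missing="$missing $m"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Usage in a firewall script (commented out so sourcing has no side effects):
# if ! lost=$(missing_modules ip_tables ipt_state ipt_multiport); then
#     echo "Missing modules: $lost. Firewall script aborted!"
#     exit 1
# fi
```

Because the check no longer hard-codes a path or suffix, the same script aborts cleanly on a host that really lacks the required modules instead of aborting on every distribution whose module files are named differently.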
 
It's not my script; I found it on the 'net after reading about it in these forums.

I made a few line changes.

Are you saying that by default Fedora doesn't load/install the proper kernel modules? That's the impression I get from your post.

I suppose I can try your fixes to see if they work with other flavors of Linux and if they do issue one fixed version, but I'd like to get your response first.

Thanks.

Jeff
 