Vahid
August 9th, 2008, 14:48
Brief Summary
KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.
KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications. Available at: KISS My Firewall - iptables for a typical web server (http://www.geocities.com/steve93138/)
What's New in Version 2?
The biggest change is that it does not require any initial configuration. With version 2, you won't automatically lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables - version 1.2.8.
1
) When logged in as root ( "su -" ), type:
2) cd /usr/bin
3) Download KISS firewall
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
4) Extract it
tar zxvf kiss-2.0.1.tar.gz
If you want to block an offenders IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnet's with a space. Once you are finished, restart the firewall.
5) Editing the config
pico -w /usr/bin/kiss
You must change config from: NOTE see our Printer friendly version (http://www.webhostgear.com/index.php?print/id:87)to avoid text wrapping!
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
To: # Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
6) Cpanel Users Config - other users ignore this step
In the /usr/bin/kiss file scroll down until you see the line: TCP_IN and replace it with this.
TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"
Now find the line that says TCP_OUT and replace it with this.
TCP_OUT="21 22 25 37 43 53 80 443 873 2089"
7) Save the changes and restart the firewall
Ctrl + X then Y
Restart KISS by typing:
kiss restart
That's it! You now have a nice IPtables firewall running that's easy to configure and use.
Firewall Commands
That's it! To get it running anywhere on the command line, you simply type:
kiss start
To stop the firewall, type:
kiss stop
To get status information, type:
kiss status
Restart KISS by typing:
kiss restart
KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.
KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications. Available at: KISS My Firewall - iptables for a typical web server (http://www.geocities.com/steve93138/)
What's New in Version 2?
The biggest change is that it does not require any initial configuration. With version 2, you won't automatically lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables - version 1.2.8.
1
) When logged in as root ( "su -" ), type:
2) cd /usr/bin
3) Download KISS firewall
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
4) Extract it
tar zxvf kiss-2.0.1.tar.gz
If you want to block an offenders IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnet's with a space. Once you are finished, restart the firewall.
5) Editing the config
pico -w /usr/bin/kiss
You must change config from: NOTE see our Printer friendly version (http://www.webhostgear.com/index.php?print/id:87)to avoid text wrapping!
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
To: # Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
6) Cpanel Users Config - other users ignore this step
In the /usr/bin/kiss file scroll down until you see the line: TCP_IN and replace it with this.
TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"
Now find the line that says TCP_OUT and replace it with this.
TCP_OUT="21 22 25 37 43 53 80 443 873 2089"
7) Save the changes and restart the firewall
Ctrl + X then Y
Restart KISS by typing:
kiss restart
That's it! You now have a nice IPtables firewall running that's easy to configure and use.
Firewall Commands
That's it! To get it running anywhere on the command line, you simply type:
kiss start
To stop the firewall, type:
kiss stop
To get status information, type:
kiss status
Restart KISS by typing:
kiss restart