Thursday, 15 November 2007

How to install KISS Firewall

Brief Summary

KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.

KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications. Available at: http://www.geocities.com/steve93138/

What's New in Version 2?

The biggest change is that it does not require any initial configuration. With version 2 you will not lock yourself out of your server unless you set one of the variables incorrectly. It also does extensive error checking and is distributed as a tar file, which solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested against iptables 1.2.8, the current release when the script was written.



HOW TO: Install KISS My Firewall

1) Become root ("su -"). Every command below is typed as root.

2) cd /usr/bin

3) Download KISS firewall. The download is plain HTTP and this how-to gives no checksum to verify it against, so read the script before you run it as root.
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz

4) Extract it. Listing the archive first (tar tzf instead of tar zxvf) shows what will be written into /usr/bin; you should end up with /usr/bin/kiss.
tar zxvf kiss-2.0.1.tar.gz

If you want to block an offender's IP address or subnet, edit the BLOCK_LIST variable in /usr/bin/kiss. Separate addresses and subnets with a space. Once you are finished, restart the firewall so the new entries take effect.

5) Editing the config
pico -w /usr/bin/kiss

The four commented lines below allow DNS zone transfers. They are only needed if this machine is an authoritative DNS server that exchanges zones with another server; a web server that does not run DNS can leave them commented out. Note that, as written, they accept NEW connections on port 53 from any address whose source port is also 53, so if you do enable them, restrict them to your secondary's address with -s. To enable them, change:

# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

To:

# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

6) Cpanel users only - other users skip this step
In /usr/bin/kiss, scroll down to the line beginning TCP_IN and replace it with this.

TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"

Now find the line that says TCP_OUT and replace it with this.

TCP_OUT="21 22 25 37 43 53 80 443 873 2089"

7) Save the changes and restart the firewall
Ctrl+X, then Y to confirm. Before you restart over a remote session, make sure the port you are connected on (22 for SSH by default) is accepted somewhere in the script, either in TCP_IN or in a separate rule; otherwise the restart drops your session and you are locked out.

Restart KISS by typing:
kiss restart

That's it! You now have a nice IPtables firewall running that's easy to configure and use.
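The whole procedure above as one script, added here as an example written for this page and not KISS's own code. It reimplements the KISS-style variables (TCP_IN, TCP_OUT, BLOCK_LIST, defaulting to the cPanel lists from step 6) as a generator that prints an iptables-restore ruleset instead of calling iptables, so the result can be read and diffed before it is applied as root. The interface name eth0, the SSH_PORT and ZONE_XFER_PEERS variables, the 192.0.2.x / 198.51.100.0/24 addresses in the comments, and the exact rule set (default DROP, loopback, stateful accept, non-SYN drop, rate-limited ping) are assumptions of this example; the real kiss script may differ.

```shell
#!/bin/sh
# Added example (not KISS's code): generate a KISS-style stateful ruleset for a
# web server as iptables-restore text. Print it, read it, then apply it as root:
#     sh kiss-style.sh > rules.txt && iptables-restore < rules.txt

IFACE="${IFACE:-eth0}"              # assumption: eth0 is the public interface
SSH_PORT="${SSH_PORT:-22}"          # always accepted, so a remote restart cannot lock you out
# Port lists use the same syntax as the KISS variables (space separated, a:b for ranges).
# Defaults are the cPanel lists from step 6 above.
TCP_IN="${TCP_IN:-20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306}"
TCP_OUT="${TCP_OUT:-21 22 25 37 43 53 80 443 873 2089}"
BLOCK_LIST="${BLOCK_LIST:-}"        # e.g. "192.0.2.10 198.51.100.0/24" (constructed addresses)
ZONE_XFER_PEERS="${ZONE_XFER_PEERS:-}"  # assumption: secondary DNS servers allowed to pull zones

# port_rules CHAIN IFACE_FLAG PORT...: one NEW-connection ACCEPT per port or range.
port_rules() {
    chain="$1"; flag="$2"; shift 2
    for p in "$@"; do
        printf -- '-A %s %s %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$flag" "$IFACE" "$p"
    done
}

# block_rules HOST...: drop everything from the listed addresses or subnets.
block_rules() {
    for host in "$@"; do
        printf -- '-A INPUT -i %s -s %s -j DROP\n' "$IFACE" "$host"
    done
}

# zone_transfer_rules PEER...: AXFR is TCP 53 from named peers only, unlike the
# step-5 rules that accept from any address whose source port happens to be 53.
zone_transfer_rules() {
    for peer in "$@"; do
        printf -- '-A INPUT -i %s -s %s -p tcp --dport 53 -m state --state NEW -j ACCEPT\n' \
            "$IFACE" "$peer"
    done
}

# ruleset: the complete filter table. Order matters: the block list comes
# before any ACCEPT, so a listed host is dropped even on otherwise-open ports.
ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
    block_rules $BLOCK_LIST
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # A TCP packet that is not a SYN cannot legitimately open a connection.
    printf -- '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP\n'
    port_rules INPUT -i $SSH_PORT $TCP_IN
    zone_transfer_rules $ZONE_XFER_PEERS
    port_rules OUTPUT -o $TCP_OUT
    # Outbound DNS lookups, plus rate-limited ping so the host stays diagnosable.
    printf -- '-A OUTPUT -o %s -p udp --dport 53 -m state --state NEW -j ACCEPT\n' "$IFACE"
    printf -- '-A INPUT -i %s -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT\n' "$IFACE"
    printf -- '-A OUTPUT -o %s -p icmp -j ACCEPT\n' "$IFACE"
    printf 'COMMIT\n'
}

ruleset
```

Because the script only prints, it is safe to run as an ordinary user to see exactly which rules a given TCP_IN / TCP_OUT / BLOCK_LIST combination produces; only the iptables-restore step needs root.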

Firewall Commands
To start the firewall from anywhere on the command line, simply type:
kiss start

To stop the firewall, type:
kiss stop

To get status information, type:
kiss status

Restart KISS by typing:
kiss restart
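A check to run after kiss start or kiss restart, added here as an example; it is not part of KISS and is not what kiss status prints. It reads iptables-save output and fails if the INPUT policy is not DROP, if there is no stateful ACCEPT for established traffic, if one of the required ports has no ACCEPT rule, or if an unconditional ACCEPT has crept into INPUT. The required-port list (22, 80, 443) and the two embedded rulesets are constructed assumptions; the second models what the table looks like after kiss stop.

```shell
#!/bin/sh
# Added example (not KISS's code): verify the live ruleset after a restart.
#     sh check-rules.sh --live      # as root, reads the real iptables-save output
#     sh check-rules.sh             # runs against the constructed sample below

# Ports that must be reachable after `kiss restart`. 22 is included because a
# remote restart that drops SSH locks you out. Assumption: SSH listens on 22.
REQUIRED_IN="${REQUIRED_IN:-22 80 443}"

# check_ruleset: read iptables-save text on stdin, print one line per problem,
# return 0 when everything checks out and 1 otherwise.
check_ruleset() {
    rules=$(cat)
    rc=0
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "FAIL: INPUT policy is not DROP (unsolicited traffic is not blocked)"; rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT .*ESTABLISHED.*-j ACCEPT'; then
        echo "FAIL: no stateful ACCEPT for ESTABLISHED traffic (replies will be dropped)"; rc=1
    fi
    for p in $REQUIRED_IN; do
        # Trailing space keeps "--dport 2 " from matching "--dport 22 ".
        if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*--dport $p .*-j ACCEPT"; then
            echo "FAIL: tcp/$p has no ACCEPT rule in INPUT"; rc=1
        fi
    done
    # An ACCEPT with no match at all means the firewall is effectively off.
    if printf '%s\n' "$rules" | grep -q -- '^-A INPUT -j ACCEPT$'; then
        echo "FAIL: INPUT contains an unconditional ACCEPT"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: ruleset matches expectations"
    return $rc
}

# Constructed sample resembling iptables-save output after a KISS-style start.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT'

# Constructed sample of the same table after `kiss stop`: policies ACCEPT, chains flushed.
SAMPLE_STOPPED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

case "${1:-}" in
    --live) iptables-save | check_ruleset ;;
    *)      printf '%s\n' "$SAMPLE_GOOD" | check_ruleset ;;
esac
```

The exit status makes the check usable from cron or a deploy script: a non-zero result after a restart means the box is either unprotected (stopped state) or about to be unreachable on a port you depend on.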

9 comments:

Sabina said...

Great work.

Anonymous said...

Thank you, that was extremely valuable and interesting...I will be back again to read more on this topic.

Anonymous said...

Fantastic web site, I had not come across linuxsiraj.blogspot.com before in my searches!
Carry on the wonderful work!

Anonymous said...

Thanks for sharing this link, but unfortunately it seems to be down... Does anybody have a mirror or another source? Please reply to my post if you do!

I would appreciate if a staff member here at linuxsiraj.blogspot.com could post it.

Thanks,
Peter

Anonymous said...

Hello,

I have a question for the webmaster/admin here at linuxsiraj.blogspot.com.

May I use part of the information from this blog post above if I give a link back to this website?

Thanks,
Thomas

Anonymous said...

Hi,

Thanks for sharing this link - but unfortunately it seems to be down? Does anybody here at linuxsiraj.blogspot.com have a mirror or another source?


Thanks,
John

Anonymous said...

Hey,

Thanks for sharing this link - but unfortunately it seems to be not working? Does anybody here at linuxsiraj.blogspot.com have a mirror or another source?


Thanks,
Peter