NOTE: Now that Yahoo has decided to close GeoCities, "KISS My Firewall" no longer has a home at http://www.geocities.com/steve93138/ - I have created this page as a new home.

KISS My Firewall 2

Keep It Simple Stupid!


Updated to v2.2 on January 15, 2009

What is KISS My Firewall?

KISS My Firewall is a FREE iptables script developed by Steve Eschweiler and is released into the public domain. You can use it for any purpose, commercial or otherwise, without restriction.

KISS My Firewall is designed for use on a typical web server and can usually be used right out of the box. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.

It was designed from the start for ease of use and installation. Unlike some firewalls, KISS My Firewall is contained entirely within one file. Blocking one or more IP addresses is simple, and changes take effect as soon as the script is restarted.

KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications.

By default, the following ports are open on the INPUT chain: FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, MySQL, Secure IMAP, Secure POP3, Ensim WEBppliance Basic/Pro, Webmin, and Plesk. Open ports on the OUTPUT chain include: FTP, SSH, SMTP, RDATE, WHOIS, DNS, HTTP, HTTPS, and OPENSRS.

KISS My Firewall can be configured to work with or without any port you choose and has support for trusted IP addresses and subnets. The firewall is also very easy to customize. It only takes a few changes to the variables to protect a dedicated DNS, MAIL, or FTP-only server.

Since KISS My Firewall uses stateful packet inspection as well as connection tracking, it does not need to explicitly open all of the unprivileged ports for passive mode FTP or port 20 for active mode FTP. This makes the host server much more secure. In addition, KISS My Firewall explicitly REJECTS port 113 (inetd) when needed.
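The following is an added example, not the KISS My Firewall script itself: a dry-run generator that prints the iptables commands a KISS-style single-file script builds from its variables (default-deny policies, the BLOCK_LIST, trusted sources, ESTABLISHED/RELATED tracking instead of opening the FTP data ports, and the explicit REJECT on port 113). Only BLOCK_LIST is named on the page; the other variable names are hypothetical, and the sample addresses are constructed from RFC 5737 test ranges.

```shell
#!/bin/sh
# Added example, not the KISS My Firewall script itself: a dry-run generator that
# prints the iptables commands a KISS-style single-file script would build from
# its variables. Only BLOCK_LIST is named on the page; the other variable names
# are hypothetical. Sample addresses are constructed from RFC 5737 test ranges.
IPT="iptables"                              # printed, never executed, here
BLOCK_LIST="198.51.100.7 203.0.113.0/24"    # space-separated offenders, as the page describes
TRUSTED="192.0.2.10"                        # trusted source, allowed on every port
TCP_IN="21 22 25 53 80 110 143 443"         # subset of the default INPUT services
UDP_IN="53"
TCP_OUT="21 22 25 43 53 80 443"             # FTP, SSH, SMTP, WHOIS, DNS, HTTP, HTTPS
UDP_OUT="53"
REJECT_IDENT="yes"                          # answer port 113 with a reset, not silence

gen_rules() {
    # 1. Start clean and default-deny every chain.
    echo "$IPT -F"; echo "$IPT -X"
    for chain in INPUT FORWARD OUTPUT; do echo "$IPT -P $chain DROP"; done
    # 2. Blocked offenders come first so no later ACCEPT can override them.
    for ip in $BLOCK_LIST; do echo "$IPT -A INPUT -s $ip -j DROP"; done
    # 3. Loopback and trusted sources bypass the per-port rules.
    echo "$IPT -A INPUT -i lo -j ACCEPT"; echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    for ip in $TRUSTED; do echo "$IPT -A INPUT -s $ip -j ACCEPT"; done
    # 4. Connection tracking: replies and RELATED flows (FTP data, once the
    #    ip_conntrack_ftp helper is loaded) pass without opening port 20 or the
    #    passive-mode range.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 5. Scan/spoof hygiene: NEW TCP that is not a SYN, and INVALID packets, are dropped.
    echo "$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # 6. Only listed services may receive or initiate NEW connections.
    for p in $TCP_IN;  do echo "$IPT -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"; done
    for p in $UDP_IN;  do echo "$IPT -A INPUT -p udp --dport $p -j ACCEPT"; done
    for p in $TCP_OUT; do echo "$IPT -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"; done
    for p in $UDP_OUT; do echo "$IPT -A OUTPUT -p udp --dport $p -j ACCEPT"; done
    # 7. Explicit REJECT for ident (113) so mail/IRC peers fail fast instead of timing out.
    if [ "$REJECT_IDENT" = "yes" ]; then
        echo "$IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    fi
}

# Number of generated commands; a quick sanity check before piping into "sh".
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Line number of the first rule matching a pattern (empty if absent), to verify ordering.
rule_pos() { gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
```

Review the printed rules with `gen_rules`, then apply them as root with `gen_rules | sh`; the ordering check matters because an ACCEPT for a trusted host placed before the BLOCK_LIST would let a blocked address in that range through.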


HOW TO: Install KISS My Firewall

When logged in as root ("su -"), type:

cd /usr/bin
wget http://www.indotek.com/kiss/kiss-2.2.tar.gz
tar zxvf kiss-2.2.tar.gz

That's it! To get it running anywhere on the command line, you simply type:

kiss start

To stop the firewall, type:

kiss stop

To get status information, type:

kiss status

If you want to block an offender's IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnets with a space. Once you are finished, restart KISS by typing:

kiss restart

Last, but not least, it is recommended that you configure the firewall to allow only the ports you actually need. Using trusted IP addresses/subnets is also recommended. These variables are located near the beginning of the /usr/bin/kiss file and are self-explanatory. Once you make changes, always restart KISS for the changes to take effect:

kiss restart


What's New in Version 2?

The biggest change is that it does not require any initial configuration. With version 2, you won't lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present in the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables, version 1.2.8.


Happy Firewalling!