KISS My Firewall 2

Keep It Simple Stupid!


Updated to v2.2 on January 15, 2009

What is KISS My Firewall?

KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.

It was designed from the start for ease-of-use and installation. Unlike some firewall's, KISS My Firewall is contained entirely within one file. Blocking one or more IP addresses is simple and changes take effect by simply restarting the script.

KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications.

By default, the following ports are open on the INPUT chain: FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, MySQL, Secure IMAP, Secure POP3, Ensim WEBppliance Basic/Pro, Webmin, and Plesk. Open ports on the OUTPUT chain include: FTP, SSH, SMTP, RDATE, WHOIS, DNS, HTTP, HTTPS, and OPENSRS.

KISS My Firewall can be configured to work with or without any port you choose and has support for trusted IP addresses and subnets. The firewall is also very easy to customize. It only takes a few changes to the variables to protect a dedicated DNS, MAIL, or FTP-only server.

Since KISS My Firewall uses stateful packet inspection as well as connection tracking, it does not need to explicitly open all of the unprivileged ports for passive mode FTP or port 20 for active mode FTP. This makes the host server much more secure. In addition, KISS My Firewall explicitly REJECTS port 113 (inetd) when needed.


HOW TO: Install KISS My Firewall

When logged in as root ( "su -" ), type:

cd /usr/bin
tar zxvf kiss-2.2.tar.gz

That's it! To get it running anywhere on the command line, you simply type:

kiss start

To stop the firewall, type:

kiss stop

To get status information, type:

kiss status

If you want to block an offenders IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnet's with a space. Once you are finished, simply restart KISS by typing:

kiss restart

Last, but not least, it is recommended that you configure the firewall to allow only for needed ports. Using trusted IP addresses/subnets is also recommended. These variables are located near the beginning of the /usr/bin/kiss file and are self-explanatory. Once you make changes, you should always restart KISS for the changes to take effect:

kiss restart


What's New in Version 2?

The biggest change is that it does not require any initial configuration. With version 2, you won't automatically lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables - version 1.2.8.

Happy Firewalling!


Secure Online Backup provides a Secure Online Backup service.

Whether you need online backup for your Windows PC or your Windows 2003 Server or Windows 2008 Server, we have a plan that fits your needs.

Try it FREE today!