Re: General MoBlock thread
Sadly, moblock-control restart didn't make any difference.
Here is the output of moblock-control status:
Code:
$ sudo moblock-control status
Current iptables rules (this may take awhile):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
14 1729 ACCEPT udp -- * * 192.168.0.1 0.0.0.0/0
1 576 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 DROP all -- wlan0 * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
1595 1011K INBOUND all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
0 0 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
0 0 moblock_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.0.2 192.168.0.1 tcp dpt:53
14 887 ACCEPT udp -- * * 192.168.0.2 192.168.0.1 udp dpt:53
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
15 1964 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1649 201K OUTBOUND all -- * wlan0 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
0 0 moblock_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
1592 1011K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 144 LSI all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 221.195.56.54 0.0.0.0/0
0 0 DROP all -- * * 83.100.226.60 0.0.0.0/0
Chain LSI (2 references)
pkts bytes target prot opt in out source destination
3 144 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
3 144 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
3 144 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1463 193K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
186 8312 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain moblock_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_in (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_out (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Please check if the above printed iptables rules are correct!
* moblock is running, pid is 6321.
Possibly uninstalling firestarter might solve the problem.
Re: General MoBlock thread
The moblock_in etc. rules should be placed at the head of the INPUT etc. chains (not at the bottom as in your case).
This will be the case directly after "moblock-control restart". Did you execute this command before the "status" command? Were there any messages? What's in /var/log/moblock-control.log?
Re: General MoBlock thread
Oddly enough, after a system restart and uninstalling Firestarter, Moblock now works. However, I don't know why. The output of "status" was after restarting Moblock, and I don't recall there being any messages, though I might have forgotten.
The output of the log, before the restart, was:
Code:
Got SIGTERM! Dumping stats and exiting.
Duplicated range ( Bogo )
Ranges loaded: 242165
Merged ranges: 0
Skipped useless ranges: 0
NFQUEUE: binding to queue '0'
Now the output is the same, except with addresses blocked.
Here is the current output of the status command:
Code:
Current iptables rules (this may take awhile):
Chain INPUT (policy ACCEPT 1437 packets, 1341K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
24 22874 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 moblock_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 1217 packets, 147K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
97 5850 moblock_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain moblock_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/24
0 0 RETURN all -- * * 192.168.0.0/24 0.0.0.0/0
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_in (1 references)
pkts bytes target prot opt in out source destination
19 22173 RETURN all -- * * 192.168.0.0/24 0.0.0.0/0
5 701 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_out (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 66.114.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 194.109.137.218
0 0 RETURN all -- * * 0.0.0.0/0 66.150.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 130.57.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 69.31.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 207.46.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 64.4.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 65.55.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 65.54.0.0/16
12 750 RETURN all -- * * 0.0.0.0/0 192.168.0.0/24
85 5100 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Please check if the above printed iptables rules are correct!
* moblock is running, pid is 6233.
The moblock_in rules are still at the bottom of the INPUT etc. chains, but certain IPs are still being blocked. I assume that there must be another cause.
Re: General MoBlock thread
So what I meant to say is:
Every rule in the INPUT chain that is before moblock_in will be processed before the packets get to MoBlock.
You have the targets ACCEPT, DROP and other chains. Other chains themselves do the same: they ACCEPT, DROP or send packets back to INPUT. So we only need to look at ACCEPT and DROP:
If a packet will be DROPped anyway it doesn't matter if it is checked by MoBlock.
But if it gets ACCEPTed it will leave any further iptables processing, so it will not be checked by MoBlock.
Therefore you have to make sure that ACCEPT rules are only before MoBlock if they accept traffic that is not intended to be checked by MoBlock.
This is the INPUT chain you posted first:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
14 1729 ACCEPT udp -- * * 192.168.0.1 0.0.0.0/0
1 576 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 DROP all -- wlan0 * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
1595 1011K INBOUND all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
0 0 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
As you see, there are many rules which ACCEPT traffic or send traffic to chains which contain an ACCEPT before your moblock_in. moblock_in should be the first or second rule in this chain.
The case in your second post is better:
Code:
Chain INPUT (policy ACCEPT 1437 packets, 1341K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
24 22874 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
One rule is before MoBlock and this rule simply accepts all traffic on the loopback device, which is ok.
So this was the long version of what I meant to say with "the moblock_in rule has to be at the head of the chain and not at the bottom".
Notes:
Since MoBlock 0.9, with the MARKing feature, traffic that is accepted by MoBlock is not ACCEPTed (in the sense that it would leave the iptables processing) but "marked accepted", which means that it will be processed by the other iptables rules.
(To be correct: the packets repeat the whole chain/hook function.)
Up to MoBlock 0.8 traffic was ACCEPTed; this is the reason why 0.8 did not work with firestarter.
What is said above is of course valid for OUTPUT and FORWARD, too.
jre
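An added example, not from the thread or from MoBlock itself: a small Python checker that parses a "moblock-control status" / "iptables -L -v -n" listing and reports the rules ahead of moblock_in that can ACCEPT a packet before it reaches MoBlock, following jumps into user chains such as INBOUND. The sample listing is constructed, abridged from the two INPUT chains quoted above, and loopback-only rules are treated as the acceptable exception described in the post.

```python
def parse_iptables_status(text):
    """Parse 'iptables -L -v -n' output into {chain: [(target, prot, in, out), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        cols = line.split()
        if line.startswith("Chain "):
            current = cols[1]
            chains[current] = []
        # rule rows start with the pkts counter, which skips the header row
        elif current is not None and len(cols) >= 9 and cols[0].isdigit():
            chains[current].append((cols[2], cols[3], cols[5], cols[6]))
    return chains

def chain_can_accept(chains, name, seen=None):
    """True if user chain `name` can ACCEPT a packet, directly or via a further jump."""
    seen = set() if seen is None else seen
    if name in seen:
        return False
    seen.add(name)
    return any(t == "ACCEPT" or (t in chains and chain_can_accept(chains, t, seen))
               for t, *_ in chains.get(name, []))

def accepts_before_moblock(chains, base="INPUT", hook="moblock_in"):
    """Rules of `base` ahead of the jump to `hook` that may ACCEPT a packet, so it never reaches MoBlock."""
    offenders = []
    for rule in chains.get(base, []):
        target, _prot, in_if, out_if = rule
        if target == hook:
            break
        if "lo" in (in_if, out_if):  # loopback traffic is meant to bypass MoBlock
            continue
        if target == "ACCEPT" or (target in chains and chain_can_accept(chains, target)):
            offenders.append(rule)
    return offenders

# Constructed sample, abridged from the first INPUT chain quoted in the thread.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 1595 1011K INBOUND all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
    0     0 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain INBOUND (1 references)
 pkts bytes target prot opt in out source destination
 1592 1011K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""
```

Running accepts_before_moblock(parse_iptables_status(BEFORE)) flags the 192.168.0.1 ACCEPT and the jump to INBOUND (which ACCEPTs established TCP), while the DROP and the loopback rule pass; the INPUT chain from the second post yields an empty list.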
Re: General MoBlock thread
Great, I now understand what you meant, and how the second post is better.
Thanks a lot for your explanation, and also for Moblock, it's a great program!
Re: General MoBlock thread
Quote: Originally Posted by jre
@ alonecity:
I need answers to these questions, too:
Is 192.168.200.0/24 your LAN (in doubt post the output of sudo ifconfig)? If not, then you should whitelist your LAN.
jre:
I don't have any web browsing at all. 192.168.200.xxx is indeed my LAN:
Code:
eth0 Link encap:Ethernet HWaddr 00:14:22:54:4e:6b
inet addr:192.168.200.101 Bcast:192.168.200.255 Mask:255.255.255.0
inet6 addr: fe80::214:22ff:fe54:4e6b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31932 errors:0 dropped:0 overruns:0 frame:0
TX packets:19232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44011705 (41.9 MB) TX bytes:1664221 (1.5 MB)
Interrupt:18 Base address:0xa000
Thank you
Edit: put the right tags.
Re: General MoBlock thread
I had a closer look at your iptables rules now. (Note: Please put them in CODE tags, it's a pain to read them this way).
Now I saw that you use IPList/IPBlock and MoBlock at the same time - don't do this, just use one of both, they have the same functionality.
There are two occasions where they conflict:
- They both bind to NFQUEUE; although IPList does not use the default QUEUE number (0), problems might still occur.
- They both mark packets. I'm not sure if these MARKs are additional or replace each other.
I've just added a Conflict: iplist to the moblock package so that apt will refuse to install both at the same time.
jre
Re: General MoBlock thread
Thanks jre. I thought I had uninstalled IPlist properly, but I went through an uninstall/reinstall/uninstall of IPlist and an uninstall/reinstall of Moblock and it seems to be working now.
Re: General MoBlock thread
Hi
Hope you can help. I am not a Linux expert and know little about firewalls etc., but here goes.
OK, I know I am doing something wrong here. The situation so far is:
1) Installed moblock through Synaptic, following the instructions on the Ubuntu docs page. I am using Ubuntu 8.04.
I know this from the readme:
In the default configuration MoBlock starts at system boot and some preconfigured blocklists are updated once a day. You can specify the blocklists to use in /etc/moblock/blocklists.list. Everything else (automatic start and update, iptables handling, IP and port whitelisting) is configured in /etc/moblock/moblock.conf. This is important especially if MoBlock blocks sites that it should not block.
2) So I edited the /etc/default/moblock file to include WHITE_TCP_OUT="http https" and then restarted moblock.
BUT it still seems to block everything.
Can anyone tell me what I need to do to get browsing and FTP to work whilst still running moblock? I tried mobloquer, which is a GUI, but even using that it doesn't unblock stuff. Very odd.
Does this help?
Code:
sudo moblock-control status
Current iptables rules (this may take awhile):
Chain INPUT (policy ACCEPT 3382 packets, 764K bytes)
pkts bytes target prot opt in out source destination
0 0 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
0 0 moblock_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
Chain OUTPUT (policy ACCEPT 3376 packets, 299K bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa reject-with icmp-port-unreachable
0 0 moblock_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
Chain moblock_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_in (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain moblock_out (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
I have firestarter installed but am totally confused as to whether the firewall works all the time or only when I start the Firestarter GUI.
hope you can help
many thanks
doc
Re: General MoBlock thread
I guess you need to whitelist your LAN, including your router, too. If you don't know your local IP check it with "sudo ifconfig". It's the value after "inet addr:" of the interface that you use for networking. For wired connections that might be "eth0", for wireless connections "wlan0".
Example: You found out that your IP is 192.168.0.39. Then your LAN will most probably cover the IP range 192.168.0.1-192.168.0.255. Then whitelist this range with the following lines in /etc/default/moblock:
Code:
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"
After editing and a "moblock-control restart" you should be fine. Of course you can also do this with mobloquer.
firestarter is not a firewall itself; it just sets up the Linux firewall, iptables. All your iptables rules belong to moblock, so there is no conflict.
Thanks for posting your iptables rules, that saved me some questions.
Greets
jre