General MoBlock thread

[johanholmquist]

lsmod returns absolutely nothing, no matter what I try...
the lsmod --help isn't very useful either: "Usage: lsmod".

I had a look around and found some old forum with someone that had the same problem. Just like that guy, my output from

Code:

# modprobe ls

is something like

Code:

kernel/drivers/scsi/scsi_wait_scan.ko

and nothing more.

Is it likely that recompiling the kernel will make lsmod work? Recompiling the kernel seems quite time-consuming, and judging by the manuals I'm sure it's not the easiest thing to do for a rookie... It's quite likely that I would end up with something else not working as it should. ^^ Is it my only way out?

[jre]

"lsmod" is a command to list the loaded kernel modules. So it doesn't do anything special, but just gives you information. You definitely should get some output if you just type

Code:

lsmod

. So please post the output of this pure "lsmod". The rest of my last command just filters the complete output to the relevant parts. Since you got no results there, I guess we are on the right way, since this indicates that the modules are not loaded.

Please try to manually load the relevant kernel module NFQUEUE. Chances are high that this doesn't happen automatically for some strange reasons on your side. So do

Code:

sudo modprobe xt_NFQUEUE
echo $?

. The second command will only work if it is issued as next command after the first. It will give "0" if the modprobe command was successful and another number otherwise. In doubt you may modprobe also all other modules that I listed in my last post. After doing that you may try the "lsmod" again.

For more information you might also send me some contents of the configuration file of your current kernel. Figure out the name of that file with

Code:

ls /boot/config-"$(uname -r)"

. E.g. here the actual file is called /boot/config-2.6.32-4-amd64. Then open that file in an editor and search for the passages

Code:

# Networking options

and

Code:

# Core Netfilter Configuration

and post its content here.

Finally please have a look at /var/log/blockcontrol.log to see whether there is something related to kernel modules.

[johanholmquist]

Code:

(johan@server)-(~) $ lsmod
Module                  Size  Used by

That's all I get from lsmod. :/ Doesn't matter if I sudo lsmod either, still no real output.

Code:

(johan@server)-(~) $ sudo modprobe xt_NFQUEUE
FATAL: Module xt_NFQUEUE not found.
(johan@server)-(~) $ echo $?
1

Code:

(johan@server)-(~) $ ls /boot/config-"$(uname -r)"
ls: cannot access /boot/config-2.6.32.8: No such file or directory

This seemed quite strange.. I don't have a configuration file? Here are the contents of /boot:

Code:

(johan@server)-(~) $ cd /boot
(johan@server)-(/boot) $ ls -a
.  ..  System.map  boot.0800  bzImage  coffee.bmp  debian.bmp  debianlilo.bmp  map  sarge.bmp  sid.bmp

Could it be RKhunter that hides it for some reason?

The path /lib/modules/2.6.32.8/kernel/ contains only one folder; /lib/modules/2.6.32.8/kernel/drivers. The only thing in that folder is another folder named "scsi", which contains the file "scsi_wait_scan.ko". It corresponds to writing the following:

Code:

(johan@server)-(/lib/modules/2.6.32.8/kernel/drivers/scsi) $ modprobe -ls
kernel/drivers/scsi/scsi_wait_scan.ko

It sure looks like I have only one (1) kernel module. A module that doesn't seem to be loaded.

Here's what I get in blockcontrol.log, repeating itself every 5 minutes:

Code:

2010-03-29 14:45:14 CEST Begin: blockcontrol restart
Stopping blockcontrol.wd   ...done.
Deleting iptables ...
   ...done.
Stopping moblock ...   ...done.
Inserting iptables ...
Allowing outbound traffic to DNS server XXX.XXX.XX.X   ...done.
Allowing forwarded traffic to DNS server XXX.XXX.XX.X   ...done.
Allowing outbound traffic to DNS server YYY.YYY.YY.Y   ...done.
Allowing forwarded traffic to DNS server YYY.YYY.YY.Y   ...done.
Allowing loopback traffic   ...done.
   ...done.
Starting moblock ...   ...done.
Starting blockcontrol.wd ...   ...done.
2010-03-29 14:45:14 CEST End: blockcontrol restart

Like I said, exactly 5 minutes later, it does a new blockcontrol restart (2010-03-29 14:50:14 CEST Begin: blockcontrol restart).

Anyway, I guess the real problem is the (lack of) kernel modules and config. Does that mean my iptables are ignored by the kernel as well?

[jre]

I can't find kernel 2.6.32.8 - neither in Karmic (Ubuntu 9.10) nor in lucid (10.04). So where did you get your kernel from? Have you tried the official kernel from the repository?

BTW, the /boot/config-... file is only there for informational use. It tells with which options your kernel was compiled.

From the description of RKHunter I doubt that it hides any files, or is in any other way responsible for your problems. I think RKHunter just checks your system and reports problems, but doesn't actually do anything.

[johanholmquist]

I've come to the conclusion that my dedicated server provider installs a custom kernel on their dedicated servers. This means I might have to compile my own "vanilla" kernel, using the config they provide in /usr/src as a base. (Apparently some of their mainboards have some sort of issues with AHCI (S-ATA) drivers included in kernels <=2.6.22 ... I think. There has to be some reason they don't use the standard kernel.)

I guess I could try installing a package from aptitude first, since the latest kernel is something like 2.6.31? Would you recommend "linux-386" or "linux-server"? Should I also install additional packages to ensure all the necessary moblock modules are included, like "linux-backports-modules-karmic"?
Will the installation "linux-server" change which kernel is used automatically, or do I have to change that somewhere?

I'm a complete newbie when it comes to these kernel-related things, I just install linux and assume everything works "automagically". Haven't run into any kernel problems at all when I've installed ubuntu and ubuntu server on several PCs here at home, but my server provider obviously installs a custom kernel on "clean" installs.

Thank you so much for all the help so far!

[jre]

Do you have physical access to your server? In that case you can simply try a kernel from the Ubuntu repository. I'm running Debian and am not familiar with Ubuntu's kernel flavors. But I think I'd first try linux-server before linux-386.

EDIT: I doubt that you need to install additional packages!

Without physical access you can't choose which kernel will be booted on boot time in the grub boot. Instead you have to do this before booting in the grub config file (instructions how to do that are on the web).
So then you have the risk of preselecting an unbootable kernel, which would require physical access in order to select a bootable kernel again.

So in this case I would omit the step of installing a kernel from the repository, and choose to directly compile your provider's kernel. I've done that myself years ago in my linux beginners time and found it is not too hard. Just follow official instructions (preferably those of your provider, or ask your provider directly for help, otherwise Ubuntu's). Then keep all configuration settings as they are, and simply add the netfilter support as modules. In the end your configuration file should have something like this, especially the bold lines are important:

Code:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
# CONFIG_XFRM_STATISTICS is not set
CONFIG_XFRM_IPCOMP=m
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=m
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
CONFIG_TCP_CONG_HSTCP=m
CONFIG_TCP_CONG_HYBLA=m
CONFIG_TCP_CONG_VEGAS=m
CONFIG_TCP_CONG_SCALABLE=m
CONFIG_TCP_CONG_LP=m
CONFIG_TCP_CONG_VENO=m
CONFIG_TCP_CONG_YEAH=m
CONFIG_TCP_CONG_ILLINOIS=m
# CONFIG_DEFAULT_BIC is not set
CONFIG_DEFAULT_CUBIC=y
# CONFIG_DEFAULT_HTCP is not set
# CONFIG_DEFAULT_VEGAS is not set
# CONFIG_DEFAULT_WESTWOOD is not set
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_TCP_MD5SIG=y
CONFIG_IPV6=y
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=y
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_PIMSM_V2=y
# CONFIG_NETLABEL is not set
CONFIG_NETWORK_SECMARK=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_DCCP=m
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CT_PROTO_UDPLITE=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_IPV6 is not set
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12

[jre]

@johanholmquist:
blockcontrol should have correctly reported what is going wrong. Obviously it didn't do that. So please help me to improve blockcontrol and send me the output of the following commands (while running your old kernel):

Code:

[ -f /proc/net/ip_tables_targets ]
echo $?
grep -q NFQUEUE /proc/net/ip_tables_targets
echo $?
modprobe -q xt_NFQUEUE
echo $?
modprobe -q ipt_NFQUEUE
echo $?

[ -f /proc/net/ip_queue ]
echo $?
modprobe -q ip_queue
echo $?

[ -f /proc/net/ip_tables_matches ]
echo $?
grep -q mark /proc/net/ip_tables_matches
echo $?
modprobe -q xt_mark
echo $?
modprobe -q ipt_mark
echo $?

[ -f /proc/net/ip_tables_matches ]
echo $?
grep -q state /proc/net/ip_tables_matches
echo $?
modprobe -q xt_state
echo $?
modprobe -q ipt_state
echo $?

[ -f /proc/net/ip_tables_matches ]
echo $?
grep -q iprange /proc/net/ip_tables_matches
echo $?
modprobe -q xt_iprange
echo $?
modprobe -q ipt_iprange
echo $?

ls -l /bin/sh
blockcontrol show_config

[lovinglinux]

Hi jre, how are you doing?

I'm wondering when a ppa for Lucid will be available? I'm currently using the Karmic ppa and it is working fine, but I don't know if I could experience any issues by doing this.

Not making any pressure. I'm just addicted to moblock

[jre]

I'm just working on releasing pgl. Only drawbacks: no GUI yet and no debian transition for automatic updates from moblock. But the latter is only necessary if the first is available.
Debian packages of pgl will be available for Debian squeeze and sid and Ubuntu karmic and lucid. (I won't support any older releases, that's just too time consuming. But since lucid is a LTS that will be ok).
So when I've done that I might do lcuid packages of the rest, too. Perhaps even earlier.
I'll give you an update here.

Besides that, you might have noted that I greatly reduced my work on this stuff. I had a few months with nearly zero time commitment and I doubt that I will ever spend as much time as in the past on this. But on the other site I always enjoy it, when I work on this stuff. And your question came at the best time to motivate me to do what I just wrote above. And as always a big thank you for your active work here in the forum, lovinglinux. This helps me to find time for development.

[lovinglinux]

I'm just working on releasing pgl. Only drawbacks: no GUI yet and no debian transition for automatic updates from moblock. But the latter is only necessary if the first is available.
Debian packages of pgl will be available for Debian squeeze and sid and Ubuntu karmic and lucid. (I won't support any older releases, that's just too time consuming. But since lucid is a LTS that will be ok).
So when I've done that I might do lcuid packages of the rest, too. Perhaps even earlier.
I'll give you an update here.

Besides that, you might have noted that I greatly reduced my work on this stuff. I had a few months with nearly zero time commitment and I doubt that I will ever spend as much time as in the past on this. But on the other site I always enjoy it, when I work on this stuff. And your question came at the best time to motivate me to do what I just wrote above. And as always a big thank you for your active work here in the forum, lovinglinux. This helps me to find time for development.

That was fast

I don't know if I understood correctly, but are you saying PeerGuardian for Linux is being revived? Does it replaces moblock?

I understand the commitment issues. I have been thinking about stopping providing a Windows version of one of my Firefox extensions. It doesn't work 100% as the Linux version and is just too time consuming to make it. Besides, I hate having to boot into Windows. I feel completely lost. I need to focus on polishing the Linux version, so Mozilla can approve it for public download. Need to prioritize the development time available.

Thanks for the great work.